When you think about all of the many, many types of resources we have on our networks and on the internet in general, the idea of giving people access to different types of resources can be boggling. I mean, I've got some little cameras in my house that I can get people to have access to just by typing in a username and a password. But I have Windows file servers that require people to be members of domains that have all types of authentication and authorization controls on them. So the idea of controlling access to resources is a really, really big deal. Now the first thing I want to do is make sure we're aware of the three types of access control that you're going to see on the exam. When we talk about authorization models, what we're talking about is how, over time, we have developed the concept of how we apply authorization, mainly to resources more than anything else.
So this is almost more of a permissions issue than anything else. Now, if you go way back in time, like in the 50s or so, we would use what was known as mandatory access control. Mandatory access control worked by taking some chunk, a resource (keep in mind a lot of this predates computers), and labeling it in some fashion. And what type of permission you had determined what type of labels you could read. Probably the most classic example here in the US is top secret, secret, confidential, or public, where we separate based on the type of clearance somebody has, and back in the old days, they would physically label different types of documents. Now, that actually did tie into the computer world a little bit. But mandatory access control as a concept doesn't really work that perfectly in the computer world.
Instead, what we have are what are known as discretionary access controls. A discretionary access control simply means that whoever created the resource, whoever wrote the Word document, whoever set up that Excel database, is the creator owner. And as the creator owner, they have discretion about who they can apply that type of access to. So if I create this database, I, as the creator owner, can say you get this type of permission, you get that type of permission. There's nothing wrong with discretionary access controls, but they miss one really, really important feature. And that is the concept of roles.
People have different roles when it comes to data. They might just be a user, they might be a supervisor, they might be the creator owner of it. So the third type of strategy, and the one we see more commonly than anything else, is known as role-based access control. Most modern operating systems subscribe to the concept of role-based access control, which allows you to apply access controls to a resource by your role. In the Windows world, that manifests beautifully in groups. So we'll have a group called bosses, we'll have a group called administrators, or we can have a group called accountants, and based on that role, we can apply different types of rights and permissions so that the people can do the job that they need to do. In order to make access control work, we have to have access control lists.
Now, anything that needs access control is going to have some kind of access control list. An access control list could just be a list of usernames and passwords. It could be a big, complicated database, it could be anything. And it manifests in a lot of different ways. So what I want to do is kind of march through some different types of access control lists you might run into in the real world. So one of the first places I'd like to start is with a little old Cisco router that I have up and running as my VPN.
So right over here, I've got a PuTTY connection to this old Cisco router that does nothing more than act as a VPN endpoint for me. So what I'm going to do is run a little command here. And if you take a look right here, you're going to see that I have certain types of permission: I'm permitting particular IP addresses to do certain things. Now, if you look really close, you're gonna see it says permit, permit, permit, permit, permit. And there's a reason for that. And that's because any good access control list is going to have what we call an implicit deny, which basically means unless you specifically allow something to happen, it's not going to happen. So implicit deny is an important point that we see with pretty much any form of access list.
Alright, so that is actually a very simple ACL on a Cisco router. Let me show you another one I happen to have. Let's see, I've got a little SSH server running here. Now if we come over here to users, you're going to see that I have three different users right here. This is the ACL for this. And not only does it have usernames and passwords, but it also defines what that user can do within that particular function, in this case, just logging into an SSH server.
Now we see this type of access control list all over the place. So let me minimize this. So in this case, what I want to do is I've just got a regular Windows system up here. And let's take a look at NTFS permissions. So in this case, I've already got it typed.
I'm going to run a command called icacls. And you can see exactly who has what rights to this one particular folder. So you can see there's administrators and users and system and a few other things in there as well. So that's really the only serious secret when it comes to access control lists. Make sure you understand that pretty much anything that needs to control access is going to have some kind of access control list. There's no way we can tell you the 10,000 different ways that manifests. The types of access controls are going to be controlled very much by the resource itself.
And also remember that in any given case, an implicit deny is always going to be there. Which means unless you specifically say something can happen, it's not going to take place.
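
The following is an added example, not part of the original transcript and not the configuration shown on the router in the video. It evaluates a source address against entries written in the style of a Cisco standard ACL, where the first matching entry wins and anything unmatched falls through to the implicit deny; the sample entries and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample entries in the style of a Cisco standard ACL;
# these are not the entries shown on the router in the video.
SAMPLE_ACL = """
permit host 203.0.113.10
permit 192.168.10.0 0.0.0.255
deny   10.1.1.0 0.0.0.255
permit 10.0.0.0 0.255.255.255
"""

def parse_acl(text):
    """Turn 'permit|deny <source>' lines into (action, base, wildcard) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        action, src = parts[0], parts[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {line!r}")
        if src == ["any"]:
            base, wild = 0, 0xFFFFFFFF
        elif len(src) == 2 and src[0] == "host":
            base, wild = int(ipaddress.IPv4Address(src[1])), 0
        elif len(src) == 2:
            base = int(ipaddress.IPv4Address(src[0]))
            wild = int(ipaddress.IPv4Address(src[1]))
        else:
            raise ValueError(f"cannot parse: {line!r}")
        entries.append((action, base, wild))
    return entries

def evaluate(entries, source_ip):
    """Return (decision, reason): first matching entry wins, otherwise deny."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for index, (action, base, wild) in enumerate(entries, start=1):
        # Wildcard mask: bits set to 1 are ignored, bits set to 0 must match.
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action, f"entry {index}"
    # No entry matched: nothing was explicitly allowed, so it is denied.
    return "deny", "implicit deny"
```

Because the first match wins, the explicit deny for 10.1.1.0 only takes effect when it sits above the wider permit for 10.0.0.0.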