ISC2 --- CyberSecurity Course Notes --- Chapter 3: Access Control

Chapter 3: Access Control

Module 1: Understand Access Control Concepts (D3.1, D3.2)

Let's look in more detail at the types of access control every information security professional should be familiar with. We will discuss physical and logical controls, and how they are combined to strengthen an organization's overall security. This is where we describe who may access what, why that access is needed, and how it is managed.

A control is a safeguard or countermeasure designed to preserve Confidentiality, Integrity and Availability of data. This, of course, is the CIA Triad.

Access control involves limiting what objects can be available to what subjects according to what rules. We will further define objects, subjects and rules later in this chapter. For now, remember these three words, as they are the foundation upon which we will build.

One brief example of a control is a firewall, which is included in a system or network to prevent something from the outside from coming in and disturbing or compromising the environment. The firewall can also prevent information on the inside from going out into the Web where it could be viewed or accessed by unauthorized individuals.

Controls Overview

Access control is arguably the heart of an information security program. Earlier in this course we examined security principles through the foundations of risk management, governance, incident response, business continuity and disaster recovery. Ultimately, though, security comes down to "who can access organizational assets (buildings, data, systems, etc.), and what can they do once they have that access?"

Access control is not only about restricting access to information systems and data; it is also about permitting access. It is about granting authorized people and processes the appropriate level of access, and denying access to unauthorized functions or individuals.

Subjects

  • A subject can be defined as any entity that requests access to our assets. The entity requesting access may be a user, a client, a process or a program, for example. A subject is the initiator of a request for service; therefore, a subject is referred to as “active.”

    A subject:

    • Is a user, a process, a procedure, a client (or a server), a program, a device such as an endpoint, workstation, smartphone or removable storage device with onboard firmware.
    • Is active: It initiates a request for access to resources or services.
    • Requests a service from an object.
    • Should have a level of clearance (permissions) that relates to its ability to successfully access services or resources.

Objects

By definition, anything that a subject attempts to access is referred to as an object. An object is a device, process, person, user, program, server, client or other entity that responds to a request for service. Whereas a subject is active in that it initiates a request for a service, an object is passive in that it takes no action until called upon by a subject. When requested, an object will respond to the request it receives, and if the request is wrong, the response will probably not be what the subject really wanted either.

Note that by definition, objects do not contain their own access control logic. Objects are passive, not active (in access control terms), and must be protected from unauthorized access by some other layers of functionality in the system, such as the integrated identity and access management system. An object has an owner, and the owner has the right to determine who or what should be allowed access to their object. Quite often the rules of access are recorded in a rule base or access control list.

An object:

  • Is a building, a computer, a file, a database, a printer or scanner, a server, a communications resource, a block of memory, an input/output port, a person, a software task, thread or process.
  • Is anything that provides service to a user.
  • Is passive.
  • Responds to a request.
  • May have a classification.

Rules

  • An access rule is an instruction developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. One example of a rule is a firewall access control list. By default, firewalls deny access from any address to any address, on any port. For a firewall to be useful, however, it needs more rules. A rule might be added to allow access from the inside network to the outside network. Here we are describing a rule that allows access to the object “outside network” by the subject having the address “inside network.” In another example, when a user (subject) attempts to access a file (object), a rule validates the level of access, if any, the user should have to that file. To do this, the rule will contain or reference a set of attributes that define what level of access has been determined to be appropriate.

    A rule can:

    • Compare multiple attributes to determine appropriate access.
    • Allow access to an object.
    • Define how much access is allowed.
    • Deny access to an object.
    • Apply time-based access.

Aside: Controls are used to reduce risk to within the risk tolerance of an individual or organization. A physical control would be a seat belt. An administrative control would be the law requiring seat belts to be worn. Both help reduce the risk of driving to a level that drivers and society can accept.

Another non-technical example is a tall bookshelf. Because a tall bookshelf risks tipping over and possibly injuring someone, many local building codes or regulations require that shelves be fastened to the wall with straps or brackets. In this case, the risk is injury to a person. The logical control is the building code, and the actual attachment of the shelf to the wall is the physical control. Logical and physical controls work together to reduce risk.

Defense in Depth

As you can see, we are not just looking at system access. We are looking at all access permissions including building access, access to server rooms, access to networks and applications and utilities. These are all implementations of access control and are part of a layered defense strategy, also known as defense in depth, developed by an organization.

Defense in depth describes an information security strategy that integrates people, technology and operations capabilities to establish variable barriers across multiple layers and missions of the organization. It applies multiple countermeasures in a layered fashion to fulfill security objectives. Defense in depth should be implemented to prevent or deter a cyberattack, but it cannot guarantee that an attack will not occur.

A technical example of defense in depth, in which multiple layers of technical controls are implemented, is when a username and password are required for logging in to your account, followed by a code sent to your phone to verify your identity. This is a form of multi-factor authentication using methods on two layers, something you have and something you know. The combination of the two layers is much more difficult for an adversary to obtain than either of the authentication codes individually.

Another example of multiple technical layers is when additional firewalls are used to separate untrusted networks with differing security requirements, such as the internet from trusted networks that house servers with sensitive data in the organization. When a company has information at multiple sensitivity levels, it might require the network traffic to be validated by rules on more than one firewall, with the most sensitive information being stored behind multiple firewalls.

For a non-technical example, consider the multiple layers of access required to get to the actual data in a data center. First, a lock on the door provides a physical barrier to access the data storage devices. Second, a technical access rule prevents access to the data via the network. Finally, a policy, or administrative control defines the rules that assign access to authorized individuals.


Aside: A data center may have multiple layers of defense. There are administrative controls, such as policies and procedures. Then there are logical or technical controls, including programming that restricts access. There are also physical controls, which in our highly technical world we sometimes forget. However much we focus on cloud computing and virtualization, there is always a physical location where information is stored or processed, on a physical hard drive in a physical computer. Even in the data center of a large organization providing cloud computing services, for example, there is still a physical side to the storage and processing of information.

Principle of Least Privilege

The Principle of Least Privilege is a standard of permitting only minimum access necessary for users or programs to fulfill their function. Users are provided access only to the systems and programs they need to perform their specific job or tasks.

To preserve the confidentiality of information and ensure that it is only available to personnel who are authorized to see it, we use privileged access management, which is based on the principle of least privilege. That means each user is granted access only to the items they need and nothing further.

For example, only individuals working in billing will be allowed to view consumer financial data, and even fewer individuals will have the authority to change or delete that data. This maintains confidentiality and integrity while also allowing availability by providing administrative access with an appropriate password or sign-on that proves the user has the appropriate permissions to access that data.

Sometimes it is necessary to allow users to access the information via a temporary or limited access, for instance, for a specific time period or just within normal business hours. Or access rules can limit the fields that the individuals can have access to. One example is a healthcare environment. Some workers might have access to patient data but not their medical data. Individual doctors might have access only to data related to their own patients. In some cases, this is regulated by law, such as HIPAA in the United States, and by specific privacy laws in other countries.

Systems often monitor access to private information, and if logs indicate that someone has attempted to access a database without the proper permissions, that will automatically trigger an alarm. The security administrator will then record the incident and alert the appropriate people to take action.

The more critical information a person has access to, the greater the security should be around that access. They should definitely have multi-factor authentication, for instance.

Privileged Access Management

Privileged access management provides the first and perhaps most familiar use case. Consider a human user identity that is granted various create, read, update, and delete privileges on a database. Without privileged access management, the system’s access control would have those privileges assigned to the administrative user in a static way, effectively “on” 24 hours a day, every day. Security would be dependent upon the login process to prevent misuse of that identity. Just-in-time privileged access management, by contrast, includes role-based specific subsets of privileges that only become active in real time when the identity is requesting the use of a resource or service.

Consider this scenario explaining why privileged access management is important:

ABC, Inc., has a small IT department that is responsible for user provisioning and administering systems. To save time, the IT department employees added their IDs to the Domain Admins group, effectively giving them access to everything within the Windows server and workstation environment. While reviewing an invoice that was received via email, they opened an email that had a malicious attachment that initiated a ransomware attack. Since they are using Domain Admin privileges, the ransomware was able to encrypt all the files on all servers and workstations. A privileged access management solution could limit the damage done by this ransomware if the administrator privileges are only used when performing a function requiring that level of access. Routine operations, such as daily email tasks, are done without a higher level of access.
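An added example, not from the course material, of the difference the passage describes: two administrators, one sitting permanently in a privileged group and one who receives the role through a just-in-time broker whose grant expires after a short window. Role and privilege names, the 30-minute window and the two identities are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role catalogue (illustrative names, not a real directory schema).
ROLES: dict[str, frozenset[str]] = {
    "mail-user": frozenset({"read-mail", "send-mail"}),
    "domain-admin": frozenset({"reset-password", "join-computer", "write-any-share"}),
}


@dataclass(frozen=True)
class Grant:
    """A just-in-time elevation: a role that is active only until it expires."""
    role: str
    granted: datetime
    expires: datetime
    justification: str


@dataclass
class AccessModel:
    standing: dict[str, frozenset[str]] = field(default_factory=dict)   # static group membership
    jit: dict[str, list[Grant]] = field(default_factory=dict)            # time-bound grants
    audit: list[str] = field(default_factory=list)

    def add_standing(self, identity: str, role: str) -> None:
        """Static assignment: the privilege is 'on' 24 hours a day, every day."""
        self.standing[identity] = self.standing.get(identity, frozenset()) | {role}

    def request_elevation(self, identity: str, role: str, now: datetime,
                          justification: str, ttl: timedelta = timedelta(minutes=30)) -> Grant:
        """JIT assignment: the role becomes active now and lapses after ttl."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        grant = Grant(role, now, now + ttl, justification)
        self.jit.setdefault(identity, []).append(grant)
        self.audit.append(f"{now:%H:%M} {identity} elevated to {role} "
                          f"until {grant.expires:%H:%M}: {justification}")
        return grant

    def effective_privileges(self, identity: str, now: datetime) -> frozenset[str]:
        """Union of standing roles and the JIT grants that are unexpired at 'now'."""
        roles = set(self.standing.get(identity, frozenset()))
        roles |= {g.role for g in self.jit.get(identity, []) if g.granted <= now < g.expires}
        privs: set[str] = set()
        for role in roles:
            privs |= ROLES[role]
        return frozenset(privs)


def attachment_can_encrypt_shares(model: AccessModel, identity: str, now: datetime) -> bool:
    """A malicious attachment runs with whatever the person reading the mail holds at that moment."""
    return "write-any-share" in model.effective_privileges(identity, now)


def build_scenario() -> AccessModel:
    """Two admins from the ABC, Inc. story: one static, one using JIT elevation."""
    model = AccessModel()
    model.add_standing("static-admin", "mail-user")
    model.add_standing("static-admin", "domain-admin")   # sits in Domain Admins permanently
    model.add_standing("jit-admin", "mail-user")
    model.request_elevation("jit-admin", "domain-admin", datetime(2024, 3, 4, 9, 0),
                            "join new workstation to the domain")
    return model


MORNING_TASK = datetime(2024, 3, 4, 9, 10)   # inside the JIT window
MAIL_TIME = datetime(2024, 3, 4, 11, 0)      # routine email; the window has lapsed

if __name__ == "__main__":
    m = build_scenario()
    for who in ("static-admin", "jit-admin"):
        print(who, "at mail time:", sorted(m.effective_privileges(who, MAIL_TIME)),
              "-> attachment could encrypt shares:", attachment_can_encrypt_shares(m, who, MAIL_TIME))
```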

Privileged Accounts

Privileged accounts are those with permissions beyond those of normal users, such as managers and administrators.

Broadly speaking, these accounts have elevated privileges and are used by many different classes of users, including:

  • Systems administrators, who have the principal responsibilities for operating systems, applications deployment and performance management.
  • Help desk or IT support staff, who often need to view or manipulate endpoints, servers and applications platforms by using privileged or restricted operations.
  • Security analysts, who may require rapid access to the entire IT infrastructure, systems, endpoints and data environment of the organization.

Other classes of privileged user accounts may be created on a per-client or per-project basis, to allow a member of that project or client service team to have greater control over data and applications.

Segregation of Duties

A core element of authorization is the principle of segregation of duties (also known as separation of duties). Segregation of duties is based on the security practice that no one person should control an entire high-risk transaction from start to finish. Segregation of duties breaks the transaction into separate parts and requires a different person to execute each part of the transaction. For example, an employee may submit an invoice for payment to a vendor (or for reimbursement to themselves), but it must be approved by a manager prior to payment; in another instance, almost anyone may submit a proposal for a change to a system configuration, but the request must go through technical and management review and gain approval, before it can be implemented.

These steps can prevent fraud or detect an error in the process before implementation. It could be that the same employee might be authorized to originally submit invoices regarding one set of activities, but not approve them, and yet also have approval authority but not the right to submit invoices on another. It is possible, of course, that two individuals can willfully work together to bypass the segregation of duties, so that they could jointly commit fraud. This is called collusion.

Another implementation of segregation of duties is dual control. This would apply at a bank where there are two separate combination locks on the door of the vault. Some personnel know one of the combinations and some know the other, but no one person knows both combinations. Two people must work together to open the vault; thus, the vault is under dual control.

Two-Person Integrity

The two-person rule is a security strategy that requires a minimum of two people to be in an area together, making it impossible for a person to be in the area alone. Many access control systems prevent an individual cardholder from entering a selected high-security area unless accompanied by at least one other person. Use of the two-person rule can help reduce insider threats to critical areas by requiring at least two individuals to be present at any time. It is also used for life safety within a security area; if one person has a medical emergency, there will be assistance present.
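An added example (not from the course material) that puts the three controls above into code: submit and approve on an invoice must be done by different people and are checked against a per-activity entitlement matrix, a vault opens only when holders of both combinations are present, and the two-person rule refuses an entry that would leave someone alone. The people, activities and combination holders are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import count


class SegregationViolation(Exception):
    """One person would control more of a high-risk transaction than policy allows."""


# Constructed entitlement matrix: person -> activity -> actions. Each person may submit
# on one set of activities and approve on another, never both on the same activity.
ENTITLEMENTS: dict[str, dict[str, set[str]]] = {
    "alice": {"travel": {"submit"}, "procurement": {"approve"}},
    "bob": {"travel": {"approve"}, "procurement": {"submit"}},
    "carol": {"travel": {"approve"}},
}


def toxic_combinations(entitlements: dict[str, dict[str, set[str]]]) -> list[tuple[str, str]]:
    """Provisioning-time check: who holds both submit and approve on one activity."""
    return [(person, activity)
            for person, activities in entitlements.items()
            for activity, actions in activities.items()
            if {"submit", "approve"} <= actions]


@dataclass
class Invoice:
    ident: int
    activity: str
    amount: float
    submitted_by: str
    approved_by: str | None = None
    paid: bool = False


@dataclass
class Ledger:
    """Splits an invoice into submit, approve and pay, each gated separately."""
    entitlements: dict[str, dict[str, set[str]]]
    invoices: dict[int, Invoice] = field(default_factory=dict)
    _ids: count = field(default_factory=lambda: count(1), repr=False)

    def _may(self, person: str, activity: str, action: str) -> bool:
        return action in self.entitlements.get(person, {}).get(activity, set())

    def submit(self, person: str, activity: str, amount: float) -> Invoice:
        if not self._may(person, activity, "submit"):
            raise SegregationViolation(f"{person} may not submit {activity} invoices")
        inv = Invoice(next(self._ids), activity, amount, person)
        self.invoices[inv.ident] = inv
        return inv

    def approve(self, ident: int, approver: str) -> Invoice:
        inv = self.invoices[ident]
        if approver == inv.submitted_by:   # the core rule: never your own transaction
            raise SegregationViolation(f"{approver} may not approve an invoice they submitted")
        if not self._may(approver, inv.activity, "approve"):
            raise SegregationViolation(f"{approver} may not approve {inv.activity} invoices")
        inv.approved_by = approver
        return inv

    def pay(self, ident: int) -> Invoice:
        inv = self.invoices[ident]
        if inv.approved_by is None:
            raise SegregationViolation("payment requires a prior approval")
        inv.paid = True
        return inv


def run_invoice_scenario() -> dict[str, object]:
    """Walk one travel invoice through the controls and record what was refused."""
    ledger = Ledger(ENTITLEMENTS)
    refused: list[str] = []
    inv = ledger.submit("alice", "travel", 120.0)
    for approver in ("alice", "bob"):   # alice submitted it; bob may approve travel
        try:
            ledger.approve(inv.ident, approver)
        except SegregationViolation as exc:
            refused.append(str(exc))
    return {"refused": refused, "approved_by": inv.approved_by, "paid": ledger.pay(inv.ident).paid}


# Dual control: two combination locks, and no one person knows both combinations.
COMBINATION_HOLDERS: dict[str, set[str]] = {"dial-1": {"dana", "eve"}, "dial-2": {"frank", "grace"}}


def vault_opens(present: set[str], holders: dict[str, set[str]] = COMBINATION_HOLDERS) -> bool:
    """Every lock needs one of its holders present, and the holders must be distinct people."""
    openers = [present & who for who in holders.values()]
    return all(openers) and len(set().union(*openers)) >= len(holders)


def two_person_rule_allows(entrants: set[str], already_inside: set[str]) -> bool:
    """Nobody may be in the area alone: entry is allowed only if two or more people result."""
    return bool(entrants) and len(entrants | already_inside) >= 2
```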

Authorized Versus Unauthorized Personnel

Subjects are authorized access to objects after they have been authenticated. Remember from earlier sections that authentication is confirming the identity of the subject. Once a subject has been authenticated, the system checks its authorization to see if it is allowed to complete the action it is attempting. This is usually done via a security matrix accessed by the system controlling the access, based on pre-approved levels. For example, when a person presents an ID badge to the data center door, the system checks the ID number, compares that to a security matrix within the system, and unlocks the door if the ID is authorized. If the ID is not authorized to unlock the door, it will remain locked. In another example, a user attempts to delete a file. The file system checks the permissions to see if the user is authorized to delete the file. If the user is authorized, the file is deleted. If the user is not authorized, an error message is displayed, and the file is left untouched.

How Users Are Provisioned

Other situations that call for provisioning new user accounts or changing privileges include:

  • A new employee—When a new employee is hired, the hiring manager sends a request to the security administrator to create a new user ID. This request authorizes creation of the new ID and provides instructions on appropriate access levels. Additional authorization may be required by company policy for elevated permissions.
  • Change of position—When an employee has been promoted, their permissions and access rights might change as defined by the new role, which will dictate any added privileges and updates to access. At the same time, any access that is no longer needed in the new job will be removed.
  • Separation of employment—When employees leave the company, depending on company policy and procedures, their accounts must be disabled after the termination date and time. It is recommended that accounts be disabled for a period before they are deleted to preserve the integrity of any audit trails or files that may be owned by the user. Since the account will no longer be used, it should be removed from any security roles or additional access profiles. This protects the company, so the separated employee is unable to access company data after separation, and it also protects them because their account cannot be used by others to access data.

NOTE: Upon hiring or changing roles, a best practice is to not copy user profiles to new users, because this promotes “permission or privilege creep.” For example, if an employee is given additional access to complete a task and that access is not removed when the task is completed, and then that user’s profile is copied to create a new user ID, the new ID is created with more permissions than are needed to complete their functions. It is recommended that standard roles are established, and new users are created based on those standards rather than an actual user.
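As an added example (not part of the course notes), the provisioning events above and the note's warning in code: accounts built from a standard role carry no extras, copying an existing profile carries its accumulated rights along, a position change strips whatever the new role does not define, and separation disables first and deletes only after a hold period. The roles, permission names and 90-day hold are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed standard roles: the baseline set of permissions a role should carry.
STANDARD_ROLES: dict[str, frozenset[str]] = {
    "accounts-payable": frozenset({"email", "erp-invoice-submit", "finance-share-read"}),
    "ap-manager": frozenset({"email", "erp-invoice-approve", "finance-share-read"}),
}


@dataclass
class Account:
    user_id: str
    role: str
    permissions: set[str]
    enabled: bool = True
    disabled_on_day: int | None = None   # day number, to keep the example clock simple


def provision_from_role(user_id: str, role: str) -> Account:
    """Recommended: build the new account from the standard role and nothing else."""
    return Account(user_id, role, set(STANDARD_ROLES[role]))


def provision_by_copy(user_id: str, template: Account) -> Account:
    """Discouraged: copying an existing profile carries its accumulated extras along."""
    return Account(user_id, template.role, set(template.permissions))


def privilege_creep(account: Account) -> set[str]:
    """Permissions beyond what the account's standard role defines."""
    return account.permissions - STANDARD_ROLES[account.role]


def change_position(account: Account, new_role: str) -> set[str]:
    """On promotion or transfer, apply the new role and return what was removed."""
    removed = account.permissions - STANDARD_ROLES[new_role]
    account.role = new_role
    account.permissions = set(STANDARD_ROLES[new_role])
    return removed


def separate(account: Account, today: int) -> None:
    """Disable first; keep the account (and its audit trail) until the hold period ends."""
    account.enabled = False
    account.disabled_on_day = today
    account.permissions.clear()   # removed from every role and access profile


def purge_due(accounts: list[Account], today: int, hold_days: int = 90) -> list[str]:
    """Delete only disabled accounts whose hold period has elapsed; return their ids."""
    due = [a.user_id for a in accounts
           if not a.enabled and a.disabled_on_day is not None
           and today - a.disabled_on_day >= hold_days]
    accounts[:] = [a for a in accounts if a.user_id not in due]
    return due


def creep_audit(accounts: list[Account]) -> dict[str, set[str]]:
    """Which active accounts hold more than their role defines."""
    return {a.user_id: privilege_creep(a) for a in accounts if a.enabled and privilege_creep(a)}


def build_scenario() -> list[Account]:
    """jsmith got a temporary export right for a project that was never removed."""
    jsmith = provision_from_role("jsmith", "accounts-payable")
    jsmith.permissions.add("erp-export")
    copied = provision_by_copy("alee", jsmith)              # inherits the stale extra
    from_role = provision_from_role("bkim", "accounts-payable")
    return [jsmith, copied, from_role]


def separation_lifecycle() -> tuple[list[str], list[str]]:
    """Separate jsmith on day 0: nothing is deleted at day 30, the account goes at day 90."""
    accounts = build_scenario()
    separate(accounts[0], today=0)
    return purge_due(accounts, today=30), purge_due(accounts, today=90)
```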

Which roles would receive regular account permissions? (Select all that apply.)

  • Part-time Employee
  • Remote Employee
  • Chief Information Security Officer
  • Network Admin
  • System Admin
  • Full-time Employee
  • Temporary Employee
  • Manager/Team Lead

A Privileged User Account: (Select all that would apply.)

  • Has access to interact directly with servers and other infrastructure devices.
  • Has access to log on only to authorized workstations. (This option is incorrect.)
  • Is most likely to have read-only access to a database. (This option is incorrect.)
  • Has access levels that are typically needed for daily business operations. (This option is incorrect.)
  • Has the lowest level of logging associated with actions. (This option is incorrect.)
  • Should require the use of MFA.
  • Uses the most stringent access control.
  • Has the highest level of logging associated with actions.
  • Often has the ability to create users and assign permissions.

Module 2: Understand Physical Access Controls (D3.1)

Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include security guards, fences, motion detectors, locked doors/gates, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, cameras, mantraps/turnstiles, and alarms.

Physical access controls are necessary to protect the assets of a company, including its most important asset, people. When considering physical access controls, the security of the personnel always comes first, followed by securing other physical assets.

Physical access controls include fences, barriers, turnstiles, locks and other features that prevent unauthorized individuals from entering a physical site, such as a workplace. This is to protect not only physical assets such as computers from being stolen, but also to protect the health and safety of the personnel inside.

Types of Physical Access Controls

Many types of physical access control mechanisms can be deployed in an environment to control, monitor and manage access to a facility. These range from deterrents to detection mechanisms. Each area requires unique and focused physical access controls, monitoring and prevention mechanisms. The following sections discuss many such mechanisms that may be used to control access to various areas of a site, including perimeter and internal security.

Badge Systems and Gate Entry

Physical security controls for human traffic are often done with technologies such as turnstiles, mantraps and remotely or system-controlled door locks. For the system to identify an authorized employee, an access control system needs to have some form of enrollment station used to assign and activate an access control device. Most often, a badge is produced and issued with the employee’s identifiers, with the enrollment station giving the employee specific areas that will be accessible. In high-security environments, enrollment may also include biometric characteristics. In general, an access control system compares an individual’s badge against a verified database. If authenticated, the access control system sends output signals allowing authorized personnel to pass through a gate or a door to a controlled area. The systems are typically integrated with the organization’s logging systems to document access activity (authorized and unauthorized).

A range of card types allow the system to be used in a variety of environments. These cards include:

  • Bar code
  • Magnetic stripe
  • Proximity
  • Smart
  • Hybrid

Environmental Design

Crime Prevention through Environmental Design (CPTED) approaches the challenge of creating safer workspaces through passive design elements. This has great applicability for the information security community as security professionals design, operate and assess the organizational security environment. Other practices, such as standards for building construction and data centers, also affect how we implement controls over our physical environment. Security professionals should be familiar with these concepts so they can successfully advocate for functional and effective physical spaces where information is going to be created, processed and stored.

CPTED provides direction to solve the challenges of crime with organizational (people), mechanical (technology and hardware) and natural design (architectural and circulation flow) methods. By directing the flow of people, using passive techniques to signal who should and should not be in a space and providing visibility to otherwise hidden spaces, the likelihood that someone will commit a crime in that area decreases.

Biometrics

To authenticate a user’s identity, biometrics uses characteristics unique to the individual seeking access. A biometric authentication solution entails two processes.

  • Enrollment—during the enrollment process, the user’s registered biometric code is either stored in a system or on a smart card that is kept by the user.
  • Verification—during the verification process, the user presents their biometric data to the system so that the biometric data can be compared with the stored biometric code.

Even though the biometric data may not be secret, it is personally identifiable information, and the protocol should not reveal it without the user’s consent. Biometrics takes two primary forms, physiological and behavioral.

Physiological systems measure the characteristics of a person such as a fingerprint, iris scan (the colored portion around the outside of the pupil in the eye), retinal scan (the pattern of blood vessels in the back of the eye), palm scan and venous scans that look for the flow of blood through the veins in the palm. Some biometrics devices combine processes together—such as checking for pulse and temperature on a fingerprint scanner—to detect counterfeiting.

Behavioral systems measure how a person acts by measuring voiceprints, signature dynamics and keystroke dynamics. As a person types, a keystroke dynamics system measures behavior such as the delay rate (how long a person holds down a key) and transfer rate (how rapidly a person moves between keys).

Biometric systems are considered highly accurate, but they can be expensive to implement and maintain because of the cost of purchasing equipment and registering all users. Users may also be uncomfortable with the use of biometrics, considering them to be an invasion of privacy or presenting a risk of disclosure of medical information (since retina scans can disclose medical conditions). A further drawback is the challenge of sanitization of the devices.

Monitoring

The use of physical access controls and monitoring personnel and equipment entering and leaving as well as auditing/logging all physical events are primary elements in maintaining overall organizational security.

Cameras

Cameras are normally integrated into the overall security program and centrally monitored. Cameras provide a flexible method of surveillance and monitoring. They can be a deterrent to criminal activity, can detect activities if combined with other sensors and, if recorded, can provide evidence after the activity. They are often used in locations where access is difficult or there is a need for a forensic record.

While cameras provide one tool for monitoring the external perimeter of facilities, other technologies augment their detection capabilities. A variety of motion sensor technologies can be effective in exterior locations. These include infrared, microwave and lasers trained on tuned receivers. Other sensors can be integrated into doors, gates and turnstiles, and strain-sensitive cables and other vibration sensors can detect if someone attempts to scale a fence. Proper integration of exterior or perimeter sensors will alert an organization to any intruders attempting to gain access across open space or attempting to breach the fence line.

Logs

In this section, we are concentrating on the use of physical logs, such as a sign-in sheet maintained by a security guard, or even a log created by an electronic system that manages physical access. Electronic systems that capture system and security logs within software will be covered in another section.

A log is a record of events that have occurred. Physical security logs are essential to support business requirements. They should capture and retain information for as long as legal or business reasons require. Because logs may be needed to prove compliance with regulations and to support a forensic investigation, they must be protected from manipulation: a log that anyone can edit after the fact proves nothing. Logs may also contain sensitive data about customers or users and should be protected from unauthorized disclosure.

The organization should have a policy to review logs regularly as part of its security program. As part of its log processes, guidelines for log retention must be established and followed. If organizational policy states that standard log files are retained for only six months, that is all the organization should have: holding logs beyond the retention period is itself a deviation from policy and enlarges what may have to be produced under a legal hold or disclosed after a breach.

A log anomaly is anything out of the ordinary. Identifying log anomalies is often the first step in identifying security-related issues, both during an audit and during routine monitoring. Some anomalies are glaringly obvious, for example gaps in date/time stamps (a reader or controller that should report continuously has gone quiet) or account lockouts (repeated failed attempts). Others are harder to detect, such as someone trying to write data to a protected directory. Although logging everything so that no important data is missed may seem the best approach, most organizations would soon drown in the amount of data collected; the practical answer is to decide in advance which events matter and to review them against a known baseline.

Business and legal requirements for log retention vary among economies, countries and industries. Some businesses have no requirements for data retention. Others are mandated by the nature of their business or by business partners to comply with specific retention requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that audit log history be retained for at least one year, with at least the most recent three months immediately available for analysis. Some federal regulations include data retention requirements as well.

If a business has no business or legal requirement to retain log data, how long should the organization keep it? The first people to ask are the legal department. Most legal departments have very specific guidelines for data retention, and those guidelines may drive the log retention policy.

Security Guards

Security guards are an effective physical security control. No matter what form of physical access control is used, a security guard or other monitoring system discourages a person from masquerading as someone else or from following closely on the heels of an authorized person to gain entry (tailgating). This helps prevent theft and abuse of equipment or information.

Alarm Systems

Alarm systems are commonly found on doors and windows in homes and office buildings. In their simplest form, they are designed to alert the appropriate personnel when a door or window is opened unexpectedly.

For example, an employee may enter a code and/or swipe a badge to open a door, and that action would not trigger an alarm. If the same door were opened by force, without someone entering the correct code or using an authorized badge, an alarm would be activated. The distinction is made by correlating the door contact sensor with the access controller: an opening that was not preceded by an authorized unlock is treated as forced.

Another alarm system is a fire alarm, which may be activated by heat or smoke at a sensor and will likely sound an audible warning to protect human lives in the vicinity. It will likely also contact local response personnel as well as the closest fire department.

Finally, another common type of alarm system is the panic button. Once activated, a panic button alerts the appropriate police or security personnel.

Module 3: Understanding Logical Access Controls (D3.2)

Whereas physical access controls are tangible methods or mechanisms that limit someone from getting access to an area or asset, logical access controls are electronic methods that limit someone from getting access to systems, and sometimes even to tangible assets or areas. Types of logical access controls include:

  • Passwords
  • Biometrics (implemented on a system, such as a smartphone or laptop)
  • Badge/token readers connected to a system

These types of electronic tools limit who can get logical access to an asset, even if the person already has physical access.

Discretionary Access Control (DAC)

Discretionary access control (DAC) is a specific type of access control policy that is enforced over all subjects and objects in an information system. In DAC, the policy specifies that a subject who has been granted access to information can do one or more of the following:

  • Pass the information to other subjects or objects
  • Grant its privileges to other subjects
  • Change security attributes on subjects, objects, information systems or system components
  • Choose the security attributes to be associated with newly created or revised objects; and/or
  • Change the rules governing access control; mandatory access controls restrict this capability

Most information systems in the world are DAC systems. In a DAC system, a user who has access to a file is usually able to share that file with, or pass it to, someone else, which grants that person almost the same level of access as the original owner of the file. Rule-based access control systems are usually a form of DAC.

DAC Example

Discretionary access control systems allow users to establish or change these permissions on files they create or otherwise own.

Steve and Aidan, for example, are two users (subjects) in a UNIX environment operating with DAC in place. Typically, systems create and maintain a table that maps subjects to objects, as shown in the image. At each intersection is the set of permissions that a given subject has for a specific object. Many operating systems, such as Windows, the whole Unix family tree (including Linux) and iOS, use this type of data structure to make fast, accurate decisions about authorizing or denying an access request. Note that this data can be viewed as either rows or columns:

  • An object's access control list shows the total set of subjects who have any permissions at all for that specific object.
  • A subject's capabilities list shows each object in the system that the subject has any permissions for.

[Image not available: table of subjects (rows) against objects (columns), with the permission set at each intersection]

This methodology relies on the discretion of the owner of the access control object to determine the access control subject's specific rights. Hence, the security of the object is literally up to the discretion of the object owner. DAC is not very scalable: it relies on the access control decisions made by each individual object owner, and it can be difficult to find the source of access control issues when problems occur. It also cannot contain information once it has been read: a subject with read access can copy the object into a new object they own and share that copy with anyone.

DAC in the Workplace

Most information systems are DAC systems. In a DAC system, a user who has access to a file is able to share that file with or pass it to someone else. It is at the discretion of the asset owner whether to grant or revoke access for a user. For access to computer files, this can be shared-file or password protections. For example, if you create a file in an online file sharing platform you can restrict who sees it; that is up to your discretion. Or it may be something low-tech and temporary, such as a visitor's badge provided at the discretion of the worker at the security desk.

Mandatory Access Control (MAC)

A mandatory access control (MAC) policy is one that is uniformly enforced across all subjects and objects within the boundary of an information system. In simplest terms, this means that only properly designated security administrators, as trusted subjects, can modify any of the security rules established for subjects and objects within the system. It also means that for all subjects defined by the organization (that is, known to its integrated identity management and access control system), the organization assigns a subset of the total privileges for a subset of objects, such that the subject is constrained from doing any of the following:

  • Passing the information to unauthorized subjects or objects
  • Granting its privileges to other subjects
  • Changing one or more security attributes on subjects, objects, the information system or system components
  • Choosing the security attributes to be associated with newly created or modified objects
  • Changing the rules governing access control

Although MAC sounds very similar to DAC, the primary difference is who controls access. Under Mandatory Access Control, access rights are assigned by policy, administered by security administrators, and the subject can neither alter nor delegate them; under Discretionary Access Control, it is up to the object owner's discretion.

MAC in the Workplace

Mandatory access control is also determined by the owner of the assets, but on a more across-the-board basis, with little individual decision-making about who gets access.

For example, at certain government agencies, personnel must hold a certain type of security clearance to get access to certain areas. In general, this level of access is set by government policy and not by an individual giving permission based on their own judgment.

Often this is accompanied by separation of duties, where your scope of work is limited and you do not have access to information that does not concern you; someone else handles that information. This separation of duties is also facilitated by role-based access control, as we will discuss next.

Role-Based Access Control (RBAC)

Role-based access control (RBAC), as the name suggests, sets up user permissions based on roles. Each role represents users with similar or identical permissions.


RBAC in the Workplace

Role-based access control gives each worker privileges based on their role in the organization. Only Human Resources staff have access to personnel files, for example; only Finance has access to bank accounts; each manager has access to their own direct reports and their own department. Very high-level system administrators may have access to everything; new employees have very limited access, the minimum required to do their jobs.

Monitoring these role-based permissions is important. If you expand one person's permissions for a specific reason, say a junior worker's permissions are expanded so they can temporarily act as the department manager, but you forget to change them back when the new manager is hired, then the next person to come in at that junior level might inherit those permissions when it is not appropriate for them to have them. This is called privilege creep or permissions creep. We discussed this before, when we were talking about provisioning new users.

Having multiple roles with different combinations of permissions can require close monitoring to make sure everyone has the access they need to do their jobs and nothing more. In a world where jobs are ever-changing, this can be a challenge to keep track of, especially with extremely granular roles and permissions. On hiring or a change of role, a best practice is not to copy an existing user's profile to the new user. Instead, establish standard roles and create new users from those standards rather than from an actual user's profile. That way, new employees start with the appropriate roles and permissions, and any ad hoc permissions the template user had accumulated are not carried over.
