2.2. Functional Control (FC)

The role-based model of functional control assigns one role to each user, e.g. general user, security officer or system administrator. Every object gets a category, e.g. general, security or system object.

The security officer states which roles are compatible with which object categories, or in other words, users in which roles can access objects in which categories. The security system enforces these settings.

The file/dir/fifo attribute object_category can be inherited from the parent dir.

In the simple version that is implemented in RSBAC, the functional control model can only protect system data and security-relevant data, but it already enforces separation of duties between the two special roles. Extending it to more, and more flexible, roles could turn it into a strong model. Because it does not distinguish between different access modes, this model should only be used as part of a combined system.
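The decision described above, sketched in C as an added example (not RSBAC source code): the type and function names, the sample compatibility matrix, the sample object tree and the deny-on-unresolved-inheritance behaviour are all assumptions made for illustration.

```c
/* Added illustration of the FC decision; names and policy are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum fc_role { ROLE_USER, ROLE_SECOFF, ROLE_SYSADM, ROLE_COUNT };
enum fc_cat  { CAT_GENERAL, CAT_SECURITY, CAT_SYSTEM, CAT_COUNT, CAT_INHERIT };

/* A file, dir or fifo; parent is NULL at the top of the tree. */
struct fc_object {
    const char *name;
    enum fc_cat category;
    const struct fc_object *parent;
};

/* Assumed security-officer policy: compat[role][category]. */
static const bool compat[ROLE_COUNT][CAT_COUNT] = {
    /*                general security system */
    [ROLE_USER]   = { true,   false,   false },
    [ROLE_SECOFF] = { true,   true,    false },
    [ROLE_SYSADM] = { true,   false,   true  },
};

/* Walk up the parent dirs until an explicit category is found. A chain that
 * never resolves yields CAT_COUNT, which no role matches (assumed fail-closed). */
enum fc_cat fc_effective_category(const struct fc_object *obj)
{
    for (; obj != NULL; obj = obj->parent)
        if (obj->category != CAT_INHERIT)
            return obj->category;
    return CAT_COUNT;
}

/* No access-mode parameter: the model does not distinguish read from write. */
bool fc_access_allowed(enum fc_role role, const struct fc_object *obj)
{
    enum fc_cat cat = fc_effective_category(obj);
    return role < ROLE_COUNT && cat < CAT_COUNT && compat[role][cat];
}

/* Constructed sample tree: two files inherit from differently labelled dirs. */
static const struct fc_object root   = { "/",            CAT_GENERAL,  NULL };
static const struct fc_object sysdir = { "/sysdir",      CAT_SYSTEM,   &root };
static const struct fc_object sysfile = { "/sysdir/conf", CAT_INHERIT, &sysdir };
static const struct fc_object secdir = { "/secdir",      CAT_SECURITY, &root };
static const struct fc_object secfile = { "/secdir/log", CAT_INHERIT,  &secdir };
static const struct fc_object orphan = { "orphan",       CAT_INHERIT,  NULL };

int main(void) { printf("%d\n", fc_access_allowed(ROLE_SYSADM, &sysfile)); return 0; }
```

With this policy the administrator cannot reach the security officer's data and vice versa, which is the separation of duties between the two special roles; any role that is allowed to reach an object may use it in every access mode.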

FC can easily be expressed with the RC model, so it is kind of obsolete. The RC default settings are very similar to this model.

You should use this model only to gain experience, as a basis for other, more powerful models.