21  Access Control Knowledge Check

Test Your Understanding and Challenge Exercises

21.1 Learning Objectives

This chapter helps you:

  • Test your understanding of advanced access control concepts
  • Practice analyzing security scenarios
  • Apply knowledge to real-world IoT security challenges
  • Explore advanced implementation challenges

21.2 Knowledge Check: Token Lifecycle


21.3 Knowledge Check: API Keys vs Tokens


21.4 Knowledge Check: Session Idle Timeout


21.5 Knowledge Check: OAuth Device Authorization


21.6 Knowledge Check: Authentication vs Authorization


21.7 Knowledge Check: Constrained Device Authentication


21.8 Knowledge Check: AAA Accounting Layer


21.9 Knowledge Check: Privilege Escalation Prevention


21.10 Challenge Exercises

Challenge 1: Implement Capability Delegation

Add the ability for users with the GRANT capability to temporarily delegate a subset of their capabilities to another user:

  1. Create a delegation token with source and target user IDs
  2. Delegated capabilities cannot exceed the grantor’s current capabilities
  3. Delegation expires when the grantor’s session ends
  4. Log all delegation events for audit trail
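
One way to approach Challenge 1, shown as an added example that is not part of the original chapter or its lab code. The `Cap` bit values, the `Session` and `Delegation` records, the `ttl` default, and the in-memory `audit_log` are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from enum import IntFlag

class Cap(IntFlag):              # constructed capability bits (assumption)
    READ = 1
    WRITE = 2
    CONFIG = 4
    GRANT = 8

@dataclass
class Session:                   # hypothetical session record
    user_id: str
    caps: Cap
    active: bool = True

@dataclass(frozen=True)
class Delegation:                # the delegation token (step 1)
    source: str
    target: str
    caps: Cap
    grantor: Session             # live reference, consulted on every use
    expires_at: float

audit_log = []                   # in-memory stand-in for an audit sink (step 4)

def audit(event, **details):
    audit_log.append({"ts": time.time(), "event": event, **details})

def delegate(grantor, target, requested, ttl=300.0):
    """Issue a delegation token or raise PermissionError; both paths are logged."""
    info = dict(source=grantor.user_id, target=target, requested=int(requested))
    if not grantor.active or Cap.GRANT not in grantor.caps:
        audit("delegation_denied", reason="grantor lacks GRANT", **info)
        raise PermissionError("grantor lacks GRANT")
    if (requested & grantor.caps) != requested:   # step 2: must be a subset
        audit("delegation_denied", reason="exceeds grantor", **info)
        raise PermissionError("requested capabilities exceed grantor's")
    audit("delegation_issued", **info)
    return Delegation(grantor.user_id, target, requested, grantor, time.time() + ttl)

def effective_caps(d, now=None):
    """Capabilities the token confers right now, re-evaluated on every use."""
    now = time.time() if now is None else now
    if not d.grantor.active or now >= d.expires_at:   # step 3: ends with the session
        return Cap(0)
    return d.caps & d.grantor.caps   # the grantor's current caps bound the result
```

Because `effective_caps` intersects with the grantor's capabilities at use time, revoking a capability from the grantor also removes it from every outstanding delegation.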

Challenge 2: Add Attribute-Based Conditions

Extend the access control system with attribute-based conditions:

  1. Device location (indoor/outdoor/restricted area)
  2. Network connection type (WiFi/cellular/wired)
  3. Device health status (normal/degraded/compromised)
  4. Combine multiple attributes using AND/OR logic

Challenge 3: Implement Separation of Duties

For critical operations (firmware update, user deletion), require approval from two different administrators:

  1. First admin initiates the operation
  2. System waits for second admin approval (different user)
  3. Both approvals must occur within a time window
  4. Either admin can cancel the pending operation
  5. Log the full approval chain

Challenge 4: Add Token Binding

Implement token binding to prevent token theft:

  1. Bind tokens to device fingerprint (MAC address, hardware ID)
  2. Validate binding on every token use
  3. Alert on binding mismatch (possible token theft)
  4. Allow secure token migration with re-binding

21.11 Expected Outcomes

After completing these knowledge checks and challenges, you should be able to:

| Concept | Demonstration | Real-World Application |
|---|---|---|
| Capability Flags | Fine-grained permission checking with bit operations | Linux file permissions, AWS IAM policies |
| Token Lifecycle | Issue, validate, refresh, revoke tokens | OAuth 2.0, JWT tokens |
| Session Management | Time-limited sessions with idle detection | Web applications, enterprise systems |
| Privilege Escalation Prevention | Detect and block unauthorized capability expansion | Unix sudo, Windows UAC |
| Time-Based Access | Restrict access to specific hours | Business hours policies, maintenance windows |
| Audit Logging | Complete security event trail | SIEM systems, compliance requirements |

21.12 Summary

These knowledge checks test critical security concepts:

  1. Token Lifecycle: Understanding refresh limits, expiration, and validity windows
  2. Credential Security: API keys vs tokens, hardcoding risks, secure storage
  3. Session Management: Idle timeouts vs maximum duration, walk-away attack prevention
  4. OAuth Flows: Device Authorization Grant for input-constrained IoT devices
  5. AAA Framework: Distinguishing authentication, authorization, and accounting
  6. Privilege Management: Escalation detection, capability boundaries

21.13 What’s Next

After completing these challenges, you have mastered enterprise-grade access control patterns. You can:

Or return to the Advanced Access Control Lab Overview.