Rule-Based Security Policy

Rule-Based Security Policy definition in Computer Security terms:

Acronym(s): None

Definition(s): A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access.
Source(s): CNSSI 4009-2015 (Adapted from NIST SP 800-33)
NIST SP 800-33

Synonym(s): Discretionary Access Control
A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
Source(s): NIST SP 800-53 Rev. 4 An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability.
Source(s): NIST SP 800-53 Rev. 4 CNSSI 4009-2015


reference: CSRC Glossary