CISA Protection of Information Assets 48/60

Access Control Concepts

01 WHAT

Access control is the set of policies, mechanisms, and procedures that regulate which subjects — users, processes, or systems — can access which objects — files, databases, systems, or network resources — and what operations they may perform on those objects. The three fundamental access control models are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC), each differing in who sets access permissions and on what basis. Effective access control enforces the principles of least privilege and need-to-know, ensuring that subjects have only the minimum access required to perform their authorized functions. Access control is a foundational information protection control and a primary target of IS audit procedures.

Boundaries

  • IS: A set of technical and administrative controls that authenticate identity, authorize permitted actions, and enforce separation of duties across information systems and physical environments.
  • IS NOT: A single technology or product; access control is a layered architecture spanning identity management, authentication mechanisms, authorization policies, and audit logging.
02 WHY

Inadequate access control is one of the most frequently exploited attack surfaces in enterprise environments — excessive privileges, dormant accounts, and missing segregation of duties directly enable unauthorized data access, fraud, and ransomware lateral movement. Regulatory frameworks including SOX, HIPAA, and PCI DSS mandate specific access control requirements, making deficiencies a direct compliance liability.

Who this affects

  • IS Auditor: The auditor reviews user access listings, role assignments, and access provisioning and de-provisioning processes to identify segregation-of-duties conflicts, excessive privilege grants, and inactive accounts — each is a potential audit finding with control-weakness implications.
  • Information Security Manager: The security manager is responsible for designing and enforcing access control policies, conducting periodic access reviews, and ensuring that identity governance processes remove access promptly when employment or role changes occur.
03 HOW

Access control is implemented through a layered stack: identity management systems provision and de-provision accounts; authentication mechanisms — passwords, MFA, certificates — verify claimed identities; authorization engines enforce role or attribute-based permission policies; and audit logs capture every access event for monitoring and forensic review. Periodic user access reviews (often quarterly or annually) compare actual access grants against job requirements and remove excess privileges. Privileged access management (PAM) tools add an additional control layer for administrative and service accounts that carry elevated risk.
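The periodic user access review described above can be reduced to a small, repeatable check. The following is an added example, not code from the page or from any CISA material: it compares each account's actual entitlements against a role-to-entitlement matrix, flags segregation-of-duties conflicts, and flags dormant or post-separation accounts. The role matrix, SoD rule pairs, 90-day dormancy threshold and account extract are all constructed assumptions for the example.

```python
"""Added example: a minimal user access review over a constructed access listing.

Produces the same classes of finding the HOW section names: excess privilege,
segregation-of-duties conflict, dormant account, and account left enabled after
separation. All reference data and accounts below are assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed role-to-entitlement matrix: what each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp.vendor.create", "erp.invoice.enter"},
    "ap_manager": {"erp.payment.approve", "erp.invoice.view"},
    "dba":        {"db.prod.admin", "db.prod.read"},
}

# Assumed segregation-of-duties rules: no single account may hold both sides.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("erp.vendor.create", "erp.payment.approve"),
    ("erp.invoice.enter", "erp.payment.approve"),
]

DORMANT_AFTER_DAYS = 90          # assumed review threshold
REVIEW_DATE = date(2024, 6, 1)   # assumed "as of" date for the review


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]
    active_employee: bool


@dataclass
class Finding:
    user_id: str
    kind: str      # "excess", "sod", "dormant" or "terminated"
    detail: str


def excess_privileges(acct: Account) -> Set[str]:
    """Entitlements held that the account's role does not justify."""
    return acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())


def sod_violations(acct: Account) -> List[Tuple[str, str]]:
    """SoD pairs where the account holds both conflicting entitlements."""
    return [pair for pair in SOD_CONFLICTS
            if pair[0] in acct.entitlements and pair[1] in acct.entitlements]


def is_dormant(acct: Account, as_of: date, threshold_days: int = DORMANT_AFTER_DAYS) -> bool:
    """True if the account never logged in or its last login is older than the threshold."""
    if acct.last_login is None:
        return True
    return (as_of - acct.last_login) > timedelta(days=threshold_days)


def run_access_review(accounts: List[Account], as_of: date) -> List[Finding]:
    """Evaluate every account and return the list of review findings, in account order."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.active_employee:
            findings.append(Finding(a.user_id, "terminated", "account still enabled after separation"))
        for ent in sorted(excess_privileges(a)):
            findings.append(Finding(a.user_id, "excess", f"{ent} not justified by role {a.role}"))
        for left, right in sod_violations(a):
            findings.append(Finding(a.user_id, "sod", f"holds both {left} and {right}"))
        if is_dormant(a, as_of):
            findings.append(Finding(a.user_id, "dormant", f"no login within {DORMANT_AFTER_DAYS} days"))
    return findings


# Constructed sample extract of an access listing (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("u001", "ap_clerk",   {"erp.vendor.create", "erp.invoice.enter"}, date(2024, 5, 20), True),
    Account("u002", "ap_clerk",   {"erp.vendor.create", "erp.invoice.enter", "erp.payment.approve"}, date(2024, 5, 28), True),
    Account("u003", "dba",        {"db.prod.admin", "db.prod.read"}, date(2023, 11, 1), True),
    Account("u004", "ap_manager", {"erp.payment.approve", "erp.invoice.view"}, date(2024, 5, 30), False),
]


def review_sample() -> List[Finding]:
    """Run the review over the constructed extract as of REVIEW_DATE."""
    return run_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.user_id:5} {f.kind:10} {f.detail}")
```

Each finding maps to a remediation item an access review would raise: the clerk who was granted payment approval shows up both as excess privilege against the role matrix and as two SoD conflicts, the DBA account with no login in over 90 days is a dormancy candidate, and the manager account left enabled after separation is a de-provisioning failure. In practice the role matrix and SoD rules would come from the organization's role catalogue rather than be hard-coded.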

Feedback loops

  • Access review findings generate remediation work orders that reduce standing privilege exposure, and the completion rate of those remediations is tracked as a security KPI.
  • Security incident investigations revealing improper access feed back into policy updates and trigger out-of-cycle access certification campaigns.
04 WHERE

Applicability conditions, prerequisites, and boundary environments

05 WHEN

Trigger events, decision context, and timing patterns

06 APPLY

Structured practice exercise with assessment rubric
