
Access Control

Access control is the set of technical and administrative mechanisms that ensure only authorized subjects can view, use, or modify specific systems, data, and resources in line with defined security policies.

Expanded Explanation

1. Technical Function and Core Characteristics

Access control enforces who can access which resources, under what conditions, and with which permitted actions such as read, write, or execute. It operates through identification, authentication, authorization, and accountability mechanisms implemented in hardware, software, and administrative controls.

Common models include discretionary, mandatory, role-based, attribute-based, and rule-based access control, each using different policy structures and enforcement methods. Core characteristics include policy definition, policy decision, and policy enforcement components that operate together to restrict access to approved subjects.

2. Enterprise Usage and Architectural Context

Enterprises implement access control across operating systems, databases, applications, APIs, networks, physical facilities, and cloud environments. Centralized identity and access management platforms often coordinate policies across directories, Single Sign-On (SSO) services, privileged access tools, and federation technologies.

Architectures typically separate policy decision points from policy enforcement points to support consistent authorization across distributed systems. Access control also integrates with logging, Security Information and Event Management (SIEM), and Governance, Risk, and Compliance (GRC) platforms for monitoring and audit.
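The separation of policy decision point and policy enforcement point described above, as an added example that is not part of the original page. The role names, the managed-device rule, and the in-memory audit list (standing in for a SIEM forwarder) are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Constructed policy: role -> resource type -> permitted actions (role-based part).
ROLE_PERMISSIONS = {
    "analyst": {"report": {"read"}},
    "dba": {"report": {"read"}, "database": {"read", "write"}},
}

@dataclass(frozen=True)
class Request:
    subject: str
    roles: tuple
    action: str
    resource_type: str
    attributes: dict  # request context used by the attribute-based condition

class PolicyDecisionPoint:
    """Evaluates policy only; it never touches the protected resource."""
    def decide(self, req):
        granted = any(
            req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource_type, set())
            for role in req.roles
        )
        if not granted:
            return False, "no role grants this action"  # deny by default
        # Assumed attribute rule: writes are only allowed from managed devices.
        if req.action == "write" and not req.attributes.get("managed_device", False):
            return False, "write requires managed device"
        return True, "permitted by role"

class PolicyEnforcementPoint:
    """Sits in front of the resource, asks the PDP, and records every decision."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.audit_log = []  # constructed stand-in for log/SIEM export

    def access(self, req, operation):
        permit, reason = self.pdp.decide(req)
        self.audit_log.append(json.dumps({
            "subject": req.subject, "action": req.action,
            "resource_type": req.resource_type,
            "decision": "permit" if permit else "deny", "reason": reason,
        }))
        if not permit:
            raise PermissionError(reason)  # the operation is never invoked
        return operation()
```

Because the audit entry is written before the decision is enforced, denied attempts are recorded alongside permitted ones.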

3. Related or Adjacent Technologies

Access control relates closely to identity management and to Authentication, Authorization, and Accounting (AAA) functions. It depends on reliable identity proofing, credential management, and session management to bind access decisions to verified users, services, or devices.

Adjacent technologies include public key infrastructures, directory services, endpoint security agents, network segmentation, zero trust architectures, and data security controls such as encryption and Data Loss Prevention (DLP). These components support or complement access control policies and enforcement.

4. Business and Operational Significance

Access control supports regulatory compliance, data protection, segregation of duties, and least privilege objectives in enterprises. It reduces unauthorized exposure of systems and data and constrains the actions that internal and external users can perform.

Organizations use access control to align technical permissions with organizational roles, contractual obligations, and regulatory requirements. It also provides audit trails that support incident response, forensic analysis, and verification of policy adherence.