Access Control — Enforcing Who Can Access What in a System
Access Control is the security discipline that defines and enforces who can access systems, data, and resources. This SECMONS glossary entry explains access control models, common failures, and how broken enforcement leads to major security incidents.
What Is Access Control? 🧠
Access Control is the process of defining and enforcing policies that determine which users, systems, or processes are allowed to access specific resources.
It builds directly on the distinction between:
- /glossary/authentication-vs-authorization/
- Identity verification mechanisms
- Permission enforcement models
Access control is not just about login security — it governs every action performed after authentication.
Core Access Control Models 🔎
Several structured models are commonly used in enterprise systems:
| Model | Description |
|---|---|
| DAC (Discretionary Access Control) | Resource owners define access permissions |
| MAC (Mandatory Access Control) | Central authority enforces strict policy rules |
| RBAC (Role-Based Access Control) | Permissions assigned based on roles |
| ABAC (Attribute-Based Access Control) | Access determined by attributes and policies |
Modern applications frequently rely on RBAC or ABAC models.
Why Access Control Matters 🎯
Weak access control enforcement is one of the most common causes of security incidents.
Failures may enable:
- /glossary/insecure-direct-object-reference/
- Unauthorized API access
- Privilege escalation
- Data exposure
- Internal lateral expansion
Even when authentication is strong — including /glossary/multi-factor-authentication/ — improper access control can result in large-scale breaches documented under /breaches/.
Broken Access Control 🔬
Broken access control typically occurs when:
- Permissions are not validated server-side
- Excessive privileges are granted
- Authorization checks are inconsistent
- Hidden form fields are trusted
- API endpoints lack proper role enforcement
- Administrative functions are exposed without strict validation
Such flaws may not appear under traditional memory vulnerabilities listed in /vulnerabilities/, but their operational impact can be severe.
Access Control in the Attack Lifecycle 🔄
Access control weaknesses can influence multiple stages:
- Enable /glossary/initial-access/ via exposed interfaces
- Facilitate /glossary/privilege-escalation/
- Allow unchecked /glossary/lateral-movement/
- Expose sensitive data for /glossary/data-exfiltration/
In many cases, attackers exploit logical access flaws rather than technical memory corruption vulnerabilities.
Principle of Least Privilege 🛡️
The Principle of Least Privilege (PoLP) states that users and systems should only have the minimum permissions necessary to perform their function.
Enforcing least privilege reduces:
- Blast radius after compromise
- Impact of stolen credentials
- Lateral movement opportunities
- Persistence risk
Defensive Considerations 🛡️
Strengthening access control requires:
- Clear role definitions
- Periodic permission audits
- Strict server-side validation
- Separation of duties
- Logging and monitoring privilege changes
- Continuous identity governance
Operational hardening practices are typically documented under:
Why SECMONS Treats Access Control as Foundational 📌
Access control is one of the most critical defensive layers.
Technical vulnerabilities may open the door, but broken access control determines how far attackers can go once inside.
Understanding and enforcing structured access policies is essential for resilient security architecture.
Authoritative References 📎
- NIST Access Control Framework: https://csrc.nist.gov/
- OWASP Broken Access Control Documentation: https://owasp.org/