Access Control Policy
An Access Control Policy is a foundational set of rules in information security that dictates who or what is allowed to access specific resources and what actions they are permitted to perform. It defines permissions for subjects (like users or processes) over objects (like files or applications), forming the basis for system authorization and enforcing the principle of least privilege.
Definitions
Core Definition
An Access Control Policy is a formal, documented set of rules that specifies how a system grants or denies access to its resources. It is the implementation of an organization's security requirements, translating high-level goals into enforceable system-level controls. The policy defines the relationship between three core components:
- Subjects: The active entities that request access. These can be users, applications, processes, or other systems.
- Objects: The passive resources that require protection. These include files, databases, servers, APIs, or specific data fields.
- Operations: The actions that a subject can perform on an object, such as read, write, execute, delete, or modify.
A well-designed Permission Policy is fundamental to upholding the CIA Triad of information security: Confidentiality (preventing unauthorized disclosure), Integrity (preventing unauthorized modification), and Availability (ensuring resources are accessible to authorized users).
Types of Access Control Policies
Access Control Policies are implemented through various models, each with different strengths and use cases. The choice of model depends on the security requirements of the system.
Discretionary Access Control (DAC) In a DAC model, the owner of an object has the discretion to grant or deny access to other subjects. It is the most flexible model and is the default in mainstream operating systems (Unix and Linux file permission bits, Windows NTFS ACLs). Its weakness is the flip side of that flexibility: any process running under the owner's identity can change the object's permissions, so DAC cannot contain a malicious or compromised program that runs as the owner.
- Example: On a Linux system, the owner of a file can use the chmod command to set read, write, and execute permissions for themselves, their group, and others.
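The following is an added example, not code from the original page: it models how a Unix-style DAC check resolves a process's uid and gids against a file's owner, group and mode bits, and why only the owner may chmod. The file record and the uids/gids are constructed sample data, and root's ability to override DAC (CAP_DAC_OVERRIDE) is deliberately not modelled.

```python
import stat

# Constructed sample: a file owned by uid 1000 / gid 100 with mode 0640 (rw-r-----).
SAMPLE_FILE = {"uid": 1000, "gid": 100, "mode": 0o640}

# Bit masks for each permission class, the same constants chmod and stat(2) use.
_CLASS_BITS = {
    "owner": {"read": stat.S_IRUSR, "write": stat.S_IWUSR, "execute": stat.S_IXUSR},
    "group": {"read": stat.S_IRGRP, "write": stat.S_IWGRP, "execute": stat.S_IXGRP},
    "other": {"read": stat.S_IROTH, "write": stat.S_IWOTH, "execute": stat.S_IXOTH},
}


def permission_class(file, uid, gids):
    """Pick the single class the kernel consults: owner beats group beats other.
    Only one class is ever consulted, so an owner denied by the owner bits is
    denied even if the 'other' bits would have allowed the access."""
    if uid == file["uid"]:
        return "owner"
    if file["gid"] in gids:
        return "group"
    return "other"


def dac_allows(file, uid, gids, operation):
    """Classic Unix DAC decision for 'read', 'write' or 'execute'.
    Root's CAP_DAC_OVERRIDE bypass is not modelled here."""
    cls = permission_class(file, uid, gids)
    return bool(file["mode"] & _CLASS_BITS[cls][operation])


def chmod(file, new_mode, uid):
    """Only the owner may change the mode: that is what makes the model discretionary."""
    if uid != file["uid"]:
        raise PermissionError("only the owner can chmod this file")
    file["mode"] = new_mode


if __name__ == "__main__":
    print(dac_allows(SAMPLE_FILE, 1000, {100}, "write"))   # owner: True
    print(dac_allows(SAMPLE_FILE, 2000, {100}, "read"))    # group member: True
    print(dac_allows(SAMPLE_FILE, 3000, {200}, "read"))    # everyone else: False
```

The owner-precedence rule in permission_class is the detail that trips people up in audits: a mode such as 0007 locks the owner out while leaving the file world-readable.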
Mandatory Access Control (MAC) In a MAC model, a central authority controls access based on security labels that neither the object's owner nor the subject can change. Both subjects (users, processes) and objects (files) carry a label, classically a sensitivity level (e.g., Unclassified, Confidential, Secret) plus optional need-to-know categories. In the Bell-LaPadula formulation, a subject may read an object only if the subject's label dominates the object's (no read up), and may write to an object only if the object's label dominates the subject's (no write down); the second rule is what stops a process with Secret clearance from copying data into an Unclassified file. The model is rigid and originated in military and government systems, but MAC enforcement is now standard on mainstream platforms as well.
- Example: SELinux (Security-Enhanced Linux) is an implementation of MAC for the Linux kernel, shipped by default on Red Hat-family distributions and Android. Its primary mechanism is type enforcement (rules over process and file types); multi-level security labels of the Bell-LaPadula kind are an optional layer on top.
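As an added example (not SELinux code, and not from the original page), the block below implements the Bell-LaPadula read and write rules over a label lattice of sensitivity levels and need-to-know categories. The level names and the category sets are constructed for illustration; the dominance relation and the two properties are the standard ones.

```python
from dataclasses import dataclass

# Linear ordering of sensitivity levels, lowest to highest (constructed sample).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments, e.g. {"NATO"}

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND a superset of
        the other label's categories. Two labels can be incomparable."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def blp_allows(subject, obj, operation):
    """Bell-LaPadula decision.
    read      : simple security property, no read up  (subject dominates object)
    write     : *-property, no write down               (object dominates subject)
    readwrite : both at once, which forces the labels to be equal
    Note that a pure write to a higher-labelled object ('blind write-up') is
    permitted by the model even though the writer can never read it back."""
    if operation == "read":
        return subject.dominates(obj)
    if operation == "write":
        return obj.dominates(subject)
    if operation == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {operation!r}")


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"NATO"}))
    report = Label("Confidential")
    print(blp_allows(analyst, report, "read"))   # True: read down
    print(blp_allows(analyst, report, "write"))  # False: write down is blocked
```

Real MLS deployments usually disable the blind write-up that the model permits, because a process that cannot read a file can still corrupt it; integrity is Biba's concern, not Bell-LaPadula's.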
Role-Based Access Control (RBAC) RBAC is a widely used Authorization Policy that manages access based on the roles of individuals within an organization. Permissions are associated with roles, and users are assigned to roles. This simplifies administration, as permissions can be updated for an entire group of users by modifying a single role.
- Example: In a content management system, roles might include 'Administrator' (can do everything), 'Editor' (can create and publish content), and 'Contributor' (can create drafts but not publish).
Attribute-Based Access Control (ABAC) Also known as Policy-Based Access Control (PBAC), ABAC is the most dynamic and granular model. Access decisions are made by evaluating policies against a set of attributes. These attributes can relate to the user (e.g., role, department, security clearance), the resource (e.g., data sensitivity, creation date), the environment (e.g., time of day, location), and the requested action.
- Example: An ABAC policy might state: "Allow users with the 'Doctor' role to 'view' 'Medical Records' if the record belongs to a patient in their assigned ward and the access request originates from within the hospital's network during work hours."
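To make the RBAC and ABAC descriptions above concrete, here is an added example (not from the original page or any particular product) that implements both the CMS role table and the doctor / medical-record rule as deny-by-default decision functions. The users, roles, ward names, the 10.20.0.0/16 hospital network and the 08:00-17:59 working hours are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# --- RBAC: permissions attach to roles, users attach to roles ----------------
ROLE_PERMISSIONS = {
    "Administrator": {"create", "publish", "delete", "manage_users"},
    "Editor": {"create", "publish"},
    "Contributor": {"create"},
}
USER_ROLES = {  # constructed sample assignments
    "alice": {"Administrator"},
    "bob": {"Editor"},
    "carol": {"Contributor"},
}


def rbac_allows(user, operation):
    """Union of the permissions of every role the user holds.
    Unknown users and unknown roles contribute nothing, so the default is deny."""
    permitted = set()
    for role in USER_ROLES.get(user, ()):
        permitted |= ROLE_PERMISSIONS.get(role, set())
    return operation in permitted


# --- ABAC: the doctor / medical-record rule from the text ---------------------
HOSPITAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range
WORK_HOURS = range(8, 18)                             # assumed 08:00-17:59


def abac_allows(subject, resource, action, env):
    """Evaluate: allow 'Doctor' to 'view' a MedicalRecord of a patient in the
    doctor's own ward, from inside the hospital network, during work hours.
    subject/resource are attribute dicts; env carries the request context with
    'source_ip' as a string and 'time' as an ISO 8601 timestamp string.
    Every clause must hold; a missing attribute evaluates to a deny."""
    when = datetime.fromisoformat(env["time"])
    clauses = [
        subject.get("role") == "Doctor",
        action == "view",
        resource.get("type") == "MedicalRecord",
        resource.get("ward") is not None and resource.get("ward") == subject.get("ward"),
        ipaddress.ip_address(env["source_ip"]) in HOSPITAL_NET,
        when.hour in WORK_HOURS,
    ]
    return all(clauses)


if __name__ == "__main__":
    doctor = {"role": "Doctor", "ward": "3B"}
    record = {"type": "MedicalRecord", "ward": "3B", "patient": "p-001"}
    env = {"source_ip": "10.20.5.7", "time": "2024-03-04T10:30:00"}
    print(rbac_allows("bob", "publish"))                   # True
    print(abac_allows(doctor, record, "view", env))        # True
```

The difference between the two is visible in the function signatures: rbac_allows needs only the user and the operation, whereas abac_allows cannot decide without the resource's attributes and the request context, which is why ABAC deployments need a policy decision point fed by trustworthy attribute sources.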
Origin & History
Etymology
The term is a composite of 'Access' (the ability to approach or use), 'Control' (to manage or regulate), and 'Policy' (a set of rules). It literally means a set of rules to regulate access.
Historical Context
The concept of access control is as old as multi-user computing. In the 1960s and 1970s, early operating systems like Multics pioneered foundational ideas, including the Access Control List (ACL), to manage file permissions among different users. During the Cold War, the need for stricter controls in military and government systems led to the development of formal models. The Bell-LaPadula model (1973) became the cornerstone of Mandatory Access Control (MAC), where access is dictated by security clearances and data classifications (e.g., Top Secret, Secret). This was a stark contrast to the more common Discretionary Access Control (DAC) model used in systems like Unix, where file owners could set permissions themselves. As businesses and enterprises grew in complexity, managing individual user permissions became unscalable. This led to the formalization of Role-Based Access Control (RBAC) in the 1990s. RBAC simplified administration by grouping permissions into roles, making it the de facto standard for enterprise applications. More recently, the rise of dynamic, distributed systems has popularized Attribute-Based Access Control (ABAC), a more granular and context-aware **Authorization Policy** that makes decisions based on a wide range of attributes.
Usage Examples
To comply with GDPR, the security team implemented a strict Access Control Policy that limits access to customer data to authorized personnel only.
The system administrator configured the firewall's Access Control Policy to block all incoming traffic except from trusted IP addresses.
Our new cloud application relies on a sophisticated Authorization Policy to manage permissions for thousands of users across different subscription tiers.
A well-defined Security Policy is crucial for preventing unauthorized modifications to critical system files.
Frequently Asked Questions
What is the primary purpose of an Access Control Policy?
The primary purpose of an Access Control Policy is to ensure that every access to a protected resource is an authorized one, and the design principle it should embody is least privilege: users, programs, and systems are granted only the minimum access needed to perform their specific job functions, and nothing by default. By limiting access rights in this way, the policy bounds the damage from accidental misuse, malicious attacks, or compromised credentials, since an attacker who takes over an account or process inherits only the permissions that account or process actually needed.
What are the three most common types of access control models?
The three most common models are:
- Discretionary Access Control (DAC): The resource owner determines who can access their resources. It's flexible but less centralized.
- Mandatory Access Control (MAC): A central authority manages access based on security labels (e.g., clearance levels). It's very rigid and used in high-security environments.
- Role-Based Access Control (RBAC): Access is assigned to roles (e.g., 'Administrator', 'Editor'), and users are then assigned to those roles. This simplifies management in large organizations.