eastbaycyber

Access Control: Definition, How It Works, and Where You’ll See It

Glossary 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Access control is the set of rules and mechanisms that determine whether a user, device, or service is allowed to access a resource and what actions they can take. In practice, it combines identity verification (authentication) with permission decisions (authorization) and technical enforcement.

Access control is the security discipline that decides who can access what, which actions they can take, and under which conditions—across apps, networks, cloud, and data. In practice, access control combines authentication (proving identity), authorization (permission decisions like RBAC/ABAC), and policy enforcement + logging so decisions are applied and auditable.

How access control works

Access control isn’t one feature—it’s a chain of components that must align. A strong system is explicit about who is requesting, what they want, where/how they’re requesting from, and how the decision is enforced and recorded.

1) Identify the subject and the resource

  • Subject: the actor requesting access (human user, service account, workload identity, device).
  • Resource (object): what’s being accessed (file share, database table, API endpoint, SaaS tenant, cloud bucket, VPN, admin console).
  • Action: read, write, delete, execute, list, administer, approve, export, etc.

Many failures happen because the “resource” is defined too broadly (“all S3 buckets”) or the “action” set is excessive (granting write/delete when read is sufficient).

2) Authenticate (AuthN): prove who/what you are

Authentication establishes the subject’s identity. Common methods:

  • Passwords (still common, but fragile if reused/phished)
  • MFA (TOTP, push, FIDO2/WebAuthn)
  • Certificates / mTLS (often for devices/services)
  • SSO using an identity provider (IdP) and protocols like SAML/OIDC

Authentication answers: Is this really Alice (or this service)?
It does not answer: Should Alice be allowed to do this?

Practical tip: improving authentication often starts with credential hygiene. For many small teams, adopting a business password manager can reduce password reuse and support MFA/SSO workflows—see our guide to the best password manager for small business: password manager for small business 2026. If you’re evaluating tools, 1Password Business is a common choice; you can check current plans here: Try 1Password →.

3) Authorize (AuthZ): decide what you’re allowed to do

Authorization is the decision point: allow/deny based on permissions and conditions.

Common authorization models:

  • DAC (Discretionary Access Control): resource owners decide access (typical UNIX file permissions and many file shares).
  • MAC (Mandatory Access Control): centrally enforced labels/clearances (e.g., SELinux concepts; common in high-assurance environments).
  • RBAC (Role-Based Access Control): permissions are grouped into roles (e.g., “HR-Reader,” “Billing-Admin”) assigned to identities.
  • ABAC (Attribute-Based Access Control): decisions use attributes and policies (user attributes, device posture, location, resource tags, time).
  • ReBAC (Relationship-Based Access Control): decisions based on relationships (common in collaboration apps: “owner,” “member of project X”).

Most organizations use RBAC for manageability plus ABAC-like conditions for extra control (e.g., “admin actions require compliant device + MFA”).

4) Evaluate policies at a decision point

A typical architecture includes:

  • Policy Decision Point (PDP): evaluates rules and context.
  • Policy Enforcement Point (PEP): enforces the allow/deny (API gateway, reverse proxy, OS kernel, database engine, cloud control plane).
  • Policy Administration Point (PAP): where policies/roles are defined (IAM console, directory groups, config repo).
  • Policy Information Point (PIP): provides context (group membership, device compliance, geo/IP reputation, resource tags).

A good mental model: authn proves identity → authorization evaluates policy → enforcement gates access → logging records the outcome.

5) Enforce and log decisions

Enforcement can happen at multiple layers:

  • Network: segmentation, firewall rules, VPN/ZTNA policies
  • Application: API authorization checks, admin feature gating
  • Data: database roles, row-level security, object ACLs
  • Endpoint/OS: file permissions, process constraints

Logging is part of access control because it enables: - auditing (“who accessed what?”), - detection (“impossible travel / unusual admin activity”), and - response (“revoke sessions/tokens”).

Technical notes: common verification steps (CLI + log patterns)

Linux: check file permissions and effective access

# Show file mode bits and owner/group
ls -l /path/to/file

# Show ACLs (more granular than mode bits)
getfacl /path/to/file

# Show which groups your user is effectively in
id
groups

# Test access as another user (careful in production)
sudo -u someuser cat /path/to/file

Windows: inspect effective access (PowerShell)

# View ACL on a file/folder
Get-Acl "C:\Sensitive\Data" | Format-List

# Check local group memberships
whoami /groups

Web/API authorization failures: typical log indicators - HTTP status codes: 401 Unauthorized (authn missing/invalid) vs 403 Forbidden (authz denied) - Log phrases: access denied, permission denied, not authorized, insufficient privileges, token missing scope

Example grep for frequent denies (Linux app logs):

grep -E "403|permission denied|not authorized|access denied" /var/log/app/*.log | tail -n 50

Cloud IAM quick checks (generic) - Look for overly broad grants: *:*, AdministratorAccess, “Owner” at the tenant/project level. - Ensure sensitive actions require conditions: MFA, device compliance, IP allowlists, approval workflow.

(Exact commands vary by provider; the key is to review role bindings and policy conditions.)

6) Manage the lifecycle: provisioning, changes, and revocation

Access control must handle real-world change:

  • Joiner/mover/leaver: new hires, role changes, terminations
  • Temporary access: break-glass admin, incident response, vendor access
  • Session/token revocation: invalidate sessions on termination or credential compromise
  • Periodic reviews: attestations/access recertification (especially for regulated environments)

This is where many programs fail: permissions accumulate (“privilege creep”), shared accounts persist, and stale tokens remain valid.

Where you’ll encounter access control

Access control is everywhere; you’ll run into it anytime a system needs to decide “allow or deny.”

Identity and SaaS administration (IAM/SSO)

  • Assigning roles in Microsoft 365, Google Workspace, Slack, GitHub, Jira, etc.
  • Enforcing MFA for admins and high-risk actions
  • Controlling third-party OAuth app access (“allowlist apps”)

What to do next (practitioner checklist): - Separate admin accounts from daily-use accounts. - Enforce phishing-resistant MFA for privileged roles. - Review who can grant roles and who can create OAuth apps.

Cloud platforms and infrastructure

  • Cloud IAM roles/policies (project/subscription/account-level)
  • Storage bucket permissions (public exposure is a classic issue)
  • Service-to-service access (workload identities, instance profiles)

What to do next: - Remove broad “Owner/Admin” assignments; replace with task roles. - Require conditions for sensitive operations (MFA, source IP, device posture). - Monitor for changes to IAM policies and role bindings.

Network access (VPN, ZTNA, segmentation)

  • VPN group-based access to subnets
  • Zero Trust Network Access policies per app
  • NAC controls for device compliance

What to do next: - Prefer app-level access over flat network access. - Use device compliance signals (managed, patched, encrypted). - Log and alert on new admin logins and unusual geo/IP.

Tooling note (optional): VPNs don’t replace authorization inside apps, but they can reduce exposure of admin surfaces and internal services. If you need a straightforward business-friendly VPN option for remote access, you can review providers like NordVPN or Surfshark here: Check NordVPN pricing → and Try Proton VPN →.

Applications and APIs

  • API gateways checking JWT scopes/claims
  • Admin portals enforcing “can manage users” vs “can view reports”
  • Database access via application roles (not shared DB admin users)

What to do next: - Treat authorization as code: review it like any security-critical logic. - Ensure least privilege scopes for tokens and service accounts. - Validate both server-side and in every sensitive endpoint (don’t trust UI checks).

If your team works with indicators from auth logs (e.g., suspicious tokens, failed logins, unexpected admin actions), it helps to align on terminology like what constitutes an IOC; see: what is an ioc.

Data protection and compliance

  • Who can export customer lists, payroll files, or PHI
  • Row-level security in analytics tools
  • DLP policies tied to user roles/groups

What to do next: - Reduce “export” and “download” rights; add approvals where needed. - Apply sensitivity labels/tags and use them in policy. - Audit access to crown-jewel datasets.

Common access control pitfalls (and quick fixes)

Over-permissioned roles and privilege creep

Pitfall: “Temporary” admin becomes permanent; broad roles proliferate.
Fix: define job roles, use time-bound elevation, and run quarterly access reviews.

Missing enforcement at the application layer

Pitfall: UI hides buttons, but APIs still allow the action.
Fix: enforce authorization on the server for every sensitive endpoint.

Weak endpoint security undermines access decisions

Pitfall: a compromised device can reuse valid sessions/tokens.
Fix: add device posture checks, EDR, and session revocation. If you’re evaluating endpoint protection, compare options in our Windows business endpoint guide: best antivirus for windows business endpoints 2026. (For an example of an endpoint security tool, you can view Malwarebytes here: Get Malwarebytes →.)

Related terms

Authentication (AuthN)

verifying identity (passwords, MFA, certificates, SSO).

Authorization (AuthZ)

determining permissions; what actions are allowed.

RBAC (Role-Based Access Control)

permissions grouped into roles assigned to users.

ABAC (Attribute-Based Access Control)

policy decisions based on attributes and context.

ACL (Access Control List)

a list of permissions attached to a resource (files, network objects).

PAM (Privileged Access Management)

controls for admin and high-risk access (vaulting, approvals, session recording).

Zero Trust

“never trust, always verify”; continuously evaluate identity, device, and context—not just network location.

Segregation of duties (SoD)

preventing toxic combinations of permissions (e.g., create vendor + approve payment).

Break-glass access

tightly controlled emergency access path for incidents.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.