Overview
Access Control (or Privilege Management) is a process in which an Authoritative Entity (Trustor) grants a permission to a Trustee.[1]
Access Control is typically implemented within an Access Control Service
The action of Access Control may be referred to as Resource Provisioning
Access Control may (and probably should) use a Policy Based Management System
Access Control Importance
Access Control is the primary reason we perform all of the following activities: authentication, authorization and Auditing.
Access Control Process
Access Control is defined within an Access Control Policy and enforced by a Policy Enforcement Point based on the decision from the Policy Decision Point, which has acquired the policy from a Policy Retrieval Point and the attributes it needs from Policy Information Points.
The term Logical Access Control originated as the digital counterpart to Physical Access Control.
Access Control Models describe the approaches used for the implementation of Access Control.
Within an LDAP server, Access Control provides a mechanism for restricting who can get access to various kinds of data within the DIT.
The Access Control provider may be used to control a number of things, including:
- Whether or not a DUA can retrieve an LDAP Entry from the DIT.
- Which attributes within the LDAP Entry the DUA is allowed to retrieve.
- Which values of an attribute the DUA is allowed to retrieve.
- The ways in which the DUA is able to manipulate the DIB (add, modify, delete or rename entries).
A number of things can be taken into account when making Access Control decisions, including:
- The DN as whom the user is authenticated.
- The Authentication Method by which the client authenticated to the DSA.
- Any groups in which that user is a member.
- The contents of the LDAP Entry as which the DUA authenticated.
- The contents of the Target Resource LDAP Entry.
- The address of the DUA system.
- Whether or not the communication between the client and server is secure.
- The time of day and/or day of week of the attempt.
See the documentation for details on the Access Control syntax used by your LDAP Server Implementation vendor. OpenDS, one implementation we are aware of, also provides a Privilege Management Infrastructure that can be used to control what a user is allowed to do. One of the privileges available is the "bypass-acl" privilege, which allows the holder to bypass any restrictions that the Access Control subsystem would otherwise enforce. Because it removes every entry-level and attribute-level restriction at once, it should be granted to as few accounts as possible and its use should be audited.
The following definitions are taken from RFC 4949 (Internet Security Glossary, Version 2):
1. (I) Protection of system resources against unauthorized access.
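The decision flow described under Access Control Process (the enforcement point asking a decision point, which consults policy and information points) and the LDAP decision factors listed above, as an added Python example that is not OpenDS code or any other directory server's code. The rule dictionaries, entry data and DNs are constructed samples that approximate, but do not reproduce, OpenDS ACI semantics: a rule applies only when all of its bind conditions hold, an applicable deny beats any allow, no matching rule means deny, and a DUA holding the assumed "bypass-acl" privilege skips the ACL evaluation entirely.

```python
"""Toy LDAP-style access-control decision point (added example, not OpenDS code).
Models the factors on this page: bind DN, authentication method, groups, target
entry, client address, TLS, time of day, and an OpenDS-like bypass-acl privilege."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

ALICE = "uid=alice,ou=people,dc=example,dc=com"      # constructed sample DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"
HELPDESK = "cn=helpdesk,ou=groups,dc=example,dc=com"

# Constructed sample target entry (not real directory data).
ENTRIES = {
    ALICE: {
        "objectClass": ["inetOrgPerson"], "cn": ["Alice"],
        "mail": ["alice@example.com"], "telephoneNumber": ["+1 555 0100"],
        "userPassword": ["{SSHA}redacted"],
    },
}

# Hypothetical rule dicts approximating (not reproducing) OpenDS ACI semantics.
RULES = [
    {"name": "anyone-reads-public-attrs", "effect": "allow",
     "rights": {"read", "search"}, "targetattr": {"objectClass", "cn", "mail"},
     "userdn": "anyone"},
    {"name": "self-writes-over-tls", "effect": "allow", "rights": {"write"},
     "targetattr": {"userPassword", "mail"}, "userdn": "self", "authmethod": "ssl"},
    {"name": "helpdesk-reads-phone-in-business-hours", "effect": "allow",
     "rights": {"read"}, "targetattr": {"telephoneNumber"}, "groupdn": HELPDESK,
     "ip": "10.0.0.0/8", "secure": True, "timeofday": (time(8, 0), time(18, 0))},
    {"name": "nobody-reads-passwords", "effect": "deny",
     "rights": {"read", "search"}, "targetattr": {"userPassword"}, "userdn": "anyone"},
]


@dataclass(frozen=True)
class Request:
    """What the DSA (enforcement point) knows about the DUA making the request."""
    bind_dn: Optional[str]               # None models an anonymous bind
    auth_method: str                     # "anonymous", "simple" or "ssl"
    groups: frozenset                    # group DNs the bound user belongs to
    client_ip: str
    secure: bool                         # connection is TLS-protected
    at: time                             # server-local time of the attempt
    privileges: frozenset = frozenset()  # e.g. {"bypass-acl"}


def _bind_conditions_hold(rule, req, target_dn):
    """Information-point side: every condition named in the rule must hold."""
    userdn = rule.get("userdn")
    if userdn == "self" and req.bind_dn != target_dn:
        return False
    if userdn == "all" and req.bind_dn is None:       # "all" = any authenticated user
        return False
    if userdn not in (None, "anyone", "all", "self") and req.bind_dn != userdn:
        return False
    if "groupdn" in rule and rule["groupdn"] not in req.groups:
        return False
    if "authmethod" in rule and req.auth_method != rule["authmethod"]:
        return False
    if "ip" in rule and ip_address(req.client_ip) not in ip_network(rule["ip"]):
        return False
    if rule.get("secure") and not req.secure:
        return False
    if "timeofday" in rule:
        start, end = rule["timeofday"]
        if not start <= req.at < end:
            return False
    return True


def is_allowed(req, target_dn, right, attr):
    """Policy Decision Point: may the DUA exercise `right` on `attr` of `target_dn`?"""
    if "bypass-acl" in req.privileges:   # privilege bypasses the ACL subsystem entirely
        return True
    allowed = False
    for rule in RULES:
        if right not in rule["rights"] or attr not in rule["targetattr"]:
            continue
        if not _bind_conditions_hold(rule, req, target_dn):
            continue
        if rule["effect"] == "deny":     # an applicable deny always wins
            return False
        allowed = True
    return allowed                       # default deny when nothing matched


def visible_attributes(req, target_dn):
    """Policy Enforcement Point: the entry as this DUA is permitted to read it.
    An empty result means the entry must not be returned to the DUA at all."""
    entry = ENTRIES.get(target_dn, {})
    return {a: v for a, v in entry.items() if is_allowed(req, target_dn, "read", a)}


if __name__ == "__main__":
    anon = Request(None, "anonymous", frozenset(), "203.0.113.5", False, time(12, 0))
    print(sorted(visible_attributes(anon, ALICE)))   # ['cn', 'mail', 'objectClass']
```

The deny-wins ordering matters: the password deny rule is listed last, yet it still blocks a read by an account that matches an earlier allow, which is the behaviour to check for when adding any broad allow rule. The bypass-acl branch is deliberately the first line of the decision function so that it is obvious in review which accounts can escape the policy.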
2. (I) A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. (See: access, access control service, computer security, Discretionary Access Control, Mandatory Access Control, Role Based Access Control.)
3. (I) /formal model/ Limitations on interactions between subjects and objects in an information system.
4. (O) "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner." I7498-2
5. (O) /U.S. Government/ A system using physical, electronic, or human controls to identify or admit personnel with properly authorized access to a SCIF.
Web Access Management products are Access Control products that are specific to Web Access Control.
More Information
There might be more information for this subject on one of the following:
- API Management
- API Service Delivery
- Access Control Engine
- Access Control Entry
- Access Control List
- Access Control Models
- Access Control Policy
- Access Log
- Access Proxy
- Access Token
- Adaptive Policy-based Access Management
- Authorization Header
- Best Practices for LDAP Security
- Cloud Access Security Broker
- Context Based Access Control
- Cross-site scripting
- Data Classification
- Data Protection
- Device Inventory Service
- Digital Context
- Digital Rights Management
- Discretionary Access Control
- Enterprise Directory
- Entitlement Example
- GCP ACL
- GCP IAM Policy
- GCP Identity
- GCP Storage Products
- Geneva Framework
- Glossary Of LDAP And Directory Terminology
- Google Cloud IAM
- Google Cloud Storage
- Graded Authentication
- HTTP Authentication Framework
- IDSA Integration Framework
- IMA Policies
- ISO 10181-3
- Identity Aware Proxy
- Identity Credential and Access Management
- Identity Lifecycle Management
- Identity Management
- Identity and Access Management
- JSPWiki Permission
- Java Authentication and Authorization Service
- LDAP Authentication
- Life Management Platform
- Logical Access Control
- NAM Access Manager
- NDS Authentication
- NIST.SP.800 Computer Security
- Next Generation Access Control
- Non Permissioned System
- OAuth Scope Example
- Object ACL
- Open Policy Agent
- Oracle Access Manager
- Password Administrator
- Password Management
- Password Policy Administrator
- Payment Card Industry Data Security Standard
- Permissioned Systems
- Permissionless System
- Physical Access Control
- Policy Access Decision Management Engine
- Primary Access Token
- Privilege Conflict
- Privilege Management
- Privileged Access Management
- Privileged Identity
- Protected Data
- RBAC vs ABAC
- Real Risk
- Resource Inventory Service
- Resource Provisioning
- Resource Server
- SOC 2
- Security Token Service
- Sensitive But Unclassified
- Session Management
- Subscriber Identification Module
- Technical Positions Statements
- Unvalidated redirects and forwards
- User-Managed Access
- User-centric Identity
- Vendor Relationship Management
- Web Blog_blogentry_010117_1
- Web Blog_blogentry_010317_1
- Web Blog_blogentry_030117_1
- Web Blog_blogentry_031017_1
- Web Blog_blogentry_070817_1
- Web Blog_blogentry_230717_1
- Web Blog_blogentry_280717_1
- Web Blog_blogentry_300717_1
- Zero Trust
[#1] Loosely adapted from http://en.wikipedia.org/wiki/Access_control - 2012-09-30