Overview#
Access Control (or Privilege Management) is a process in which an Authoritative Entity (Trustor) grants a permission to a Trustee.
Access Control is typically implemented within an Access Control Service.
Access Control is the process handling Authorization for Access to a Resource
Access Control is the process of determining Authorization of a Permission.
Access Control is most concerned with controlling access to a Protected Resource and limiting Risk
The action of Access Control may be referred to as Resource Provisioning
Access Control may utilize an Access Control List (ACL)
Access Control may (and probably SHOULD) use a Policy Based Management System.
Access Control Answers#
Access Control decides "Who" (Authentication) can do "What" (Resource Action) on which Resources. Put another way: which Identity can do what (Resource Action) on a Protected Resource.
Access Control Importance#
Access Control is the primary reason we perform all of the following activities: Access Control essentially includes Authentication, Authorization and Auditing.
Access Control Process#
Access Control is defined within an Access Control Policy and enforced by a Policy Enforcement Point based on the decision from the Policy Decision Point, which has acquired information from a Policy Retrieval Point and Policy Information Points.
Logical Access Control#
The term Logical Access Control originated as the digital counterpart to Physical Access Control.
Access Control Models#
There are many Access Control Models for implementation of Access Control.
LDAP servers#
For an LDAP server, Access Control provides a mechanism for restricting who can get access to various kinds of data within the DIT. The Access Control provider may be used to control a number of things, including:
- Whether or not a DUA can retrieve an LDAP Entry from the DIT.
- Which attributes within the LDAP Entry the DUA is allowed to retrieve.
- Which values of an attribute the DUA is allowed to retrieve.
- The ways in which the DUA is able to manipulate DIB for the directory.
A number of things can be taken into account when making Access Control decisions, including:
- The DN as which the user is authenticated.
- The Authentication Method by which the client authenticated to the DSA.
- Any groups in which that user is a member.
- The contents of the authenticated LDAP Entry.
- The contents of the Target Resource LDAP Entry.
- The address of the DUA system.
- Whether or not the communication between the client and server is secure.
- The time of day and/or day of week of the attempt.
See the documentation for details on the Access Control syntax used by the LDAP Server Implementation vendor.
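As an added example (not code from the page or from any LDAP server vendor), the Access Control Process above and the decision inputs listed for LDAP servers can be combined into a small Policy Decision Point with a Policy Enforcement Point in front of it. The group DNs, the rules and the sample request are constructed for illustration; the rules are plain Python predicates, not any vendor's Access Control syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed request context: the facts a Policy Information Point (PIP) supplies.
@dataclass
class Request:
    bind_dn: str        # DN the DUA authenticated as ("" = anonymous)
    auth_method: str    # "anonymous", "simple" or "sasl/<mechanism>"
    groups: frozenset   # group DNs the bind DN is a member of
    target_dn: str      # entry being accessed
    attribute: str      # attribute involved in the operation
    operation: str      # "read" or "write"
    client_ip: str      # address of the DUA system
    secure: bool        # True when the connection is TLS-protected
    hour: int           # hour of day (0-23) of the attempt

STAFF = "cn=staff,ou=groups,dc=example,dc=com"    # constructed group DNs
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"

# Constructed rules standing in for a Policy Retrieval Point (PRP); a match means permit.
def self_reads_own_entry(r):
    return r.operation == "read" and r.bind_dn != "" and r.bind_dn == r.target_dn

def staff_read_over_tls(r):
    return r.operation == "read" and r.secure and STAFF in r.groups

def admin_write_office_hours(r):
    return (r.operation == "write" and ADMINS in r.groups
            and r.auth_method.startswith("sasl/")
            and ip_address(r.client_ip) in ip_network("10.0.0.0/8")
            and 8 <= r.hour < 18)

POLICY = [self_reads_own_entry, staff_read_over_tls, admin_write_office_hours]
SELF_ONLY = {"userPassword"}   # readable by the entry's own DN, never by others

def decide(r):
    """Policy Decision Point (PDP): explicit deny, then any grant, else deny by default."""
    if r.attribute in SELF_ONLY and r.bind_dn != r.target_dn:
        return "deny"
    return "permit" if any(rule(r) for rule in POLICY) else "deny"

def enforce(r, action):
    """Policy Enforcement Point (PEP): only a permit reaches the DSA action."""
    return action() if decide(r) == "permit" else None

def sample_request(**overrides):
    """Constructed baseline: a staff member reads another user's cn over TLS."""
    base = dict(bind_dn="uid=alice,ou=people,dc=example,dc=com", auth_method="simple",
                groups=frozenset({STAFF}), target_dn="uid=bob,ou=people,dc=example,dc=com",
                attribute="cn", operation="read", client_ip="192.0.2.10", secure=True, hour=12)
    return Request(**{**base, **overrides})
```

The same request that is permitted over TLS is denied on a clear-text connection, and a request no rule covers falls through to the default deny.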
Privilege#
In addition to the Access Control subsystem, some implementations (OpenDS is one we are aware of) also provide a Privilege Management Infrastructure that can be used to control what a user will be allowed to do. One of the privileges available is the "bypass-acl" privilege, which can be used to allow that DUA to bypass any restrictions that the Access Control subsystem would otherwise enforce.
Internet Security Glossary (RFC 4949)#
Access Control is:
1. (I) Protection of system resources against unauthorized access.
2. (I) A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. (See: access, access control service, computer security, Discretionary Access Control, Mandatory Access Control, Role Based Access Control.)
3. (I) /formal model/ Limitations on interactions between subjects and objects in an information system.
4. (O) "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner." I7498-2
5. (O) /U.S. Government/ A system using physical, electronic, or human controls to identify or admit personnel with properly authorized access to a SCIF.
WEB Access Management#
WEB Access Management products are Access Control products that are specific to WEB Access Control.
More Information#
There might be more information for this subject on one of the following:
- API Management
- API Service Delivery
- API-Gateway
- Access Control Engine
- Access Control Entry
- Access Control List
- Access Control Models
- Access Control Policy
- Access Log
- Access Proxy
- Adaptive Policy-based Access Management
- Application-centric
- Authorization
- Authorization Header
- AuthorizationID
- Best Practices for LDAP Security
- BeyondCorp
- Building Automation
- Cloud Access Security Broker
- Context Based Access Control
- Cross-site scripting
- Data Classification
- Data Protection
- Device Inventory Service
- Digital Context
- Digital Rights Management
- Discretionary Access Control
- Draft-behera-ldap-password-policy
- Enable UserPassword in Microsoft Active Directory
- Enterprise Directory
- Entitlement Example
- GCP ACL
- GCP IAM Policy
- GCP Identity
- GCP Storage Products
- Geneva Framework
- Glossary Of LDAP And Directory Terminology
- Google Cloud IAM
- Google Cloud Storage
- Graded Authentication
- HIPAA Security Rule
- HTTP Authentication Framework
- IDM Related Compliance Items
- IDPro
- IDSA Integration Framework
- IEEE 802.1X
- IMA Policies
- ISO 10181-3
- Identity Aware Proxy
- Identity Credential and Access Management
- Identity Lifecycle Management
- Identity Management
- Identity and Access Management
- JML
- JSPWiki Permission
- Java Authentication and Authorization Service
- Keycloak
- LDAP Authentication
- Life Management Platform
- Local Security Authority Subsystem Service
- Lock
- Logical Access Control
- MS Access Mask
- MSFT Access Token
- Mandatory Integrity Control
- NAM Access Manager
- NDS Authentication
- NIST.SP.800 Computer Security
- NT-Sec-Desc
- Next Generation Access Control
- Non Permissioned System
- OAuth Scope Example
- Object ACL
- Open Policy Agent
- Oracle Access Manager
- Organizational-centric
- Password Administrator
- Password Management
- Password Policy Administrator
- Payment Card Industry Data Security Standard
- Permission
- Permissioned Systems
- Permissionless System
- Personal Health Record
- Phantom Token Flow
- Physical Access Control
- Policy Access Decision Management Engine
- Primary Access Token
- Privilege
- Privilege Conflict
- Privilege Management
- Privileged Access Management
- Privileged Identity
- Protected Data
- Provisioning
- RBAC vs ABAC
- RFC 2753
- Real Risk
- Resource Access Control Facility
- Resource Inventory Service
- Resource Provisioning
- Resource Server
- Reverse Proxy
- Rights
- Role
- SOC 2
- Scopes vs Claims
- SearchResultEntry
- Security
- Security Token Service
- Sensitive But Unclassified
- Session Management
- Subscriber Identification Module
- System Authorization Facility
- Technical Positions Statements
- Unclassified
- Unvalidated redirects and forwards
- User-Managed Access
- User-centric Identity
- Vendor Relationship Management
- WebID
- XACML
- Z-Wave
- Zero Trust
[#1] Loosely adapted from http://en.wikipedia.org/wiki/Access_control
