What Is Access Control?

Access control is the security technique that regulates who can view or use resources and what actions each user can perform. Access control determines which users, devices, or processes reach a file, system, or physical space, and which operations they may run. Every operating system, database, and secured building applies access control to enforce permissions.

This article defines access control, explains the role of authentication, describes the four access control models of DAC, MAC, RBAC, and ABAC, states the principle of least privilege, separates physical from logical access control, explains access control lists, and gives concrete examples. The National Institute of Standards and Technology access control guidance and standard operating system documentation supply the references used here.

A comparison table sets out the four models across how permissions are assigned and where each fits. Each section answers one question about access control and connects to the next.

What Is Access Control?

Access control is the security technique that regulates who can access a resource and what operations they can perform on it. Access control combines identification, authentication, and authorization into an enforced policy. The system first confirms who a user is, then decides what that user may do.

The National Institute of Standards and Technology defines access control as the process of granting or denying specific requests for resources. Access control applies to data, applications, networks, and physical locations, and it enforces the boundary between an authenticated identity and the resources that identity is permitted to use.

What Role Does Authentication Play in Access Control?

Authentication establishes the identity that access control then evaluates against a permission policy. Access control cannot grant or deny access until it knows who is requesting. The list below states the sequence of access control steps.

  1. Identification states a claimed identity, such as a username or device certificate.
  2. Authentication verifies that claim through a password, passkey, or biometric factor.
  3. Authorization checks the verified identity against the access policy for the requested resource.
  4. Enforcement grants or denies the operation and records the decision for audit.

Authentication answers who the user is, and authorization answers what the user may do. The comparison of how authentication and authorization divide the access process covers the boundary between the two functions, which together form the core of access control.
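
The four steps above, run in order, as an added example that is not part of the original article. The user, password, policy table, PBKDF2 work factor, and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # sample PBKDF2 work factor chosen for this example

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample data: one enrolled user and one policy entry.
_salt = os.urandom(16)
USERS = {"alice": {"salt": _salt, "hash": derive("correct horse", _salt)}}
POLICY = {("alice", "payroll.csv"): {"read"}}  # (identity, resource) -> operations
DUMMY = {"salt": b"\x00" * 16, "hash": b"\x00" * 32}  # same work for unknown users
AUDIT_LOG = []

def request_access(username, password, resource, operation):
    """Run the four steps in order and return 'grant' or 'deny'."""
    # 1. Identification: the username is only a claim at this point.
    record = USERS.get(username, DUMMY)
    # 2. Authentication: verify the claim; compare digests in constant time.
    supplied = derive(password, record["salt"])
    authenticated = hmac.compare_digest(supplied, record["hash"]) and username in USERS
    # 3. Authorization: evaluated only for a verified identity, default deny.
    allowed = authenticated and operation in POLICY.get((username, resource), set())
    # 4. Enforcement: record the decision for audit, then return it.
    if allowed:
        reason = "policy match"
    elif authenticated:
        reason = "not authorized"
    else:
        reason = "authentication failed"
    decision = "grant" if allowed else "deny"
    AUDIT_LOG.append({"user": username, "resource": resource,
                      "operation": operation, "decision": decision, "reason": reason})
    return decision
```

Denied requests are logged with the step that stopped them, so a reviewer can tell a failed login from an authenticated user reaching past their permissions.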

What Are the Access Control Models?

The four access control models are Discretionary, Mandatory, Role-Based, and Attribute-Based access control. Each model assigns permissions through a different rule. The list below names the models.

  • Discretionary Access Control (DAC) lets the resource owner decide who receives access.
  • Mandatory Access Control (MAC) enforces access through system-wide security labels that users cannot change.
  • Role-Based Access Control (RBAC) grants permissions to roles, and users inherit access through assigned roles.
  • Attribute-Based Access Control (ABAC) grants access based on attributes of the user, resource, action, and context.

Each model trades flexibility against central control. The comparison table later in this article sets out how each model assigns permissions and where each fits.

What Is Discretionary Access Control?

Discretionary Access Control is a model where the resource owner sets the permissions for that resource. The owner grants or revokes access at their discretion. Standard file systems on Windows, macOS, and Linux use discretionary access control, where the file owner assigns read, write, and execute permissions.

Discretionary access control offers flexibility but allows inconsistent policy, because each owner decides independently. A user who owns a file can share it with anyone, which makes central enforcement difficult across a large organization.

What Is Mandatory Access Control?

Mandatory Access Control is a model where a central authority assigns security labels that the system enforces regardless of owner preference. Users cannot override the labels. Mandatory access control assigns classifications such as confidential, secret, and top secret to both resources and users, and access requires a matching clearance.

Government, military, and high-security systems use mandatory access control, often through implementations such as SELinux. Mandatory access control provides the strictest control but the least flexibility, because no individual owner can change the policy.

What Is the Principle of Least Privilege?

The principle of least privilege states that each user, process, or system receives only the minimum access required to perform its function. Least privilege limits the damage a compromised account can cause. The list below states how least privilege applies.

  • Minimum rights grant only the permissions a task requires and nothing beyond it.
  • Just-in-time access raises privileges only for the duration of a specific task.
  • Separation of duties splits sensitive operations across multiple accounts to prevent single-account abuse.
  • Regular review removes accumulated permissions that a user no longer needs.

Least privilege contains the blast radius of a breach, because a compromised account holds only narrow access. The National Institute of Standards and Technology lists least privilege as a foundational control, and it underpins the verification model described in the overview of how zero trust security limits implicit access.

What Is the Difference Between Physical and Logical Access Control?

Physical access control restricts entry to buildings and equipment, while logical access control restricts access to data and systems. The two layers protect different assets. The list below states the distinction.

  • Physical access control uses locks, badge readers, biometric scanners, and turnstiles to govern entry to spaces.
  • Logical access control uses passwords, permissions, and policies to govern access to files and applications.
  • Combined control pairs both layers, since data security depends on protecting the hardware that holds the data.
  • Audit logging records both physical entries and logical access events for accountability.

A complete program enforces both layers, because logical controls fail if an attacker reaches the physical hardware. A server protected by strong permissions still requires a locked room to prevent direct hardware access.

What Is an Access Control List?

An access control list is a table that specifies which users or systems can access a resource and what operations they may perform. An access control list, abbreviated ACL, attaches permissions directly to a resource. The list below states how access control lists operate.

  • Entries pair a subject, such as a user or group, with the permissions granted to that subject.
  • File system ACLs define read, write, and execute rights on files and directories.
  • Network ACLs filter traffic on routers and firewalls by source, destination, and port.
  • Order of evaluation matters, because the system applies the first matching rule in many ACL implementations.

Access control lists implement discretionary access control at the resource level. A network access control list enforces similar logic on traffic, deciding which packets pass based on defined rules.
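
Why order of evaluation matters, as an added example that is not from the original article: the same two rules give opposite answers depending on their order, and a small check finds rules that can never fire. The rule format (action, source network, destination port) and the implicit deny are simplifying assumptions.

```python
import ipaddress

def evaluate(acl, src, dst_port):
    """Return the action of the first matching rule; deny when nothing matches."""
    src_ip = ipaddress.ip_address(src)
    for action, network, port in acl:
        if src_ip in ipaddress.ip_network(network) and port in (None, dst_port):
            return action          # first match wins; later rules are never consulted
    return "deny"                  # implicit deny, assumed here as the default

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for j, (_, net_j, port_j) in enumerate(acl):
        for _, net_i, port_i in acl[:j]:
            covers_net = ipaddress.ip_network(net_j).subnet_of(ipaddress.ip_network(net_i))
            covers_port = port_i is None or port_i == port_j
            if covers_net and covers_port:
                hidden.append(j)
                break
    return hidden

# Constructed rules (action, source network, destination port; None = any port),
# using the RFC 5737 documentation range.
BLOCK_HOST = ("deny", "192.0.2.10/32", 22)
ALLOW_SUBNET = ("permit", "192.0.2.0/24", 22)
ACL_SPECIFIC_FIRST = [BLOCK_HOST, ALLOW_SUBNET]
ACL_BROAD_FIRST = [ALLOW_SUBNET, BLOCK_HOST]   # same rules, different order
```

With the broad rule first, the host-specific deny is shadowed and the blocked host is permitted, which is the kind of misordering a periodic ACL review should catch.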

What Are Examples of Access Control?

Access control examples include file permissions, network firewalls, building badge systems, and database roles. Each example enforces a permission boundary. The list below states common deployments.

  • File permissions grant read, write, and execute access to users and groups on an operating system.
  • Database roles restrict which tables and operations an application account may use.
  • Network firewalls apply access control lists to allow or block traffic between segments.
  • Badge systems enforce physical access control by checking credentials at controlled doors.

These examples span logical and physical control. A role-based database account and a building badge reader both enforce the same principle, granting access only to authorized identities for authorized actions.

What Is Role-Based Access Control?

Role-Based Access Control is a model that grants permissions to roles, and users receive access by holding an assigned role. Permissions attach to roles rather than to individual users. The list below states how role-based access control operates.

  • Roles group the permissions required for a job function, such as accountant or administrator.
  • Role assignment grants a user the permissions of every role they hold.
  • Centralized management lets administrators change a role to update access for every user in it at once.
  • Scalability suits large organizations, because new users inherit access through roles instead of individual grants.

Role-Based Access Control reduces administrative effort at scale, because permission changes apply to a role rather than to each user. Most enterprise applications and cloud platforms implement role-based access control as the default model.
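
A small role-based model, added here as an example and not taken from the original article: users inherit the union of their roles' permissions, a change to a role reaches every holder, and a check flags accounts whose combined roles break separation of duties. All role, user, and permission names are constructed.

```python
# Constructed sample data (role, user and permission names are illustrative).
ROLES = {
    "accountant": {"invoice:read", "payment:create"},
    "approver": {"invoice:read", "payment:approve"},
    "administrator": {"user:manage"},
}
ASSIGNMENTS = {
    "dana": {"accountant"},
    "eli": {"approver"},
    "fay": {"accountant", "approver"},   # holds two roles
}
# Permission pairs that one account should not hold together.
CONFLICTS = [("payment:create", "payment:approve")]

def effective_permissions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in assignments.get(user, set()):
        perms |= roles.get(role, set())
    return perms

def is_allowed(user, permission, roles=ROLES, assignments=ASSIGNMENTS):
    """Permissions come only through roles; there are no per-user grants."""
    return permission in effective_permissions(user, roles, assignments)

def sod_violations(roles=ROLES, assignments=ASSIGNMENTS, conflicts=CONFLICTS):
    """Users whose combined roles grant both halves of a conflicting pair."""
    found = []
    for user in sorted(assignments):
        perms = effective_permissions(user, roles, assignments)
        for first, second in conflicts:
            if first in perms and second in perms:
                found.append((user, first, second))
    return found
```

Adding a permission to ROLES["accountant"] takes effect for dana and fay on their next request without touching either user record.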

What Is Attribute-Based Access Control?

Attribute-Based Access Control is a model that grants access based on attributes of the user, resource, action, and context. The policy engine evaluates attributes at the moment of each request. The list below states how attribute-based access control operates.

  • User attributes include department, clearance, and job title.
  • Resource attributes include classification, owner, and data type.
  • Contextual attributes include time of day, location, and device security posture.
  • Policy rules combine attributes into conditions, such as granting access only to finance staff on managed devices during business hours.

Attribute-Based Access Control supports fine-grained, context-aware decisions that fixed roles cannot express. The added flexibility raises policy complexity, which makes attribute-based access control suited to dynamic environments rather than simple permission sets.
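
The sample rule above (finance staff on managed devices during business hours) as a request-time check, added here as an example and not part of the original article. The attribute names, the Monday to Friday 09:00-17:00 window, and the resource and action conditions are assumptions; missing attributes fail closed.

```python
from datetime import datetime, time

def decide(user, resource, action, context):
    """Evaluate the rule at request time; return (allowed, failed_conditions)."""
    now = context.get("time")
    checks = {
        "department": user.get("department") == "finance",
        "classification": resource.get("classification") == "financial",
        "action": action == "read",
        "managed_device": context.get("device_managed") is True,
        # Business hours assumed to be Mon-Fri 09:00-17:00 for this example.
        "business_hours": isinstance(now, datetime)
        and now.weekday() < 5
        and time(9, 0) <= now.time() < time(17, 0),
    }
    # Every condition must hold; an absent attribute counts as a failure.
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)

# Constructed sample attributes.
ANALYST = {"department": "finance", "job_title": "analyst"}
LEDGER = {"classification": "financial", "owner": "finance"}
TUESDAY_MORNING = datetime(2024, 3, 5, 10, 30)
SATURDAY_MORNING = datetime(2024, 3, 9, 10, 30)
```

The same user and resource produce different decisions as the context changes, and the list of failed conditions gives the audit log a reason for each denial.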

How Does Access Control Support Accountability?

Access control supports accountability by logging every access decision and tying each action to an authenticated identity. Accountability requires a record of who did what. The list below states how access control enables it.

  • Audit logs record each access request, the identity behind it, and the grant or deny decision.
  • Identity binding ties every logged action to a verified user rather than an anonymous request.
  • Non-repudiation prevents a user from denying an action that the logs attribute to their identity.
  • Forensic review reconstructs an incident from access logs after a breach or policy violation.

Accountability depends on reliable authentication, because a log entry is only as trustworthy as the identity behind it. Access control and logging together provide the evidence needed for incident investigation and compliance audits.

Key Takeaways

  • Access control regulates who can use a resource and what actions they can perform.
  • Authentication establishes identity before authorization evaluates permissions.
  • The four models are Discretionary, Mandatory, Role-Based, and Attribute-Based.
  • The principle of least privilege grants only the minimum access required.
  • Physical access control protects spaces, and logical access control protects data.
  • An access control list pairs subjects with permissions on a resource.
  • Examples include file permissions, firewalls, and building badge systems.

Access Control Models Comparison

The table below compares the four access control models across how permissions are assigned, who controls them, and typical use.

Model | Permissions Assigned By | Controlled By     | Typical Use
------+-------------------------+-------------------+----------------------------------
DAC   | Resource owner          | Individual owners | File systems and shared documents
MAC   | Security labels         | Central authority | Government and military systems
RBAC  | Assigned roles          | Administrators    | Enterprise applications
ABAC  | Evaluated attributes    | Policy engine     | Dynamic, context-aware access

What is access control in security?

Access control is the security technique that regulates who can view or use a resource and what actions they may perform. It combines authentication and authorization to enforce permissions on data and spaces.

What are the four access control models?

The four models are Discretionary Access Control, Mandatory Access Control, Role-Based Access Control, and Attribute-Based Access Control. Each assigns permissions through a different rule, from owner choice to evaluated attributes.

What is the principle of least privilege?

The principle of least privilege grants each user or process only the minimum access required to perform its function. It limits the damage a compromised account can cause across a system.

What is the difference between physical and logical access control?

Physical access control restricts entry to buildings and equipment using locks and badges. Logical access control restricts access to data and systems using passwords, permissions, and policies.

What is an access control list?

An access control list is a table that specifies which users or systems can access a resource and what operations they may perform. File systems and firewalls use access control lists.

Is RBAC better than ABAC?

Neither is universally better. Role-Based Access Control is simpler and suits stable roles, while Attribute-Based Access Control handles dynamic, context-aware decisions at the cost of greater complexity.

Last Thoughts on Access Control

Access control regulates who reaches a resource and what actions they may perform, enforcing the boundary between an authenticated identity and permitted operations. The four models of Discretionary, Mandatory, Role-Based, and Attribute-Based access control assign permissions through different rules, and the principle of least privilege limits the access each identity holds. Physical and logical access control protect different assets, while access control lists attach permissions to individual resources.

Access control depends on authentication to establish identity and underpins the continuous verification of modern security architecture, detailed in the overview of how zero trust security verifies every request. The hub on cybersecurity principles and access defenses situates access control within the wider protection of systems and data.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
