6.4 Compare and contrast authentication, authorization, accounting and non-repudiation concepts.
📘CompTIA ITF+ (FC0-U61)
Explained
Authorization is the process that determines what a user can access or do on a system after they have proven their identity (authentication). Think of it as the rules and permissions that control access to files, applications, and other IT resources.
1. Permissions
- Definition: Permissions are rules set by the system or administrator that define what actions a user can take on an object (like a file, folder, or application).
- Examples in IT:
  - A user may have read-only access to a document (can view it but cannot change it).
  - Another user might have read/write access (can view and edit the document).
- Permissions are often set on folders, files, databases, and network resources.
2. Least Privilege Model
- Definition: The least privilege model means giving users only the access they need to do their job, and nothing more.
- Purpose: Reduces the chance of accidental or intentional damage.
- Examples in IT:
  - A receptionist in a company might only need access to the appointment system, not to HR files.
  - A database analyst might have read/write access to the database but not admin rights to the server.
3. Role-Based Access Control (RBAC)
- Definition: Access is determined based on a user’s role within the organization. Instead of assigning permissions to each user individually, roles are created with a set of permissions.
- Key Idea: Users inherit permissions based on the role they are assigned.
- User Account Types Example:
  - Administrator: Can create users, delete files, install software.
  - Standard User: Can use software and save files but cannot install programs.
  - Guest User: Limited access, often only able to read files.
- IT Example: A network engineer role might have access to network switches, routers, and configuration files, while a help desk role can only access user support tools.
4. Rule-Based Access Control
- Definition: Access is determined by a set of rules or policies rather than roles.
- Examples in IT:
  - Only allow access to certain files during business hours.
  - Block access to sensitive servers from outside the office network.
- Purpose: Adds an extra layer of control beyond roles, often used in dynamic or high-security environments.
5. Mandatory Access Control (MAC)
- Definition: A strict model where the system enforces all access rules, and users cannot change them.
- Key Point: Access is based on security labels like classification levels (e.g., Confidential, Secret, Top Secret).
- IT Example:
  - A file labeled “Confidential” can only be accessed by users with a “Confidential” clearance or higher.
  - Even if a user tries, they cannot override the system to get higher access.
6. Discretionary Access Control (DAC)
- Definition: The owner of the resource decides who can access it. Users have discretion to grant or deny access to other users.
- Key Point: More flexible than MAC but less secure because users might accidentally share sensitive information.
- IT Example:
  - A user creates a document and decides to share it with only a few colleagues.
  - The system allows the owner to set read, write, or full control permissions for others.
Key Differences Between MAC, DAC, and RBAC
| Access Control Type | Who Controls Access? | Flexibility | Example |
|---|---|---|---|
| MAC | System/Administrator | Low | Files labeled “Top Secret” are only accessible to users cleared for that level or higher |
| DAC | Resource Owner | High | User decides who can read or edit their personal files |
| RBAC | Administrator via roles | Medium | IT team roles define who can access servers or databases |
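To make the models above concrete, here is an added Python example (not part of the ITF+ material) that implements each check over constructed sample users and a document: RBAC via role permission sets, MAC via a clearance ordering, DAC via an owner-managed ACL, and a rule-based business-hours/office-network policy. The role sets, clearance levels and rule thresholds are assumptions chosen to mirror the examples in this section.

```python
from dataclasses import dataclass, field

# MAC clearance ordering and RBAC role permission sets (constructed sample values)
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
ROLE_PERMS = {
    "administrator": {"read", "write", "install", "create_user"},
    "standard": {"read", "write"},
    "guest": {"read"},
}

@dataclass
class User:
    name: str
    role: str        # RBAC: permissions are inherited from this role
    clearance: str   # MAC: security label held by the user

@dataclass
class Resource:
    owner: str                               # DAC: owner decides who else gets in
    label: str                               # MAC: classification of the object
    acl: dict = field(default_factory=dict)  # DAC: {user name: set of actions granted}

def rbac_allows(user: User, action: str) -> bool:
    """RBAC: the action must be in the permission set of the user's role."""
    return action in ROLE_PERMS.get(user.role, set())

def mac_allows(user: User, res: Resource) -> bool:
    """MAC: system-enforced; clearance must be at or above the resource label."""
    return LEVELS[user.clearance] >= LEVELS[res.label]

def dac_allows(user: User, res: Resource, action: str) -> bool:
    """DAC: the owner is always allowed; others only if the owner granted the action."""
    return user.name == res.owner or action in res.acl.get(user.name, set())

def rule_allows(hour: int, from_office: bool) -> bool:
    """Rule-based: only during business hours (09:00-17:00) and from the office network."""
    return 9 <= hour < 17 and from_office

def grant(actor: User, res: Resource, grantee: str, action: str) -> None:
    """DAC grant: only the resource owner may change its ACL."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} is not the owner of this resource")
    res.acl.setdefault(grantee, set()).add(action)

def can_access(user: User, res: Resource, action: str,
               hour: int = 10, from_office: bool = True) -> bool:
    """Least privilege in practice: every model must say yes; any single denial wins."""
    return (rbac_allows(user, action) and mac_allows(user, res)
            and dac_allows(user, res, action) and rule_allows(hour, from_office))
```

Combining the checks with `and` is what the least privilege model looks like in code: a user who passes the role check but lacks clearance, or who is cleared but was never granted access by the owner, is still denied.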
✅ Exam Tips for Authorization
- Remember: Authentication = Who you are, Authorization = What you can do.
- Least privilege is a security best practice: give the minimum rights needed.
- RBAC is role-focused; rule-based uses policies; MAC is system-enforced; DAC is owner-controlled.
- Know the user account types: Administrator, Standard, Guest, and how they differ in permissions.
This covers everything you need for the Authorization section of the CompTIA ITF+ exam, in IT-specific terms that are easy to visualize and understand.
