Access controls: mandatory, discretionary, role-based, rule-based, attribute-based, time-of-day, least privilege

4.4 Identity & access management

📘CompTIA Security+ (SY0-701)


Access Controls — Overview

Access control refers to the methods and rules that determine who can access what resources in an organization’s systems or network.

It ensures that only authorized users can access specific data, systems, or resources, based on their role, identity, or attributes.

In simple terms:

Access control is how an organization manages user permissions to protect sensitive information from unauthorized access.


🧩 Types of Access Control Models

There are several models used in organizations. Let’s go through each in detail.


1. Mandatory Access Control (MAC)

Definition:
A highly secure and strict access control model where the operating system or administrator decides who can access what.
Users cannot change access permissions.

Key Points:

  • Access decisions are based on security labels or classifications.
    (For example: “Top Secret,” “Confidential,” “Public”)
  • Each user and file/resource has a security label.
  • The system compares the user’s label and the object’s label to decide access.
  • Commonly used in government, military, and high-security environments.

Example in IT context:
A user with a “Secret” clearance level cannot open a document labeled “Top Secret.” The system enforces this automatically, and the user cannot modify the rule.

Exam Tip:

  • MAC = Labels and system-enforced access.
  • Users cannot change permissions.
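
The label comparison described above, as an added example in Python (not code from the course notes): each subject and object carries an immutable label, and the system, not the user, decides by comparing them. It goes slightly beyond the notes by adding optional compartments (need-to-know categories) and the classic "no write down" rule alongside "no read up"; the level names and the PROJECT-X compartment are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import FrozenSet

# Classification levels in ascending order of sensitivity (list index = rank).
LEVELS = ["Public", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)  # frozen: a label cannot be altered by the user or process holding it
class Label:
    """A security label: a classification level plus optional compartments.

    Compartments (need-to-know categories such as a project codeword) are a
    common MAC extension; the notes above describe levels only.
    """
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as sensitive as `other` on both axes."""
        return self.rank() >= other.rank() and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): clearance must dominate classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property ("no write down"): a subject may only write to objects whose
    label dominates its own, so Secret data cannot be copied into a Public file."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> str:
    """System-enforced decision; unlike DAC there is no owner override in MAC."""
    check = {"read": can_read, "write": can_write}[action]
    return "allow" if check(subject, obj) else "deny"


if __name__ == "__main__":
    secret_user = Label("Secret")
    top_secret_doc = Label("Top Secret")
    # The scenario from the notes: a Secret clearance cannot open a Top Secret document.
    print(decide(secret_user, top_secret_doc, "read"))          # deny
    print(decide(Label("Top Secret"), Label("Secret"), "read"))  # allow (reading down is fine)
    print(decide(Label("Top Secret"), Label("Secret"), "write")) # deny (no write down)
```

The compartment check is what makes two "Secret" labels unequal: a Secret user without the PROJECT-X compartment is denied a Secret/PROJECT-X file even though the levels match.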

2. Discretionary Access Control (DAC)

Definition:
An access model where the owner of a resource decides who can access it and what they can do.

Key Points:

  • Access is based on user identity and permissions assigned by the owner.
  • Uses Access Control Lists (ACLs) or file permissions (like read, write, execute).
  • Flexible, but also less secure, since users can accidentally grant permissions to others.

Example in IT context:
A network administrator creates a shared folder and allows specific users to “read” or “edit” files. The folder owner can modify these permissions.

Exam Tip:

  • DAC = Owner-controlled permissions.
  • Found commonly in Windows and Linux environments.
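
The shared-folder scenario above as an added Python example (constructed for these notes, not a real file system API): the owner holds an ACL and is the only principal who can edit it, and `audit_acl` shows the check a defender would run to see when the owner has delegated that right, which is exactly how DAC permissions spread further than intended. The share path and user names are made up.

```python
from typing import Dict, List, Set

FULL_CONTROL = {"read", "write", "execute", "change_permissions"}


class SharedFolder:
    """A DAC-protected resource: the owner decides the ACL."""

    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        # ACL maps a user to the permissions granted on this folder; the owner starts with full control.
        self.acl: Dict[str, Set[str]] = {owner: set(FULL_CONTROL)}

    def check(self, user: str, permission: str) -> bool:
        return permission in self.acl.get(user, set())

    def grant(self, actor: str, user: str, permission: str) -> None:
        """Only a principal holding change_permissions (the owner by default) may edit the ACL."""
        if not self.check(actor, "change_permissions"):
            raise PermissionError(f"{actor} cannot change permissions on {self.name}")
        if permission not in FULL_CONTROL:
            raise ValueError(f"unknown permission {permission!r}")
        self.acl.setdefault(user, set()).add(permission)

    def revoke(self, actor: str, user: str, permission: str) -> None:
        if not self.check(actor, "change_permissions"):
            raise PermissionError(f"{actor} cannot change permissions on {self.name}")
        self.acl.get(user, set()).discard(permission)

    def try_grant(self, actor: str, user: str, permission: str) -> bool:
        """Convenience wrapper: True if the grant succeeded, False if the actor lacked the right."""
        try:
            self.grant(actor, user, permission)
            return True
        except PermissionError:
            return False


def audit_acl(share: SharedFolder) -> List[str]:
    """Defender's check: who besides the owner can change permissions on this share?"""
    return sorted(u for u, perms in share.acl.items()
                  if u != share.owner and "change_permissions" in perms)


def build_example() -> SharedFolder:
    """The scenario from the notes: a network admin creates a share and grants read/edit rights."""
    share = SharedFolder(r"\\fileserver\projects", owner="netadmin")  # constructed share name
    share.grant("netadmin", "alice", "read")
    share.grant("netadmin", "bob", "read")
    share.grant("netadmin", "bob", "write")
    return share


if __name__ == "__main__":
    share = build_example()
    print(share.try_grant("bob", "carol", "read"))                  # False: bob is not the owner
    share.grant("netadmin", "bob", "change_permissions")            # owner delegates ACL control
    print(share.try_grant("bob", "carol", "read"), audit_acl(share))  # True ['bob']
```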

3. Role-Based Access Control (RBAC)

Definition:
Access is given based on the role or job function of a user in an organization.

Key Points:

  • Roles are created according to job responsibilities.
  • Users are assigned roles, and each role has specific permissions.
  • Helps with least privilege and easy management (since permissions are not assigned individually).

Example in IT context:
A “Database Administrator” role has access to manage databases. Anyone assigned to that role automatically gets the same permissions.

Exam Tip:

  • RBAC = Roles determine access.
  • Used widely in enterprise environments.
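
Role indirection in code, as an added Python example that is not from the course notes: users are mapped to roles, roles to permissions, and a permission check walks that chain. Assigning a second person the "database_administrator" role gives them the same permissions as the first with no per-user edits, which is the management benefit the notes describe. The role and permission names are constructed; the help-desk technician who can reset passwords but not read HR data is the least-privilege scenario from later in these notes.

```python
from typing import Dict, Set


class Rbac:
    """Role-based access control: user -> roles -> permissions."""

    def __init__(self, role_permissions: Dict[str, Set[str]]):
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        """Roles must be defined up front; an unknown role is a configuration error, not a silent no-op."""
        if role not in self.role_permissions:
            raise ValueError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)


# Constructed role definitions for the example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk_technician": {"account:reset_password", "ticket:update"},
    "database_administrator": {"db:create", "db:backup", "db:restore"},
    "hr_analyst": {"hr:read_payroll"},
}


def build_example() -> Rbac:
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign_role("alice", "helpdesk_technician")
    rbac.assign_role("bob", "database_administrator")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    print(rbac.is_allowed("alice", "account:reset_password"))  # True
    print(rbac.is_allowed("alice", "hr:read_payroll"))         # False: not part of her role
    rbac.assign_role("dave", "database_administrator")
    print(rbac.effective_permissions("dave") == rbac.effective_permissions("bob"))  # True
```

Because permissions hang off roles, removing a user's access on role change is a single `revoke_role` call; with per-user grants an admin would have to hunt down every individual entry.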

4. Rule-Based Access Control

Definition:
Access decisions are based on predefined rules that evaluate specific conditions.

Key Points:

  • Rules are often defined in firewalls, routers, or access control systems.
  • Can use if-then logic to allow or deny access.
  • Commonly used for network access controls or temporary restrictions.

Example in IT context:
A firewall allows incoming traffic on port 443 (HTTPS) but blocks all others.
Or, a system may block user login attempts from outside the corporate network.

Exam Tip:

  • Rule-based = Uses system rules or conditions, not user roles.
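
Both examples from this section (allow only TCP/443, and block logins from outside the corporate network) as an added Python example that mimics how a firewall evaluates an ordered rule list: first match wins and anything unmatched falls through to an implicit deny. This is constructed illustration code, not any vendor's rule syntax; the corporate address range 10.0.0.0/8 and the sample source addresses are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate address space


@dataclass(frozen=True)
class Request:
    """The facts a rule can test: source address, protocol and destination port."""
    src_ip: str
    proto: str = "tcp"
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    """A rule matches only on the fields it specifies; None means 'any'."""
    action: str                                   # "allow" or "deny"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_net: Optional[ipaddress.IPv4Network] = None

    def matches(self, req: Request) -> bool:
        if self.proto is not None and self.proto != req.proto:
            return False
        if self.dst_port is not None and self.dst_port != req.dst_port:
            return False
        if self.src_net is not None and ipaddress.ip_address(req.src_ip) not in self.src_net:
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> str:
    """First-match evaluation; a request that matches no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "deny"


# Rule set 1: permit inbound HTTPS, block everything else (via the default deny).
FIREWALL_RULES = [Rule("allow", proto="tcp", dst_port=443)]

# Rule set 2: logins are accepted only from the corporate network.
LOGIN_RULES = [Rule("allow", src_net=CORPORATE_NET)]


if __name__ == "__main__":
    print(evaluate(FIREWALL_RULES, Request("203.0.113.9", "tcp", 443)))  # allow
    print(evaluate(FIREWALL_RULES, Request("203.0.113.9", "tcp", 22)))   # deny
    print(evaluate(LOGIN_RULES, Request("10.20.30.40")))                 # allow
    print(evaluate(LOGIN_RULES, Request("198.51.100.7")))                # deny
```

Order matters with first-match semantics: placing a catch-all `Rule("deny")` before the HTTPS allow would block port 443 too, which is a common misconfiguration to look for when auditing rule sets.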

5. Attribute-Based Access Control (ABAC)

Definition:
Access decisions are made based on attributes (characteristics) of the user, resource, action, and environment.

Key Points:

  • Attributes can include:
    • User attributes: department, job title, location, clearance level
    • Resource attributes: file type, classification
    • Environmental attributes: time of day, device type, IP address
  • ABAC evaluates all these attributes using policies written in languages like XACML (eXtensible Access Control Markup Language).
  • Very dynamic and flexible model.

Example in IT context:
A user from the “HR Department” can access payroll files only during business hours and only from the corporate network.

Exam Tip:

  • ABAC = Based on multiple attributes (user + environment + resource).
  • Policy-based system using “If conditions match, then grant access.”

6. Time-of-Day Restrictions

Definition:
Access is allowed or denied based on specific time periods.

Key Points:

  • Used to limit user access during non-working hours.
  • Commonly applied to VPNs, systems, and networks.
  • Helps reduce risk from unauthorized after-hours access.

Example in IT context:
A company allows employees to log in to their systems only between 8 AM and 6 PM. Any login attempt outside that range is denied.

Exam Tip:

  • Time-of-day = Restrict access by time schedule.
  • Often combined with RBAC or ABAC.
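
The HR payroll scenario from the ABAC section, combined with the 8 AM to 6 PM window from the time-of-day section, as one added Python example (constructed for these notes; it is not XACML and not any product's policy language). Each policy rule is a condition over the subject, resource, action and environment attributes, and the decision point uses deny-overrides combining: any matching deny wins, otherwise any matching permit, otherwise deny. The corporate range 10.0.0.0/8, the attribute names and the sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed corporate address space
BUSINESS_HOURS = (time(8, 0), time(18, 0))           # 8 AM to 6 PM, as in the notes


def during_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= when.time() < end


def from_corporate_network(src_ip: str) -> bool:
    return ipaddress.ip_address(src_ip) in CORPORATE_NET


@dataclass
class PolicyRule:
    name: str
    effect: str                                     # "permit" or "deny"
    condition: Callable[[Dict, Dict, str, Dict], bool]  # (subject, resource, action, environment)


POLICY: List[PolicyRule] = [
    # Environmental/subject attribute: disabled accounts are denied regardless of anything else.
    PolicyRule("terminated-accounts", "deny",
               lambda s, r, a, e: s.get("status") == "terminated"),
    # The notes' HR example: department + resource type + action + time of day + network location.
    PolicyRule("hr-payroll-office-hours", "permit",
               lambda s, r, a, e: s.get("department") == "HR" and r.get("type") == "payroll"
               and a == "read" and during_business_hours(e["time"])
               and from_corporate_network(e["src_ip"])),
    # Resource attribute alone: public material is readable by anyone, any time.
    PolicyRule("public-docs", "permit",
               lambda s, r, a, a_env=None, **_: False),  # placeholder replaced below
]
# Define the public-docs rule with the normal signature (kept separate for readability).
POLICY[2] = PolicyRule("public-docs", "permit",
                       lambda s, r, a, e: r.get("classification") == "public" and a == "read")


def decide(subject: Dict, resource: Dict, action: str, env: Dict,
           policy: List[PolicyRule] = POLICY) -> str:
    """Policy decision point with deny-overrides combining."""
    matched = [rule for rule in policy if rule.condition(subject, resource, action, env)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny"
    if any(rule.effect == "permit" for rule in matched):
        return "permit"
    return "deny"  # nothing applicable: closed by default


def env(hour: int, src_ip: str, minute: int = 0) -> Dict:
    """Build an environment attribute set on a fixed constructed date."""
    return {"time": datetime(2024, 3, 12, hour, minute), "src_ip": src_ip}


if __name__ == "__main__":
    hr_user = {"department": "HR", "status": "active"}
    payroll = {"type": "payroll", "classification": "confidential"}
    print(decide(hr_user, payroll, "read", env(10, "10.5.6.7")))        # permit
    print(decide(hr_user, payroll, "read", env(20, "10.5.6.7")))        # deny: after hours
    print(decide(hr_user, payroll, "read", env(10, "198.51.100.7")))    # deny: off-network
```

The same request can flip from permit to deny purely because an environment attribute changed (the clock or the source address), which is what distinguishes ABAC and time-of-day restrictions from a static role check.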

7. Principle of Least Privilege

Definition:
Users are given only the minimum access needed to perform their job — nothing more.

Key Points:

  • Reduces potential damage if an account is compromised.
  • Supports security hardening and attack surface reduction.
  • Often implemented with RBAC or ABAC systems.
  • Applies to users, devices, applications, and processes.

Example in IT context:
An IT support technician can reset passwords but cannot access confidential HR data.

Exam Tip:

  • Least Privilege = Minimal necessary access.
  • Important for defense-in-depth strategy and compliance.

🧠 Summary Table

Access Control Type    | Who Controls Access | Based On                                | Common Use
-----------------------|---------------------|-----------------------------------------|------------------------
Mandatory (MAC)        | System/Admin        | Security labels/classifications         | Military, government
Discretionary (DAC)    | Owner               | User identity                           | Windows, Linux
Role-Based (RBAC)      | Admin via roles     | Job function                            | Enterprise networks
Rule-Based             | System rules        | Conditions (like firewall rules)        | Network devices
Attribute-Based (ABAC) | Policies            | Attributes of user/resource/environment | Cloud & dynamic systems
Time-of-Day            | Admin policy        | Time restrictions                       | VPNs, workstations
Least Privilege        | Admin principle     | Minimum access required                 | All environments

🏁 Key Exam Pointers

  • MAC → Enforced by system, uses labels (most restrictive).
  • DAC → Owner decides, uses ACLs (least restrictive).
  • RBAC → Role determines permissions (common in enterprises).
  • Rule-Based → Based on predefined conditions (used in network controls).
  • ABAC → Based on multiple dynamic attributes (used in cloud systems).
  • Time-of-Day → Limits access by schedule.
  • Least Privilege → Always grant minimum required permissions.
