Safeguard
Concepts

What Is Access Control?

Access control decides who can reach a resource and what they can do with it. Learn the common models, how enforcement works, and why least privilege is the guiding rule.

Daniel Osei
Security Analyst
6 min read

Access control is the set of policies and mechanisms that determine which identities — people, services, or devices — may reach a resource, what actions they may perform on it, and that enforce those decisions on every attempt. It is the security discipline standing between an authenticated identity and the data or capability it is reaching for, granting or denying each request against a defined policy.

Every system with more than one user relies on it, whether the resource is a database row, an object store bucket, a Kubernetes namespace, or a physical door. When access control is done well, it is invisible: people reach exactly what their job requires and nothing more. When it is done poorly, it becomes one of the most damaging categories of security failure — a single missing check can expose every customer record in a system that was otherwise well built.

Why Access Control Matters

Broken access control has repeatedly topped industry lists of the most common web application weaknesses, and for good reason: the flaws are easy to introduce and hard to spot. A developer wires up a feature, tests it as an admin, and never notices that a regular user can reach the same endpoint by editing an identifier in a URL. Nothing crashes, no error appears, and the gap can sit in production for years.

The consequences scale with the value of what sits behind the control. Weak access control drives data breaches, regulatory penalties, and insider-fraud incidents across every industry. It is also central to compliance: frameworks such as SOC 2, ISO 27001, and PCI DSS all require documented, enforced, and periodically reviewed access controls. In short, it is both a technical safeguard and an audit obligation.

How Access Control Works

Access control is often described as a loop sometimes called AAA: authentication (confirming who the identity is), authorization (deciding what that identity may do), and accounting (recording what actually happened). Authentication comes first, authorization builds on its result, and accounting produces the audit trail.

The authorization step is where the real design choices live, and several models exist:

  • Discretionary access control (DAC): the owner of a resource decides who can use it, as with file permissions you set on your own documents.
  • Mandatory access control (MAC): a central policy, not the owner, dictates access based on classification labels, common in government and high-assurance systems.
  • Role-based access control (RBAC): permissions attach to roles, and users inherit them by holding a role. This is the workhorse model for most business applications.
  • Attribute-based access control (ABAC): decisions depend on attributes of the user, the resource, and the context such as time, location, or device posture, allowing fine-grained, dynamic rules.

Cutting across all of them is the principle of least privilege: grant the minimum access needed to do the job, and nothing more. Access should also be enforced at every layer — network, application, and data — rather than trusted once at the perimeter, an approach modern zero-trust architectures make explicit.

Key Points at a Glance

AspectWhat to know
Core question"Who can do what to which resource, and when?"
Building blocksAuthentication, authorization, accounting
Common modelsDAC, MAC, RBAC, ABAC
Guiding principleLeast privilege: grant the minimum needed
Most common failureMissing object-level checks (broken access control)
Where to enforceEvery layer: network, application, data
Compliance linkRequired by SOC 2, ISO 27001, PCI DSS

How to Apply It

Start by inventorying your resources and the actions each supports, then map which roles or attributes should be allowed to perform them. Prefer a small number of well-defined roles over ad hoc per-user permissions, which quickly become unmanageable. Enforce authorization on the server for every sensitive request — never rely on hiding a button in the interface, since attackers call the API directly. Log access decisions so you can answer "who reached this and when" after the fact, and review permissions on a schedule, revoking access when people change roles or leave. Finally, test for the failure mode that matters most: can one user reach another user's data by manipulating an identifier? That single question catches a large share of real-world access-control bugs.

Safeguard fits naturally here. When you are hardening the access model of a running application, Safeguard's DAST product probes live endpoints for broken authorization — the missing object-level checks that static review tends to miss — while Griffin AI surfaces the misconfigured permissions and overly broad roles hiding in your infrastructure code before they ship.

Frequently Asked Questions

Is access control the same as authorization?

Not quite. Authorization is one step inside access control: the decision about what an identity may do. Access control is the broader discipline that also covers authentication (who the identity is) and accounting (recording what happened), plus the mechanisms that actually enforce the decision.

What is the difference between RBAC and ABAC?

RBAC grants permissions through roles: you get a role, and the role carries a fixed set of permissions. ABAC decides dynamically using attributes of the user, the resource, and the context, so it can express rules like "managers may approve expenses under a threshold during business hours." RBAC is simpler to reason about; ABAC is more expressive and flexible.

Why is broken access control so common?

Because the flaws are silent. A missing check does not throw an error or crash anything; the feature works perfectly for the intended user and only fails when someone probes for what they should not reach. It is easy to test the happy path and never exercise the abuse case, so the gap survives into production.

How does least privilege reduce risk?

Least privilege shrinks the blast radius of any single compromise. If an account or service holds only the access it truly needs, an attacker who takes it over gains far less, and an accidental mistake damages far less. It turns "one breach exposes everything" into "one breach exposes a narrow slice."

New to the topic and want to build from the ground up? Explore related terms in our concepts library, and work through access control from first principles in the Safeguard Academy.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.