What is access control?

Access control is a security authorization technique that determines what specific resources a user or system can view or engage with in an IT infrastructure.

It's an essential component of cybersecurity with the basic goal of protecting sensitive information against unauthorized access. Access control is established by verifying the legitimacy of a user's or system's credentials, then granting that identity an appropriate level of access based on its role or degree of clearance. Supporting mechanisms, including real-time monitoring, compliance checks, and periodic review, ensure that access control systems improve organizational security and reduce threats.

There are 6 common types of access control models. Here’s how each manages user permissions:

Role-based Access Control (RBAC)

This model grants or denies access to users based on their assigned roles and responsibilities. The roles determine which resources users can access, and system administrators manage access rights through those role assignments rather than per user. RBAC supports role hierarchies, in which higher-level roles inherit the access permissions of lower-level roles, which simplifies management. For example, a user in a "Staff" role may have limited permissions such as read-only or file-sharing access, whereas a "Manager" has all the permissions of a "Staff" user plus additional access rights. RBAC follows the principle of least privilege (PoLP), a foundation of Zero Trust security.
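The role hierarchy described above can be seen in a small evaluator. This is an added example written for this page, not code from the article or from any Red Hat product; the roles, permissions and users are constructed sample data, and the "Manager inherits from Staff" relationship mirrors the example in the text.

```python
# Added example (not from the original article): a minimal RBAC evaluator
# with role inheritance. Roles, permissions and users are constructed data.
from collections import deque

# Permissions held directly by each role, as (resource, action) pairs.
ROLE_PERMISSIONS = {
    "staff": {("documents", "read"), ("documents", "share")},
    "manager": {("documents", "write"), ("reports", "read")},
    "director": {("reports", "approve")},
}

# Role hierarchy: each role inherits every permission of the roles it lists.
# "manager" is a "staff" plus extra rights; "director" builds on "manager".
ROLE_INHERITS = {
    "manager": ["staff"],
    "director": ["manager"],
}

# Role assignments; administrators change access by editing these, not by
# editing per-user permissions.
USER_ROLES = {
    "alice": {"staff"},
    "bob": {"manager"},
    "carol": {"director"},
}


def effective_roles(role: str) -> set[str]:
    """Return the role plus every role it inherits from, transitively.
    A breadth-first walk with a visited set keeps a misconfigured (cyclic)
    hierarchy from looping forever."""
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for parent in ROLE_INHERITS.get(current, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def effective_permissions(user: str) -> set[tuple[str, str]]:
    """Union of the permissions of every role the user holds, inherited ones included."""
    perms: set[tuple[str, str]] = set()
    for role in USER_ROLES.get(user, set()):
        for inherited in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(inherited, set())
    return perms


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Default deny: an unknown user, an unassigned role or a missing
    permission all evaluate to False."""
    return (resource, action) in effective_permissions(user)


if __name__ == "__main__":
    for user, resource, action in [
        ("alice", "documents", "read"),
        ("alice", "documents", "write"),
        ("bob", "documents", "read"),      # inherited from staff
        ("carol", "reports", "approve"),
        ("mallory", "documents", "read"),  # unknown user: denied
    ]:
        verdict = "allow" if is_allowed(user, resource, action) else "deny"
        print(f"{user} {action} {resource} -> {verdict}")
```

Because every lookup falls through to an empty set, anything not explicitly granted is denied, which is the least-privilege default the text refers to.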

Rule-based Access Control (RuBAC)

In this model, access is granted or denied based on a set of predetermined rules that involve individual user criteria or conditions. Implementation involves identifying user-specific needs, creating identity and access management (IAM) policies that define the rules for those needs, and applying conditions to enhance security. Rules are typically based on conditions such as time of access, IP address, and multi-factor authentication. For example, access may be granted only during business hours, only when the user is securely connected to a Virtual Private Network (VPN), or only for on-premises applications.

Mandatory Access Control (MAC)

This security technique enforces access restrictions based on fixed, mandatory policies and rules set by system administrators; permissions can't be modified by users. Preventing user modifications ensures that sensitive information is protected according to non-negotiable security protocols. In this system, each user is assigned a predetermined security level, and each resource is classified by its level of sensitivity. Access is granted or denied depending on whether the user's security level matches or surpasses the resource's classification level.

MAC should not be mistaken for a combination of role-based and rule-based access control. Though enforcing mandatory rules is its core function, MAC does not allow users to control access permissions—no matter their security level—and security levels are not determined by user roles. MAC can, however, be combined with RBAC concepts in certain data security systems.
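The level comparison and the "users cannot change the policy" property can both be shown in code. This is an added example, not code from the article or from any product; the sensitivity levels, clearances, labels and the administrator account name are all constructed assumptions.

```python
# Added example (not from the original article): label-based mandatory access
# control. Levels, clearances, labels and the admin principal are constructed.
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels; a higher value dominates a lower one."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Clearance assigned to each user by the administrator (constructed).
USER_CLEARANCE = {
    "dave": Level.INTERNAL,
    "erin": Level.SECRET,
}

# Classification label assigned to each resource (constructed).
RESOURCE_LABEL = {
    "newsletter.txt": Level.PUBLIC,
    "payroll.xlsx": Level.CONFIDENTIAL,
    "merger-plan.docx": Level.SECRET,
}

# Only these principals may change labels or clearances. Ordinary users,
# whatever their clearance, cannot (constructed account name).
ADMINISTRATORS = {"secadmin"}


def can_access(user: str, resource: str) -> bool:
    """Grant access only when the user's clearance is at least the resource's
    classification. Unknown users or unlabelled resources are denied."""
    clearance = USER_CLEARANCE.get(user)
    label = RESOURCE_LABEL.get(resource)
    if clearance is None or label is None:
        return False
    return clearance >= label


def relabel(actor: str, resource: str, new_label: Level) -> bool:
    """Change a resource's classification. Returns False (and changes nothing)
    unless the actor is an administrator: in MAC, users never set policy."""
    if actor not in ADMINISTRATORS:
        return False
    RESOURCE_LABEL[resource] = new_label
    return True


def set_clearance(actor: str, user: str, level: Level) -> bool:
    """Same rule for clearances: administrators only."""
    if actor not in ADMINISTRATORS:
        return False
    USER_CLEARANCE[user] = level
    return True


if __name__ == "__main__":
    print("dave reads payroll:", can_access("dave", "payroll.xlsx"))
    # erin holds SECRET clearance but still cannot downgrade a label.
    print("erin relabels payroll:", relabel("erin", "payroll.xlsx", Level.PUBLIC))
    print("secadmin relabels payroll:", relabel("secadmin", "payroll.xlsx", Level.INTERNAL))
    print("dave reads payroll now:", can_access("dave", "payroll.xlsx"))
```

Note that `erin`, despite holding the highest clearance, is refused when she tries to relabel a resource; that refusal, not the level comparison, is what distinguishes MAC from the discretionary model described further down.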

Discretionary Access Control (DAC)

This flexible resource security model assigns or revokes user access at the resource owner's discretion. When a user creates or uploads files to their personal cloud storage, the user can specify permissions for each file, determining whether it is accessible to the public, to specific users, or only to the owner. This type of access control is common in file systems, and the resource owner can update permissions or remove user access at any time.

Attribute-based Access Control (ABAC)

ABAC is based on user, resource, and environment attributes and evaluates these characteristics together. For example, when a user provides credentials to log into a cloud service, the system retrieves the user's attributes—such as their roles or permissions—from their profile. It then identifies resource attributes such as file type, ownership, and sensitivity, along with contextual attributes such as time of access, user location, and whether the user is requesting access from a secure network. The system then evaluates whether the combined attributes satisfy the security policies and decides to grant or deny access.
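The evaluation described here, and the time-of-access, VPN and multi-factor conditions from the rule-based section above, can be expressed as one policy evaluated over subject, resource and environment attributes. This is an added example written for this page, not code from the article or from any product; the attribute names, the VPN address range, the business-hours window and the sample requests are constructed assumptions.

```python
# Added example (not from the original article): an attribute-based policy
# evaluator whose rules are the kinds of conditions rule-based access control
# uses (time of access, source network, MFA). All names and data are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict      # user attributes, e.g. department, mfa
    resource: dict     # resource attributes, e.g. owner, sensitivity
    action: str        # e.g. "read", "write"
    environment: dict  # contextual attributes: time (datetime), source_ip (str)


# Corporate VPN address range (constructed).
VPN_NETWORK = ip_network("10.8.0.0/16")


def business_hours(req: Request) -> bool:
    """Monday to Friday, 09:00 to 17:59 in the environment's time zone."""
    t: datetime = req.environment["time"]
    return t.weekday() < 5 and 9 <= t.hour < 18


def on_vpn(req: Request) -> bool:
    return ip_address(req.environment["source_ip"]) in VPN_NETWORK


def confidential(req: Request) -> bool:
    return req.resource.get("sensitivity") == "confidential"


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    matches: Callable[[Request], bool]


# Policy: a matching deny wins over any permit (deny-overrides); if nothing
# matches, the default answer is deny.
POLICY = [
    Rule("confidential-requires-mfa", "deny",
         lambda r: confidential(r) and not r.subject.get("mfa", False)),
    Rule("confidential-requires-vpn", "deny",
         lambda r: confidential(r) and not on_vpn(r)),
    Rule("department-owns-resource", "permit",
         lambda r: r.subject.get("department") == r.resource.get("owner")
         and r.action in ("read", "write") and business_hours(r)),
    Rule("public-read", "permit",
         lambda r: r.resource.get("sensitivity") == "public" and r.action == "read"),
]


def decide(req: Request, policy=POLICY) -> tuple[str, str]:
    """Return (decision, reason). Every rule is evaluated so that a matching
    deny is found even when an earlier permit also matched."""
    permit_reason = None
    for rule in policy:
        if rule.matches(req):
            if rule.effect == "deny":
                return "deny", rule.name
            if permit_reason is None:
                permit_reason = rule.name
    if permit_reason is not None:
        return "permit", permit_reason
    return "deny", "no-matching-rule"


# Constructed sample resources, times and requests.
PAYROLL = {"type": "spreadsheet", "owner": "finance", "sensitivity": "confidential"}
NEWSLETTER = {"type": "document", "owner": "comms", "sensitivity": "public"}
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
SATURDAY_2AM = datetime(2024, 3, 9, 2, 0, tzinfo=timezone.utc)


def sample_requests() -> dict[str, Request]:
    alice = {"id": "alice", "department": "finance", "mfa": True}
    alice_no_mfa = {"id": "alice", "department": "finance", "mfa": False}
    vpn, outside = "10.8.1.5", "203.0.113.9"
    return {
        "in_hours_on_vpn": Request(alice, PAYROLL, "read", {"time": TUESDAY_10AM, "source_ip": vpn}),
        "weekend": Request(alice, PAYROLL, "read", {"time": SATURDAY_2AM, "source_ip": vpn}),
        "no_mfa": Request(alice_no_mfa, PAYROLL, "read", {"time": TUESDAY_10AM, "source_ip": vpn}),
        "off_vpn": Request(alice, PAYROLL, "read", {"time": TUESDAY_10AM, "source_ip": outside}),
        "public_from_anywhere": Request(alice, NEWSLETTER, "read", {"time": SATURDAY_2AM, "source_ip": outside}),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(f"{label}: {decide(req)}")
```

The deny-overrides ordering matters: the same finance user who is permitted in the first request is refused in the third as soon as the MFA attribute is false, even though the department rule would still match.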

Access Control Lists (ACL)

An ACL is a list that defines user or system permissions and the actions they're allowed to perform once a resource is accessed. This list is typically created and managed by system administrators, but some automated systems can generate ACLs based on predetermined rules or policies.
Whether you need one or several access control models, they are an essential component of your IT infrastructure. Evaluate your security and compliance needs to decide which access control model is most appropriate for your organization.

An access control list (ACL) is a set of rules that specifies which users or entities can or cannot access a particular file or resource in a computer environment. More specifically, ACLs act as filters associated with system resources. For example, when a user attempts to access a resource, the system checks the ACL linked to that resource and compares the user's identity with the entries listed in the ACL. If the system finds a matching entry, the user is granted access with the specified permissions. If no match exists, access is denied. Like firewalls, ACLs are rule-based and evaluate access requests against predefined criteria. However, while ACLs specify user permissions, firewalls establish the rules for approving or denying network traffic.

There are two types of ACLs:

Filesystem ACLs: This type governs files and directories within a filesystem and filters access to them. Based on predefined rules, a filesystem ACL tells the operating system which users can gain access and the privileges they have once inside.

Networking ACLs: This type filters traffic on network devices such as routers, switches, and firewalls, and manages security by specifying which traffic can enter the network and the activities allowed once inside.

This fundamental security feature can be placed on any security or routing device to simplify how users or systems are identified and to manage how they interact with sensitive information.
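The two ACL types differ in how entries are matched, and that difference is easiest to see side by side. The following is an added example, not code from the article or from any operating system or network vendor: a filesystem-style evaluator that resolves entries by principal in the order the POSIX ACL model uses, and a network-style evaluator that walks ordered rules with first-match-wins and an implicit deny. The principals, file, address ranges and rules are constructed.

```python
# Added example (not from the original article): two small ACL evaluators,
# one with filesystem semantics and one with network-device semantics.
# All principals, files, addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


# --- Filesystem ACL: entries are matched by principal, POSIX-ACL style ---
@dataclass(frozen=True)
class FileEntry:
    kind: str    # "owner", "user", "group" or "other"
    name: str    # principal for "user"/"group"; "" for owner/other
    perms: str   # any subset of "rwx"


# Constructed ACL for a report owned by alice.
REPORT_OWNER = "alice"
REPORT_ACL = [
    FileEntry("owner", "", "rw"),
    FileEntry("user", "bob", "r"),        # named user: read only
    FileEntry("group", "finance", "rw"),
    FileEntry("group", "auditors", "r"),
    FileEntry("other", "", ""),           # everyone else: nothing
]


def file_permitted(acl, owner, user, groups, perm) -> bool:
    """Resolve in the order the POSIX ACL model uses: owner entry, then a named
    user entry, then any matching group entry, then the 'other' entry.
    A named-user entry is decisive even if the user's groups would grant more."""
    if user == owner:
        return any(perm in e.perms for e in acl if e.kind == "owner")
    for e in acl:
        if e.kind == "user" and e.name == user:
            return perm in e.perms
    group_entries = [e for e in acl if e.kind == "group" and e.name in groups]
    if group_entries:
        return any(perm in e.perms for e in group_entries)
    return any(perm in e.perms for e in acl if e.kind == "other")


# --- Network ACL: ordered rules, first match wins, implicit deny at the end ---
@dataclass(frozen=True)
class NetRule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    source: str            # CIDR of the sources this rule covers
    dport: Optional[int]   # destination port, None for any


# Constructed inbound ACL for an edge router.
EDGE_ACL = [
    NetRule("deny", "any", "192.0.2.0/24", None),    # blocked source range
    NetRule("permit", "tcp", "0.0.0.0/0", 443),      # HTTPS from anywhere
    NetRule("permit", "tcp", "10.0.0.0/8", 22),      # SSH from internal only
]


def net_permitted(acl, proto, src_ip, dport) -> bool:
    """Walk the rules top to bottom; the first matching rule decides.
    Traffic matching no rule hits the implicit deny."""
    src = ip_address(src_ip)
    for rule in acl:
        if rule.proto not in ("any", proto):
            continue
        if src not in ip_network(rule.source):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action == "permit"
    return False


if __name__ == "__main__":
    print("bob (finance) write:", file_permitted(REPORT_ACL, REPORT_OWNER, "bob", {"finance"}, "w"))
    print("carol (auditors) read:", file_permitted(REPORT_ACL, REPORT_OWNER, "carol", {"auditors"}, "r"))
    print("tcp/443 from 198.51.100.7:", net_permitted(EDGE_ACL, "tcp", "198.51.100.7", 443))
    print("tcp/22 from 198.51.100.7:", net_permitted(EDGE_ACL, "tcp", "198.51.100.7", 22))
```

Two details are worth checking in any real ACL review: in the filesystem model a named-user entry overrides group membership (bob is in finance yet cannot write), and in the network model rule order is the policy, so the deny for the blocked range must sit above the broad HTTPS permit to have any effect.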

Though both are methods of managing access to resources, ACLs and RBAC operate differently. ACLs control permissions for individual users at a low level, on specific resources, whereas RBAC controls security at the organizational level under the oversight of administrators. While RBAC offers a broader approach to simplifying security management based on user roles, ACLs allow more granular rules to be tailored to individual users on a per-resource basis without affecting user roles.

RBAC is ideal for organizations with well-defined roles. It best serves as a company-wide security system with the help of a monitoring administrator. ACLs work best for detailed control over individual resources and offer the flexibility to manage access easily. Choosing between them depends greatly on your organization's structural and security requirements, such as compliance and regulatory audits. Such audits might include identifying how many users, or how much unauthorized traffic, has system administrator access. Having resource-level access management makes it easier to analyze and review data security and ensure your organization remains compliant.

Without IT automation, organizations are forced to work manually, increasing production time, operational costs, and security vulnerabilities, including unauthorized access. Automation reduces human error by simplifying routine tasks such as user provisioning, system updates, access reviews, and audit generation, at a speed that would otherwise be hard to achieve manually. As companies grow, automation helps manage increasing numbers of users and volumes of data, strengthening security by enabling real-time detection and threat response.

Implementing automated patch management and Security Information and Event Management (SIEM) alongside access control can minimize human error in IT security processes and improve compliance. Patch management solutions can be paired with automation software to fix known vulnerabilities in the systems or applications that enforce access control policies. SIEM automation, on the other hand, detects anomalies by analyzing access patterns in real time and can automatically alert security teams when an event occurs. SIEM also automates audit logging, tracking and storing access activity for compliance purposes.

By supplementing access control with automation, businesses can effectively enforce least-privilege access policies while ensuring that access aligns with organizational needs.
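The anomaly detection the SIEM paragraph describes amounts to reading access-control decisions from logs and applying rules to them. The following is an added example written for this page, not code from the article or from any SIEM product; the log format, the two detection rules, the thresholds, the set of sensitive resources and the sample log lines are all constructed.

```python
# Added example (not from the original article): a small SIEM-style detector
# that reads access-control decisions from log lines and raises alerts on two
# patterns. The log format, thresholds and sample lines are all constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Resources whose access outside business hours should be reviewed (constructed).
SENSITIVE = {"payroll.xlsx", "merger-plan.docx"}
DENY_THRESHOLD = 3                   # this many denials for one user ...
DENY_WINDOW = timedelta(minutes=5)   # ... within this window raises an alert

# Constructed sample log lines: <ISO-8601 UTC time> key=value key=value ...
SAMPLE_LOG = """\
2024-03-05T10:02:11Z user=alice resource=payroll.xlsx action=read result=allow src=10.8.1.5
2024-03-05T10:03:40Z user=mallory resource=payroll.xlsx action=read result=deny src=203.0.113.9
2024-03-05T10:04:02Z user=mallory resource=merger-plan.docx action=read result=deny src=203.0.113.9
2024-03-09T02:17:44Z user=bob resource=payroll.xlsx action=read result=allow src=10.8.2.7
2024-03-05T10:05:15Z user=mallory resource=payroll.xlsx action=write result=deny src=203.0.113.9
2024-03-05T11:00:00Z user=alice resource=newsletter.txt action=read result=deny src=10.8.1.5
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware 'time' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def off_hours(t: datetime) -> bool:
    """Weekend, or outside 09:00 to 17:59."""
    return t.weekday() >= 5 or not 9 <= t.hour < 18


def detect(log_text: str) -> list[dict]:
    """Return alerts in time order.
    DENY_BURST: DENY_THRESHOLD denials for one user within DENY_WINDOW.
    OFF_HOURS_SENSITIVE: a successful access to a sensitive resource outside business hours."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["time"])
    recent_denials = defaultdict(deque)   # user -> timestamps of recent denials
    alerts = []
    for ev in events:
        if ev["result"] == "deny":
            window = recent_denials[ev["user"]]
            window.append(ev["time"])
            while window and ev["time"] - window[0] > DENY_WINDOW:
                window.popleft()
            if len(window) >= DENY_THRESHOLD:
                alerts.append({"rule": "DENY_BURST", "user": ev["user"],
                               "at": ev["time"].isoformat(), "count": len(window)})
                window.clear()   # do not re-alert on the same burst
        elif ev["result"] == "allow" and ev["resource"] in SENSITIVE and off_hours(ev["time"]):
            alerts.append({"rule": "OFF_HOURS_SENSITIVE", "user": ev["user"],
                           "resource": ev["resource"], "src": ev["src"],
                           "at": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Sorting by timestamp before evaluating matters because log lines from several enforcement points rarely arrive in order; the repeated-denial window is only meaningful on ordered events. A single denial, like alice's, is normal and produces nothing, which keeps the alert volume reviewable.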

Red Hat® Ansible® Automation Platform helps you automate manual tasks and speed up time-to-value while facilitating automation at the scale, complexity, and flexibility required of the modern enterprise. As the control plane of Ansible Automation Platform, automation controller allows administrators to define, operate, and delegate automation across teams. It provides granular, built-in RBAC capabilities and integrates with enterprise authentication systems to ensure that automation meets security and compliance standards. Security operations teams can also use Ansible Automation Platform to manage other enterprise applications, like SOAR solutions.

If you’re looking to bring improved security, compliance, and operational efficiency to IAM in container orchestration, Red Hat OpenShift® can help you manage user access to pods, nodes, and entire clusters. An enterprise-ready hybrid cloud application platform, Red Hat OpenShift allows you to manage, deploy, and scale containerized applications while taking advantage of powerful Kubernetes components—including security features like Kubernetes RBAC.
