The IT Law Wiki


Access control (sometimes abbreviated as AC):

  • is "[t]he process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances)."[7]
  • is "[t]he mechanisms for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based."[9]


A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss.

There are two types of access control: physical access control and logical access control.

Specific access controls include system boundary protections, identification and authentication of users, authorization restrictions, cryptography, protection of sensitive system resources, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.

Forms of access controls

Controlling access can be based on any or a combination of the following:

  • User identity
  • Role memberships
  • Group membership
  • Other information known to the system.

By controlling who can use an application, database record, or file, an organization can help to protect that data. It is particularly important to control who is allowed to enable or disable the security features or to change user privileges.

Users need to ensure that secure applications sufficiently manage access to data that they maintain. Access control includes any or all of the following: knowing who is attempting access, mediating access according to some processing rules, and managing where or how data is sent.

  • Identity-based Access Control. A security policy based on comparing the identity of the subject (user, group of users, role, process, or device) requesting access and the authorizations for this identity associated with the object (system resource) being accessed.
  • Information Flow Control. Information flow policies dictate whether information with a particular characteristic can move from one controlled entity (container or subject) to another. Information flow control is based on some fundamental characteristic of the information (not the container), and might not involve an identifiable subject.
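
The two policy types above can be contrasted in a short added example (not part of the original article). All names, the three-level label ordering, and the sample subjects and resources are assumptions constructed for illustration: the identity-based check compares the subject's identities with the object's authorizations, while the flow check looks only at the labels on the information.

```python
# Added illustration: names, labels and sample data are constructed assumptions.
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "restricted": 2}  # assumed label ordering

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

@dataclass
class Resource:
    name: str
    label: str   # characteristic of the information, not of any subject
    acl: dict    # principal -> set of permitted actions

def identity_allows(subject, obj, action):
    """Identity-based: match the subject's identities against the object's ACL."""
    principals = {f"user:{subject.user}"}
    principals |= {f"group:{g}" for g in subject.groups}
    principals |= {f"role:{r}" for r in subject.roles}
    # Deny by default: only an explicit ACL entry grants the action.
    return any(action in obj.acl.get(p, ()) for p in principals)

def flow_allows(src_label, dst_label):
    """Information flow: data may move only to an equal or higher label."""
    return LEVELS[dst_label] >= LEVELS[src_label]

def copy_request(subject, src, dst, audit):
    """Mediate a copy: every check must pass, and each decision is recorded."""
    checks = {
        "read_src": identity_allows(subject, src, "read"),
        "write_dst": identity_allows(subject, dst, "write"),
        "flow": flow_allows(src.label, dst.label),
    }
    allowed = all(checks.values())
    audit.append((subject.user, src.name, dst.name, allowed, checks))
    return allowed

# Constructed sample data.
PAYROLL = Resource("payroll", "restricted", {"role:hr": {"read"}})
ARCHIVE = Resource("archive", "restricted", {"role:hr": {"write"}})
WIKI = Resource("wiki", "public", {"group:staff": {"read", "write"}})
ALICE = Subject("alice", frozenset({"staff"}), frozenset({"hr"}))
BOB = Subject("bob", frozenset({"staff"}))
```

Copying `PAYROLL` to `WIKI` as `ALICE` passes both identity checks and is still denied, because the flow rule depends on the labels of the data and not on who is asking.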

