Access controls are security features that control the communication and interaction of users and systems with the other users and systems. Access control is more than simply requiring usernames and passwords when users want to access resources. There is much more to it. There are multiple methods, techniques, technologies and models that can be implemented; there are different ways to administer controls and there are a variety of attacks that are launched against many of these access control mechanisms.


Here are  some basic definitions of terms that are most frequently used in access control:
  • Subject Active entity that requests access to an object or the data within an object. The subject is the actor.
  • Object Passive entity being accessed, or the item being acted upon.
  • Access Ability of a subject to do something, such as read, create, delete or modify. Access is also considered the flow of information between a subject and object.
  • Access control Security features that control how subjects and objects communicate and interact with each other and the flow of information.

Earn Over $100K Average Annual Salary!

Caltech Cybersecurity BootcampExplore Program
Earn Over $100K Average Annual Salary!

Access Control Properties

There are three important features of access control:

  • Identification
  • Authentication
  • Authorization

Identification describes a method of ensuring that a subject (user, program or process) is the entity it claims to be. Some examples of identification mechanisms are username, account number and memory card.
Authentication is the second part of a credential set to verify the identity of the subject. These mechanisms could be passphrases, passwords, cryptographic keys, PIN numbers or tokens.

Authorization is the process of determining what this identified subject can actually access and what operations it can carry out. Authorization is based on some type of predefined criteria, which is enforced through access control lists, security labels, capabilities tables or user profiles.

Identification and Authentication

In IT Security Management, Identification is usually providing a public piece of information (username and account number) and authentication is providing a private piece of information (PIN number, passphrase and digital signature). Three important characteristics of the mechanisms that can be used for authentication are as follows:

  • Subject must prove something s/he knows, for example password
  • Subject must prove something s/he has, for example smart card
  • Subject must prove something s/he is, for example fingerprint

If one mechanism providing one of these characteristics is used, it is referred to as one-factor, if two mechanisms are being used, it is known as two-factor and, yes you guessed it, an authentication process that requires all three is referred to as three-factor. For the authentication process to be considered as strong it must be at least two-factor.

Master the Essential Cybersecurity Skills

Professional Certificate Program In CybersecurityExplore Program
Master the Essential Cybersecurity Skills


Authorization is a process of assigning authenticated subjects access and the right to carry out specific operations, depending upon their preconfigured access rights and permissions outlined in access criteria. An access criterion is developed by the administrator or security officer, to support and carry out the organization’s security policy. Criteria can be based on one or both of the following aspects:

 The security level the subject holds, which directly dictates the objects that are accessible to it.
 The formal access level approved that correlates to what information should and should not be available to a subject.

In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based upon a MAC model greatly reduces the amount of rights, permissions and functionality a user has for security purposes. MAC environments use clearances, classifications and need-to-know to determine if a subject can access an object and what are the operations that can be carried out. Discretionary Access Control (DAC) environments use access control lists (ACLs), which are developed strictly based on the subject’s need-to-know.

It is important to only give the subject access to the objects (resources, devices and information) that are required for it to complete its tasks. This concept is referred to as least privilege. This reduces the possibility of fraud and damaging accidents by limiting access to objects based purely on business needs.
It is best for mechanisms that are making access decisions to default to “no access”. This means that if a subject is not explicitly allowed, it is implicitly denied.

About the Author


Simplilearn is one of the world’s leading providers of online training for Digital Marketing, Cloud Computing, Project Management, Data Science, IT, Software Development, and many other emerging technologies.

View More
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.