AlignTrust

Access Control

The policies and mechanisms that determine who can access which resources, under what conditions, and what actions they can perform.

What Is Access Control?

Access control is the practice of selectively restricting access to places, systems, and information. In cybersecurity, it defines who can access which resources, from where, when, and what they can do with them.

Effective access control is the foundation of almost every security programme — most breaches involve an attacker accessing something they shouldn't have been able to reach.

Access Control Models

Discretionary Access Control (DAC): Resource owners decide who can access their files or systems. Common in file systems. Flexible but hard to manage at scale.

Mandatory Access Control (MAC): Access is determined by security labels and policies set centrally, not by individuals. Used in high-security environments.

Role-Based Access Control (RBAC): Access is assigned based on a user's role in the organisation (e.g., "Finance", "Developer", "Admin"). Most practical model for SMBs.

Attribute-Based Access Control (ABAC): Fine-grained access based on combinations of user attributes, resource attributes, and environmental conditions (time of day, device health, location).
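To make the difference between RBAC and ABAC concrete, here is a small default-deny policy evaluator (an added example, not code from this page or from AlignTrust). The roles, attribute names, policies and requests are all constructed for illustration; the same role check is evaluated once on its own (RBAC) and once combined with resource and environmental conditions (ABAC).

```python
from dataclasses import dataclass

# Constructed example: a minimal default-deny policy evaluator.
# Attribute names, roles and policies below are illustrative only.

@dataclass(frozen=True)
class Request:
    subject: dict   # user attributes, e.g. role, department
    resource: dict  # resource attributes, e.g. type, owning department
    action: str
    env: dict       # environmental conditions: hour, device_compliant, country

@dataclass
class Policy:
    name: str
    actions: frozenset
    conditions: list  # callables Request -> bool; every one must hold

    def permits(self, req: Request) -> bool:
        return req.action in self.actions and all(c(req) for c in self.conditions)

def decide(policies, req):
    """Return (decision, policy_name). No matching policy means 'deny'."""
    for p in policies:
        if p.permits(req):
            return "permit", p.name
    return "deny", None

# RBAC: the decision depends only on the role the user holds.
RBAC = [Policy("finance-invoices", frozenset({"read", "approve"}),
               [lambda r: r.subject.get("role") == "Finance",
                lambda r: r.resource.get("type") == "invoice"])]

# ABAC: same role check, plus resource and environmental conditions for the
# sensitive action. A missing attribute fails its condition, so it denies.
ABAC = [
    Policy("finance-invoices-read", frozenset({"read"}),
           [lambda r: r.subject.get("role") == "Finance",
            lambda r: r.resource.get("type") == "invoice"]),
    Policy("finance-invoices-approve", frozenset({"approve"}),
           [lambda r: r.subject.get("role") == "Finance",
            lambda r: r.resource.get("type") == "invoice",
            lambda r: r.resource.get("owner_dept") == r.subject.get("dept"),
            lambda r: 8 <= r.env.get("hour", -1) < 18,         # time of day
            lambda r: r.env.get("device_compliant") is True,   # device health
            lambda r: r.env.get("country") in {"GB", "IE"}]),  # location
]

def demo():
    user, inv = {"role": "Finance", "dept": "finance"}, {"type": "invoice", "owner_dept": "finance"}
    ok = Request(user, inv, "approve", {"hour": 10, "device_compliant": True, "country": "GB"})
    risky = Request(user, inv, "approve", {"hour": 3, "device_compliant": False, "country": "GB"})
    return {"rbac_ok": decide(RBAC, ok), "rbac_risky": decide(RBAC, risky),
            "abac_ok": decide(ABAC, ok), "abac_risky": decide(ABAC, risky)}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Under RBAC alone the 3 a.m. approval from a non-compliant device is permitted because the role matches; the ABAC policy set denies it while still permitting the same action during business hours from a healthy device.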

Logical vs Physical Access Control

  • Logical access control: Controls access to digital systems — accounts, applications, networks, data
  • Physical access control: Controls access to physical spaces — offices, server rooms, hardware

Both are part of a comprehensive security programme.

Key Access Control Concepts

  • Authentication: Verifying who someone is (passwords, MFA)
  • Authorisation: Determining what an authenticated user is allowed to do
  • Accountability: Logging access so actions can be attributed to specific users
  • Separation of duties: No single person should have enough access to complete a sensitive transaction alone

Access Control for SMBs

Start with these fundamentals:

  1. Implement RBAC in your directory service (Entra ID, Google Workspace, Okta)
  2. Enforce MFA for all user accounts
  3. Apply the principle of least privilege — grant minimum necessary access
  4. Review and remove dormant accounts quarterly
  5. Log all access to sensitive systems