MODULE 2: Access Control Models & Authorization

After a user successfully authenticates into a system, the next critical question becomes:

What is this user allowed to access?

This is where authorization and access control come into play.

Organizations must ensure that users only have access to the systems, applications, and data necessary for their job roles. If users are given too many permissions, it can lead to serious security risks such as data leaks, privilege abuse, or insider threats.

Access control mechanisms help organizations enforce security policies by defining who can access specific resources and what actions they can perform.

In this module, learners will explore how organizations manage permissions, enforce access policies, and implement different access control models in enterprise environments.

Lesson 1: What is Authorization?

Authorization is the process of determining what an authenticated user is allowed to do within a system.

While authentication verifies the user’s identity, authorization defines the user’s permissions and access rights.

Authorization answers questions such as:

• Which files can this user access?
• Can this user modify system configurations?
• Is the user allowed to access sensitive company data?
• Does the user have administrative privileges?

Authorization policies help prevent unauthorized access and ensure that users only interact with resources that are relevant to their responsibilities.

Lesson 2: The Principle of Least Privilege

One of the most important security concepts in access management is the Principle of Least Privilege (PoLP).

This principle states that users should only be granted the minimum level of access necessary to perform their job functions.

For example:

• A finance employee should only access financial systems.
• A developer should only access development environments.
• A system administrator may require broader access to manage infrastructure.

If users are given excessive permissions, attackers who compromise those accounts may gain access to critical systems.

Applying the least privilege principle significantly reduces the impact of potential security breaches.

Lesson 3: Role-Based Access Control (RBAC)

One of the most widely used access control models in organizations is Role-Based Access Control (RBAC).

RBAC assigns permissions based on user roles rather than assigning permissions individually to each user.

Instead of configuring access separately for every employee, administrators create roles such as:

• System Administrator
• Network Engineer
• HR Manager
• Finance Analyst

Each role is assigned specific permissions.

When a user is assigned to a role, they automatically inherit the permissions associated with that role.

RBAC simplifies access management and ensures consistent permission policies across the organization.

Lesson 4: Attribute-Based Access Control (ABAC)

Another modern access control model is Attribute-Based Access Control (ABAC).

ABAC determines access based on attributes related to the user, system, and environment.

These attributes may include:

• User department
• Job title
• Device location
• Time of access
• Security clearance level

For example:

A company may allow access to certain financial systems only if:

• The user works in the finance department
• The login originates from the corporate network
• The access occurs during working hours

ABAC provides more flexible and context-aware access control compared to traditional role-based models.

Lesson 5: Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is an access control model where the owner of a resource determines who can access it.

For example:

A user who owns a file may decide which other users are allowed to read or modify that file.

This model is commonly used in operating systems where file owners manage access permissions.

While DAC provides flexibility, it may introduce security risks if users grant permissions too freely.

Lesson 6: Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a stricter access control model often used in highly secure environments such as government systems and military networks.

In MAC systems:

Access decisions are controlled by the system rather than individual users.

Resources are assigned security classifications, and users are granted access based on their security clearance.

For example:

• Public
• Confidential
• Secret
• Top Secret

Only users with the appropriate clearance level can access resources within each classification level.

MAC systems provide very strong security but are less flexible than other models.

Lesson 7: Access Policies and Permission Management

Organizations enforce access control through security policies.

Access policies define rules that determine how users interact with systems.

Examples of access policies include:

• Restricting access to sensitive data
• Limiting administrative privileges
• Preventing access from untrusted networks
• Enforcing approval processes for privileged access

Access policies ensure that security rules are consistently applied across the organization.

Lesson 8: Managing Permissions in Enterprise Systems

Enterprise IAM systems help administrators manage permissions efficiently.

Typical access management tasks include:

• Creating user roles
• Assigning permissions to roles
• Managing group memberships
• Monitoring user access activity
• Reviewing access permissions regularly

Access management tools provide visibility into who has access to what resources within the organization.

Lesson 9: Risks of Poor Access Control

If access control is not properly implemented, organizations may face serious security risks.

Common risks include:

• Unauthorized access to sensitive data
• Privilege escalation attacks
• Insider threats
• Data breaches caused by excessive permissions
• Attackers abusing compromised accounts

Many major security breaches occur because users were granted more access than necessary.

Strong access control policies help organizations minimize these risks.

Key Concepts Introduced in Module 2

After completing this module, learners will understand:

• The role of authorization in identity security
• The importance of the principle of least privilege
• How Role-Based Access Control (RBAC) works
• How Attribute-Based Access Control (ABAC) operates
• The differences between DAC and MAC access models
• How organizations enforce access policies
• How enterprise systems manage user permissions

This module prepares learners to explore advanced identity security mechanisms such as Multi-Factor Authentication (MFA) and Zero Trust security models, which will be covered in Module 3: Multi-Factor Authentication & Zero Trust Security.