Access control

Common physical security access control with a fingerprint
A sailor checks an identification card (ID) before allowing a vehicle to enter a military installation.

In physical security and information security, access control (AC) is the action of deciding whether a subject should be granted or denied access to an object (for example, a place or a resource). The act of accessing may mean consuming, entering, or using. It is often used interchangeably with authorization, although the authorization may be granted well in advance of the access control decision.[1]

Access control on digital platforms is also termed admission control. The protection of external databases is essential to preserve digital security.[2]

Access control is considered a significant aspect of privacy that warrants further study. An access control policy (also access policy) is part of an organization's security policy. To verify the access control policy, organizations use an access control model.[3] General security policies require designing or selecting appropriate security controls to satisfy an organization's risk appetite; access policies similarly require the organization to design or select access controls.

Broken access control is often listed as the number one risk in web applications.[4] On the basis of the "principle of least privilege", consumers should only be authorized to access whatever they need to do their jobs, and nothing more.[5]
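The following added example (not part of the original article) models the distinction drawn above between an authorization granted in advance and the access control decision made at the moment of access, with least privilege enforced by denying anything not explicitly granted. The class names, subjects, object name and eight-hour lifetime are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Authorization issued in advance (constructed model)."""
    subject: str
    obj: str
    action: str
    expires: datetime

@dataclass
class ReferenceMonitor:
    grants: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def authorize(self, subject, obj, action, now, ttl_hours=8):
        """Authorization: record a narrowly scoped, time-limited grant."""
        grant = Grant(subject, obj, action, now + timedelta(hours=ttl_hours))
        self.grants.add(grant)
        return grant

    def revoke(self, grant):
        self.revoked.add(grant)

    def decide(self, subject, obj, action, now):
        """Access control decision, evaluated at the moment of access."""
        for g in self.grants:
            if (g.subject, g.obj, g.action) != (subject, obj, action):
                continue  # least privilege: only an exact grant counts
            if g in self.revoked or now >= g.expires:
                continue  # an earlier authorization may no longer hold
            return True
        return False  # deny by default

def demo():
    # Constructed subjects, object and timestamps.
    t0 = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)
    later = t0 + timedelta(hours=1)
    rm = ReferenceMonitor()
    g = rm.authorize("alice", "payroll-db", "read", now=t0)
    out = {
        "granted_read": rm.decide("alice", "payroll-db", "read", later),
        "ungranted_write": rm.decide("alice", "payroll-db", "write", later),
        "other_subject": rm.decide("bob", "payroll-db", "read", later),
        "after_expiry": rm.decide("alice", "payroll-db", "read", t0 + timedelta(hours=9)),
    }
    rm.revoke(g)
    out["after_revoke"] = rm.decide("alice", "payroll-db", "read", later)
    return out
```

Only the first decision is allowed; the ungranted action, the other subject, the expired grant and the revoked grant are all denied.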

  1. Wilson, Yvonne; Hingnikar, Abhishek (2023). Solving identity management in modern applications: demystifying OAuth 2, OpenID Connect, and SAML 2 (Second ed.). New York: Apress. p. 143. ISBN 9781484282601.
  2. Bertino, Elisa (2011). "Access Control for Databases: Concepts and Systems". Foundations and Trends in Databases. 8 (1–2): 1–148.
  3. Ouaddah, Aafaf; Mousannif, Hajar; Abou Elkalam, Anas; Ait Ouahman, Abdellah (15 January 2017). "Access control in the Internet of Things: Big challenges and new opportunities". Computer Networks. 112: 237–262. doi:10.1016/j.comnet.2016.11.007. ISSN 1389-1286.
  4. "A01 Broken Access Control - OWASP Top 10:2021". owasp.org. Retrieved 1 May 2025.
  5. "Authorization - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved 1 May 2025.
