Mandatory, Discretionary, Role and Rule Based Access Control
One of the key foundations of a comprehensive IT security strategy involves implementing an appropriate level of access control to all computer systems in an organization or enterprise. This chapter of Security+ Essentials will provide an understanding of four types of access control for which an understanding is required to achieve CompTIA Security+ certification:
- Mandatory Access Control
- Discretionary Access Control
- Rule-Based Access Control
- Role-Based Access Control
An Overview of Access Control
The term Access Control is something of an ambiguous term. To some it could be interpreted as controlling the access to a system from an external source (for example controlling the login process via which users gain access to a server or desktop system). In fact, such access control is actually referred to as Authentication or Idendity Verification and is not what is meant by Access Control in this context (authentication is covered in detail in the Authentication and Identity Verification chapter of this book).
The term Access Control actually refers to the control over access to system resources after a user's account credentials and identity have been authenticated and access to the system granted. For example, a particular user, or group of users, might only be permitted access to certain files after logging into a system, while simultaneously being denied access to all other resources.