Access control refers to the security policies and mechanisms that regulate which users, processes, or systems can access specific resources and what operations they can perform on those resources. It is the enforcement layer that ties authentication (who you are) and authorization (what you can do) together into a coherent security boundary.
How It Works
Access control systems operate on a fundamental principle: every request to access a resource must be evaluated against a defined policy before being granted. These policies define subjects (users or processes), objects (resources or data), and operations (read, write, delete, execute). The access control system evaluates each request against these policies and either permits or denies the action.
Several models govern how access control policies are structured. Mandatory Access Control (MAC) enforces system-wide policies that individual users cannot override, common in military and government systems. Discretionary Access Control (DAC) allows resource owners to set permissions, typical in file systems. Role-Based Access Control (RBAC) assigns permissions to roles rather than individual users, simplifying management in large organizations. The principle of least privilege dictates that subjects should receive only the minimum permissions necessary to perform their intended function.
In web applications, access control must be enforced server-side at every layer, and each layer must deny by default. URL-level controls restrict which endpoints a user can reach. Object-level controls ensure users can only access the records they own (looking a record up by its identifier is not a check; the ownership comparison is). Function-level controls limit which operations a role may invoke. Field-level controls restrict which attributes are visible or modifiable, both on read (leaking a hidden field) and on write (mass-assigning a field such as an owner or role). Hiding a button or link in the client is not a control. A gap at any layer creates an exploitable vulnerability, because an attacker who can reach the endpoint can supply any identifier or parameter they like.
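The following is an added example, not code from the original page: a small in-memory document service that enforces URL-level, object-level, function-level and field-level checks separately, with the object-level gap shown beside its fixed form. The names (User, Document, get_document, the route table) and the sample users and documents are hypothetical, constructed for illustration.

```python
"""Added example (not from the original page): per-layer access control
checks in a hypothetical in-memory document service. All names and the
sample data below are constructed for illustration."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request fails any access-control check."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Document:
    id: int
    owner_id: int
    title: str
    body: str
    internal_notes: str  # attribute that only admins may see or edit


# Constructed sample data: two ordinary users, one admin, one document each.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
DOCS = {
    100: Document(100, 1, "alice-notes", "hello", "flagged for review"),
    200: Document(200, 2, "bob-notes", "world", ""),
}

# URL-level: an allowlist of path -> roles; unknown paths deny by default,
# which is what defeats forced browsing to an unlinked admin path.
ROUTE_ROLES = {"/documents": {"user", "admin"}, "/admin/users": {"admin"}}


def authorize_route(requester: User, path: str) -> bool:
    return requester.role in ROUTE_ROLES.get(path, set())


def get_document_vulnerable(requester: User, doc_id: int) -> dict:
    """Object-level gap: the record is fetched by id with no ownership check,
    so user 1 can read user 2's document (horizontal privilege escalation).
    The requester argument is accepted and then ignored, a common shape."""
    doc = DOCS[doc_id]
    return {"id": doc.id, "title": doc.title, "body": doc.body,
            "internal_notes": doc.internal_notes}


def _load_owned_or_admin(requester: User, doc_id: int) -> Document:
    """Object-level check: the caller must own the record or be an admin.
    A missing id and a foreign id both raise AccessDenied, so a probe cannot
    tell 'does not exist' from 'belongs to someone else'."""
    doc = DOCS.get(doc_id)
    if doc is None or (doc.owner_id != requester.id and requester.role != "admin"):
        raise AccessDenied(f"user {requester.id} may not access document {doc_id}")
    return doc


def serialize(doc: Document, requester: User) -> dict:
    """Field-level read check: internal_notes is emitted only for admins."""
    out = {"id": doc.id, "title": doc.title, "body": doc.body}
    if requester.role == "admin":
        out["internal_notes"] = doc.internal_notes
    return out


def get_document(requester: User, doc_id: int) -> dict:
    return serialize(_load_owned_or_admin(requester, doc_id), requester)


def update_document(requester: User, doc_id: int, changes: dict) -> dict:
    """Field-level write check: every submitted key is validated against the
    writable set for the role before anything is assigned, so a request that
    mixes an allowed field with internal_notes or owner_id changes nothing."""
    doc = _load_owned_or_admin(requester, doc_id)
    writable = {"title", "body"}
    if requester.role == "admin":
        writable.add("internal_notes")
    rejected = set(changes) - writable
    if rejected:
        raise AccessDenied(f"fields {sorted(rejected)} not writable by user {requester.id}")
    for key, value in changes.items():
        setattr(doc, key, value)
    return serialize(doc, requester)


def delete_document(requester: User, doc_id: int) -> bool:
    """Function-level check: delete is an admin-only operation, even for the
    owner; the object-level check still runs so a bad id is handled uniformly."""
    if requester.role != "admin":
        raise AccessDenied("delete requires the admin role")
    _load_owned_or_admin(requester, doc_id)
    del DOCS[doc_id]
    return True


def denied(fn, *args) -> bool:
    """Helper for exercising the checks: True if the call raises AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

Each check lives in one place and the handlers compose them, so a new endpoint cannot reach a document without passing through the ownership check, and the vulnerable handler differs from the fixed one only in that missing comparison. The same structure transfers to a real framework: the route allowlist belongs in middleware, the ownership check in the data-access layer, and the field filter in the serializer.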
Why It Matters
Broken access control has headed the OWASP Top 10 since the 2021 edition (A01:2021) and is consistently among the most common findings in application assessments. It enables horizontal privilege escalation (reading or modifying other users' data by changing an identifier), vertical privilege escalation (reaching admin functions or gaining admin rights), and unauthorized data manipulation. Thorough security assessments test access controls at every layer, using techniques like parameter tampering (swapping identifiers and hidden fields), forced browsing (requesting unlinked or privileged paths directly), and role-switching (replaying one role's requests with another role's session) to uncover enforcement gaps.
Need your application tested? Get in touch.