Access Control
Access control is the collective term for the mechanisms that ensure only the right users can access the right systems and data at the right time. It is a fundamental security measure required by GDPR, ISO 27001, NIS2 and most other security frameworks.
What is access control?
Access control is a collective term for the processes and technologies that govern who can view and use resources in a computing environment. It covers authentication (confirming identity), authorisation (what you are permitted to do) and accountability/auditing (what you have done).
Robust access control is the foundation of information security: even with encrypted data and secure systems, security is compromised if the wrong people have access. It is closely related to multi-factor authentication and zero trust principles.
Access control models
The most widely used access control models are:
- RBAC (Role-Based Access Control): Access is granted based on the user’s role within the organisation. The most common model in practice.
- ABAC (Attribute-Based Access Control): Access is determined by attributes of the user, resource and environment. More flexible than RBAC.
- MAC (Mandatory Access Control): Centrally controlled based on classification levels. Primarily used in military and government contexts.
- DAC (Discretionary Access Control): Resource owners determine access. Flexible, but harder to manage at scale.
Access lifecycle management
Access control is not a one-off assignment but a continuous process:
- Onboarding: Granting access based on job function and the need-to-know principle.
- Changes: Adjusting access when employees change roles or responsibilities.
- Reviews: Periodic access reviews to verify that granted permissions remain necessary.
- Offboarding: Immediate deactivation of all access upon departure.
Access creep: the gradual accumulation of permissions as employees change roles over time without their previous access being revoked. Regular access reviews are essential to counteract it.
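As an added example (not part of the glossary entry), the following Python script implements the review step of the lifecycle above: it compares what each account actually holds against what its current roles justify, flagging access creep and departed accounts that still hold permissions. The role map, users and grants are constructed sample data.

```python
"""Added example: a minimal periodic access review that flags access creep.
Roles, users and grants are constructed sample data, not real identities."""
from dataclasses import dataclass

# Hypothetical RBAC role-to-permission map: what each job function needs.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read", "invoices:read"},
    "finance-manager": {"ledger:read", "ledger:write", "invoices:approve"},
    "it-admin": {"servers:admin", "directory:write"},
}

@dataclass
class User:
    name: str
    roles: set            # current roles; changes as people move jobs
    granted: set          # permissions actually present on the account
    active: bool = True   # False once the employee has left

def review_user(user):
    """Return (excess, missing, offboarding_failure) for one account.

    excess  - permissions no current role justifies (access creep)
    missing - permissions the current roles require but the account lacks
    offboarding_failure - a departed account still holds any permission
    """
    required = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if not user.active:
        return user.granted, set(), bool(user.granted)
    return user.granted - required, required - user.granted, False

def access_review(users):
    """Run the review over all accounts; return only accounts with findings."""
    findings = {}
    for u in users:
        excess, missing, offboard = review_user(u)
        if excess or missing or offboard:
            findings[u.name] = {"excess": sorted(excess), "missing": sorted(missing),
                                "offboarding_failure": offboard}
    return findings

SAMPLE_USERS = [  # constructed scenario
    # Moved from it-admin to finance-analyst; old admin right never revoked.
    User("alice", {"finance-analyst"}, {"ledger:read", "invoices:read", "servers:admin"}),
    # Provisioned exactly as the role requires.
    User("bob", {"finance-manager"}, {"ledger:read", "ledger:write", "invoices:approve"}),
    # Left the company, but the account still holds a permission.
    User("carol", set(), {"directory:write"}, active=False),
]

if __name__ == "__main__":
    for name, finding in access_review(SAMPLE_USERS).items():
        print(name, finding)
```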
Privileged access management
Privileged accounts (administrator access) pose the greatest risk and require special attention. PAM (Privileged Access Management) covers the processes and technologies for managing, monitoring and auditing privileged access, including just-in-time access, session recording and vaulted credentials.
Frequently Asked Questions about Access Control
What is access control?
Access control is the set of mechanisms that ensure only authorised users can access specific systems, data and resources. It encompasses authentication, authorisation and auditing.
What is the difference between authentication and authorisation?
Authentication verifies who you are (e.g. via password or MFA), whilst authorisation determines what you are permitted to do once your identity is confirmed.
What is RBAC?
RBAC (Role-Based Access Control) is an access control model where permissions are assigned based on predefined roles within the organisation rather than to individual users. It is the most widely adopted model in practice.
Why are regular access reviews important?
Access reviews ensure that employees only retain the permissions they actually need. Without regular reviews, access creep occurs — users accumulate unnecessary permissions over time, increasing the risk of data breaches.
What is Privileged Access Management (PAM)?
PAM encompasses the processes and tools for controlling and monitoring accounts with elevated privileges such as administrator accounts. It includes just-in-time access provisioning, session recording and secure credential storage.
.legal A/S