Mandatory, Discretionary, Role and Rule Based Access Control
One of the key foundations of a comprehensive IT security strategy is implementing an appropriate level of access control on all computer systems in an organization or enterprise. This chapter of Security+ Essentials provides an overview of the four types of access control that must be understood to achieve CompTIA Security+ certification:
- Mandatory Access Control
- Discretionary Access Control
- Rule-Based Access Control
- Role-Based Access Control
An Overview of Access Control
The term Access Control is somewhat ambiguous. To some it could be interpreted as controlling access to a system from an external source (for example, controlling the login process through which users gain access to a server). In fact, such access control is referred to as Authentication or Identity Verification (which is covered in the Authentication and Identity Verification chapter of this book).
The term Access Control actually refers to the control over access to system resources after a user's account and identity have been authenticated and access to the system has been granted. For example, a particular user, or group of users, might only be permitted access to certain files after logging into a system while being denied access to all other resources.