Further Reading: Authorization and Access Control

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 18. Treat the NIST publications as references to consult while designing, not cover-to-cover reads.

Suggested order

  1. Read NIST SP 800-162 (ABAC) for the precise vocabulary of PDP/PEP/PIP/PAP and attribute-based policy — it makes §17.2 and §17.5 rigorous and is the source the industry quotes.
  2. Skim the NIST RBAC model material (the formal user→role→permission model) to ground §17.3.
  3. Read the access-control chapter of Anderson's Security Engineering for the "why" behind DAC/MAC, the reference monitor, and where real access control breaks.
  4. Bookmark NIST SP 800-207 (Zero Trust) §3 to see the PDP/PEP split named as the policy engine and policy enforcement point — the bridge to Chapter 32.
  5. For the certification crosswalk, read the IAM chapters of your Security+ and CISSP study guides alongside this chapter's key-takeaways.md.

Standards & primary documents (Tier 1)

  • NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. 🏗️📋📜 The authoritative treatment of ABAC and the policy architecture (PDP, PEP, PIP, PAP) used in §17.5. The clearest primary source for what each component does and how attribute-based policy is authored and evaluated; read it before designing any non-trivial authorization system.
  • NIST — Role-Based Access Control model (and ANSI/INCITS 359, the RBAC standard). 🏗️📜 The formal user→role→permission model, role hierarchies, and constraints (including separation-of-duties constraints) behind §17.3. The standard formalizes exactly the indirection and the SoD constraints this chapter teaches informally. (The freely available NIST RBAC papers — Ferraiolo & Kuhn and successors — are the accessible entry point; the ANSI/INCITS standard is the formal version.)
  • NIST SP 800-53 (control families AC-2, AC-3, AC-5, AC-6). 🏗️📋📜 The control catalog: account management (AC-2), access enforcement (AC-3), separation of duties (AC-5), and least privilege (AC-6). These are the control numbers auditors cite; map this chapter's concepts to them via the key-takeaways.md crosswalk.
  • NIST SP 800-207, Zero Trust Architecture. 🏗️📜 §3's policy engine / policy administrator / policy enforcement point is the PDP/PEP model of §17.5 under zero-trust names. Read it now to see that Chapter 32 is built on the authorization machinery you learned here. (Full treatment is Chapter 32.)
  • CIS Controls v8 — Control 6 (Access Control Management). 🏗️📋 The program-level framing of access control: granting on least privilege, role-based access, and access recertification. The practical checklist that operationalizes this chapter and the next; pair it with the joiner-mover-leaver lifecycle of Chapter 18.
  • PCI-DSS v4.0 (Requirement 7). 📋📜 "Restrict access to system components and cardholder data by business need to know" — least privilege and role-based access as a mandatory control for any organization handling card data (Meridian's CDE). A concrete example of why these are not optional.
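To make the RBAC entry above concrete, here is a small engine in the shape of the NIST/INCITS 359 model. It is an added example written for this reading list, not code from the chapter, from NIST, or from the standard. It keeps the three relations of the model (user to role, role to permission, and the role hierarchy) and enforces one static separation-of-duty (SSD) constraint at assignment time. The check is hierarchy-aware: a user who holds a senior role is treated as holding every junior role beneath it, which is how SSD is defined when a hierarchy is present. The roles, users and permission names are constructed sample data.

```python
"""Added example (not the chapter's or NIST's code): a minimal RBAC engine with
user->role assignment (UA), role->permission assignment (PA), a role hierarchy
(RH) and a static separation-of-duty constraint checked on assignment.
Roles, users and permissions below are constructed sample data."""

from typing import Dict, Iterable, List, Set, Tuple


class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}   # PA: role -> permissions
        self.juniors: Dict[str, Set[str]] = {}      # RH: role -> roles it inherits from
        self.user_roles: Dict[str, Set[str]] = {}   # UA: user -> directly assigned roles
        self.ssd: List[Tuple[frozenset, int]] = []  # (role set, n): no user may hold n of them

    def add_role(self, role: str, perms: Iterable[str] = (), inherits: Iterable[str] = ()) -> None:
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def add_ssd(self, roles: Iterable[str], n: int) -> None:
        self.ssd.append((frozenset(roles), n))

    def authorized_roles(self, roles: Iterable[str]) -> Set[str]:
        """Closure over the hierarchy: the given roles plus every junior beneath them."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user: str, role: str) -> None:
        """UA assignment; refused if the user would then hold a conflicting role set."""
        if role not in self.role_perms:
            raise KeyError(role)
        proposed = self.user_roles.get(user, set()) | {role}
        effective = self.authorized_roles(proposed)   # hierarchy-aware, per the standard
        for conflict, n in self.ssd:
            held = effective & conflict
            if len(held) >= n:
                raise ValueError(f"SSD: {user} would hold {sorted(held)} via {sorted(proposed)}")
        self.user_roles[user] = proposed

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for r in self.authorized_roles(self.user_roles.get(user, ())):
            perms |= self.role_perms.get(r, set())
        return perms

    def check(self, user: str, perm: str) -> bool:
        """The access decision: does any authorized role carry the permission?"""
        return perm in self.permissions(user)


def build_sample() -> Rbac:
    rb = Rbac()
    rb.add_role("employee", {"timesheet:submit"})
    rb.add_role("ap_clerk", {"invoice:create"}, inherits={"employee"})
    rb.add_role("ap_approver", {"invoice:approve"}, inherits={"employee"})
    rb.add_role("ap_manager", {"vendor:edit"}, inherits={"ap_approver"})
    rb.add_ssd({"ap_clerk", "ap_approver"}, 2)   # nobody both creates and approves invoices
    return rb


def try_assign(rb: Rbac, user: str, role: str) -> bool:
    """True if the assignment was accepted, False if the SSD constraint rejected it."""
    try:
        rb.assign(user, role)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rb = build_sample()
    print("alice clerk:", try_assign(rb, "alice", "ap_clerk"), "then approver:", try_assign(rb, "alice", "ap_approver"))
    print("bob manager:", try_assign(rb, "bob", "ap_manager"), "then clerk:", try_assign(rb, "bob", "ap_clerk"))
    print("bob's effective permissions:", sorted(rb.permissions("bob")))
```

The second pair of assignments is the point: bob is never given ap_approver directly, but ap_manager inherits it, so adding ap_clerk would reunite the two duties the constraint separates and is refused. An SSD check that looked only at directly assigned roles would miss this.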

Vendor & cloud documentation (Tier 1)

  • AWS IAM documentation — policies, conditions, and policy evaluation logic. 🏗️ A working, large-scale ABAC system: IAM policies grant access based on principals, actions, resources, and condition keys (source IP, MFA-present, tags). Read the policy evaluation logic page to see a real PDP resolve allow/deny — the §17.2/§17.5 ideas in production. (Azure RBAC and Google Cloud IAM are close analogues.)
  • Microsoft Entra ID — role-based access control and access reviews. 🏗️📋 Entra's built-in roles, custom roles, and access reviews directly implement §17.3 (roles) and §17.4 (recertification) for the M365/Entra side of Meridian's estate; access reviews are a licensed governance feature, so confirm your tenant has it before you plan a recertification process around it. The vendor's own answer to "how do we review who has what?"
  • Open Policy Agent (OPA) / Rego. 🏗️ A widely used, general-purpose policy decision point you can run yourself: applications (PEPs) query OPA for an allow/deny decision evaluated against Rego policy. The cleanest hands-on way to feel the PDP/PEP separation of §17.5 in code.

Books (Tier 1)

  • Anderson, R., Security Engineering (3rd ed.). 🏗️📋 The access-control chapter is the deepest accessible treatment of DAC vs. MAC, the reference monitor, the access-control matrix, capabilities vs. ACLs, and the real-world ways access control fails. The "why" beneath this whole chapter; dip into the access-control and (for SoD) the banking/bookkeeping chapters.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Covers authentication vs. authorization, the four models, least privilege, and separation of duties at exam depth — the companion for the Security+ side of this chapter's certification crosswalk.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 The Identity and Access Management domain covers DAC/MAC/RBAC/ABAC, the access-control matrix, the reference monitor, and SoD for the management track — essential for CISSP candidates and a solid reference for GRC.
  • Hu, V., et al. (NIST), Attribute-Based Access Control (book-length treatment). 🏗️ For engineers who will build ABAC: a fuller development of the model, policy languages, and architecture than the SP 800-162 guide. Read after the guide if ABAC is your design target.

Free online & talks (Tier 1 / Tier 2)

  • OWASP — Authorization cheat sheets and the "Broken Access Control" Top 10 entry. 🏗️🛡️ Broken access control is A01, the #1 web-app risk, in the 2021 OWASP Top 10; the cheat sheets give concrete patterns for enforcing authorization in applications (deny by default, enforce server-side, the confused-deputy problem of Exercise 30). The application-developer's view of §17.5. (Tier 1.)
  • "The Confused Deputy" (Norm Hardy's classic paper) and capability-security writing. 🏗️ The original, short articulation of why a service acting on a caller's behalf must check the caller's authority, not just its own — the bug at the heart of many authorization failures. (Tier 2: a foundational idea; several accessible retellings exist — read a reputable one.)
  • Public retrospectives on SaaS support-account / over-privileged-access breaches. 🛡️📋 Several well-reported breaches share the shape of this chapter's Case Study 2 — a broadly-privileged internal or support role weaponized by one credential theft. Read any well-sourced account for the recurring lesson: scope and time-box internal access. (Tier 2: specifics vary by incident and reporting; read reputable sources and treat figures cautiously.)

Tools to explore (in your own lab only)

  • Open Policy Agent (OPA) in a lab. 🏗️ Write a small Rego policy and query it from a toy app: make the app a PEP that defers to OPA as the PDP, then change the policy once and watch every enforcement point pick it up. The §17.5 lesson becomes visceral. (Apply only to systems you own — 🔗 Ch.39.)
  • Your cloud account's access analyzer / IAM policy simulator. 🏗️📋 AWS IAM Access Analyzer (or the Azure/GCP equivalents) will surface over-broad and externally-reachable grants in an account you control — the real-world version of this chapter's "read across the row" review. Note how much standing access exists that no one remembers granting.
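Before you set up the OPA lab above, it helps to see the same separation in plain code. The following is an added example written for this reading list, not code from the chapter, from AWS, or from the OPA project: a toy ABAC system split into the four SP 800-162 components (PAP, PIP, PDP, PEP), whose PDP evaluates IAM-shaped statements with the ordering AWS documents for a single account (an explicit Deny beats any Allow; with no matching statement the default is deny). It is a model, not a reimplementation: the condition operators are a simplified subset (an assumption), and an absent condition key is handled fail-closed by this example's own rule (it never satisfies a positive operator and always satisfies a negated one). The principal, sessions, policy and bucket name are constructed sample data.

```python
"""Added example (not the chapter's, AWS's or OPA's code): a toy attribute-based
authorization system split into PAP, PIP, PDP and PEP. The PDP applies
deny-overrides with default deny, as AWS documents for one account.
Operator semantics are simplified and missing keys fail closed (assumptions).
Principals, sessions, policies and the bucket name are constructed sample data."""

from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str


def _as_list(v):
    return v if isinstance(v, list) else [v]


# PIP: policy information point; supplies the attributes policies refer to.
# Constructed sessions stand in for what a real PIP fetches from the auth
# layer (MFA state) and the network layer (source address).
SESSIONS: Dict[str, Dict[str, Any]] = {
    "alice-mfa-corp": {"aws:MultiFactorAuthPresent": True, "aws:SourceIp": "10.20.1.5"},
    "alice-nomfa-corp": {"aws:MultiFactorAuthPresent": False, "aws:SourceIp": "10.20.1.5"},
    "alice-mfa-remote": {"aws:MultiFactorAuthPresent": True, "aws:SourceIp": "203.0.113.9"},
}

# PAP: policy administration point; the one place policy is authored.
PAP: Dict[str, List[dict]] = {
    "alice": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::cde-reports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::cde-reports/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.20.0.0/16"]}}},
    ]}],
}


def _condition_holds(op: str, key: str, wanted, ctx: Dict[str, Any]) -> bool:
    """One condition; the values listed under a key are OR-ed, as in IAM."""
    have = ctx.get(key)
    if op == "Bool":
        return have is not None and str(have).lower() == str(wanted).lower()
    if op in ("IpAddress", "NotIpAddress"):
        if have is None:
            return op == "NotIpAddress"          # fail closed: unknown source -> Deny fires
        hit = any(ip_address(have) in ip_network(c) for c in _as_list(wanted))
        return hit if op == "IpAddress" else not hit
    raise ValueError(f"unsupported condition operator {op}")


def _statement_matches(st: dict, req: Request, ctx: Dict[str, Any]) -> bool:
    if not any(fnmatchcase(req.action, a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatchcase(req.resource, r) for r in _as_list(st["Resource"])):
        return False
    # Every operator, and every key under it, must hold (AND).
    return all(_condition_holds(op, key, wanted, ctx)
               for op, keys in st.get("Condition", {}).items()
               for key, wanted in keys.items())


# PDP: policy decision point; the only code that reads policy.
def decide(req: Request, ctx: Dict[str, Any]) -> str:
    """Returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"                     # default deny when nothing matches
    for policy in PAP.get(req.principal, []):
        for st in policy["Statement"]:
            if _statement_matches(st, req, ctx):
                if st["Effect"] == "Deny":
                    return "ExplicitDeny"        # a single Deny overrides every Allow
                verdict = "Allow"
    return verdict


# PEP: policy enforcement point; application code that asks before acting.
def get_object(session_id: str, principal: str, key: str) -> str:
    req = Request(principal, "s3:GetObject", f"arn:aws:s3:::cde-reports/{key}")
    verdict = decide(req, SESSIONS[session_id])  # defer; never re-derive policy here
    if verdict != "Allow":
        raise PermissionError(f"{verdict}: {req.action} on {req.resource}")
    return f"<contents of {key}>"


def verdict_for(session_id: str, action: str = "s3:GetObject", key: str = "q3.csv") -> str:
    return decide(Request("alice", action, f"arn:aws:s3:::cde-reports/{key}"), SESSIONS[session_id])


if __name__ == "__main__":
    for sid in SESSIONS:
        print(sid, verdict_for(sid))
    print("PutObject, MFA, corp:", verdict_for("alice-mfa-corp", "s3:PutObject"))
```

Two things to watch as you run it. First, the statement order in PAP does not matter: the remote session matches the Allow before the Deny, and the Deny still wins. Second, edit the policy in PAP once (say, widen the corporate range) and every PEP that calls decide() changes behaviour with no code change, which is the §17.5 lesson the OPA lab makes tangible at scale.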

⚖️ Authorization & Ethics reminder: Several resources here describe how access control fails (the confused deputy, broken access control, over-privileged-account breaches) so you can build systems that don't. Apply any policy tool or access analyzer only to systems you own or are explicitly authorized to administer (Chapter 39). Reading your own access matrix is defense; enumerating someone else's entitlements is not yours to do.