Key Takeaways: Authorization and Access Control
A one-page reference. Reread before an exam or before moving on. Dense by design.
Core vocabulary (memorize cold)
| Term | One-line definition |
|---|---|
| Authorization | Determining what an already-authenticated identity may do, to which resources, under what conditions |
| Access control model | The underlying scheme for how access decisions are made and who may grant access |
| Role | A named collection of permissions corresponding to a job function (RBAC) |
| Permission | The right to perform a specific operation on a specific resource/class of resources |
| Policy | A statement of the conditions under which access is granted or denied, evaluated at decision time |
| Privilege creep | Gradual accumulation of access across role changes without removing the old access |
| Toxic combination | Two individually-fine permissions that jointly enable fraud/abuse (an SoD conflict) |
| Segregation of duties (SoD) | No single person holds all access to complete a sensitive action alone; split across people |
| Access control matrix | Subjects × resources grid; each cell = permitted operations (stored as ACLs or capabilities) |
| Policy decision point (PDP) | The component that evaluates a request against policy → permit/deny (holds the logic) |
| Policy enforcement point (PEP) | The component in the request path that intercepts and imposes the verdict (must be unbypassable) |
Threshold idea: Authentication determines whether an attacker who steals a credential gets in; authorization determines how much it is worth when they do. Strong authN makes weak authZ worse (over-broad access reliably attached to a confirmed identity). AAA = AuthN (who) + AuthZ (what's allowed) + Accounting (what happened — the safety net).
The four models — comparison
| DAC | MAC | RBAC | ABAC | |
|---|---|---|---|---|
| Who decides | Resource owner | Central system policy (labels/clearances) | Role membership (admin-assigned) | Rules over attributes at request time |
| Granted to | Individuals (owner's discretion) | Subjects via clearance ≥ label | Roles, then users→roles | Computed per request |
| Scales? | Poorly (sprawl) | Heavy admin | Well (indirection) | Yes, but complex |
| Best for | Personal/collab files | Classified; process confinement (SELinux/AppArmor) | Most business IT | Context/condition-aware; cloud IAM; zero trust |
| Key weakness | Sprawl, re-sharing, no central view | Rigid, label/clearance upkeep | Role explosion; static (no context) | Complexity; hard to audit/debug |
| You've seen it in | OS file perms, NTFS ACLs, "Share" button | Military systems; SELinux (🔗 Ch.11) | Job-based enterprise access | AWS IAM policies (🔗 Ch.15) |
Mature pattern: RBAC backbone + ABAC conditions — roles for coarse "what job function," attributes for fine "but only under these conditions" (managed device, business hours, own branch).
Role design checklist (avoiding role explosion)
- [ ] Roles map to durable job functions, not individuals (no
Sam_Special_Access). - [ ] Far fewer roles than users (many users per role; one-occupant roles are a smell).
- [ ] A base role (
All_Employees) holds common access; other roles inherit it (role hierarchy). - [ ] Senior roles = "junior role plus a few permissions," not from-scratch copies.
- [ ] High-risk permissions split across roles by design (initiate-wire ≠ approve-wire).
- [ ] Mutually-exclusive role pairs are refused at provisioning (can't assign both).
- [ ] Built with top-down (job functions) + bottom-up (mine real access) — reconcile the two.
- [ ] Warning sign — role explosion: ≥ as many roles as users; most held by 1–2 people; undocumented. Cause: minting a new role per individual exception. Why it's a security problem: an access model no one can comprehend is one no one can audit — over-privilege hides in the sprawl.
Least privilege & privilege creep — defenses
| Driver of creep | Control that stops it |
|---|---|
| "Copy [colleague]'s access" for new hires | Provision from clean role definitions, never by cloning a person |
| Role change adds new access, keeps old | Remove on mover events (transfers), not just on leaver |
| Standing access never re-justified | Periodic access reviews (recertification) — must revoke, not rubber-stamp |
| Permissions appropriate individually, toxic together | Explicit SoD rules: refuse the combination + alert on existing |
| Permanent grant for a temporary need (coverage/project) | Time-box temporary access (auto-expire); JIT elevation (🔗 Ch.19) |
The asymmetry that creates creep: access is granted eagerly (someone asks, work is blocked, "yes" is frictionless) and revoked reluctantly (nobody files a ticket to lose access). The mover (internal transfer) is the #1 creep generator.
Reading the access matrix
| Read direction | Answers | Used by | Reveals |
|---|---|---|---|
| Down a column (one resource) | "Who can do X to this resource?" | Resource owner | Who can approve a wire (per-resource) |
| Across a row (one subject) | "What can this subject do everywhere?" | Access reviewer | Privilege creep / toxic combinations |
- ACL = matrix stored per resource ("who can touch this object"). Capability = stored per subject ("what can this subject touch"). Same matrix, two slices.
Segregation of duties — enforce at BOTH layers
| Layer | Mechanism | Prevents |
|---|---|---|
| Static | Role design + provisioning rules refuse the conflicting combination | The toxic combination ever being granted |
| Dynamic | Runtime PDP rule (e.g., approver ≠ initiator, no self-approval) | The toxic act, even if roles get held together |
Wire transfer = maker-checker workflow: INITIATE (maker) → APPROVE (checker, different person) → RELEASE. PDP checks on approval: (1) holds
approve_wire; (2) approver ≠ initiator; (3) ABAC context (managed device/on-net/MFA); (4) amount > threshold ⇒ second approver. A human habit is not a substitute for rule 2.
PDP / PEP (reference monitor, decomposed)
- PDP = brain (decides, holds policy) · PEP = gate (in the request path, imposes verdict).
- Supporting: PIP supplies attributes; PAP is where policy is authored.
- Why split: one consistent policy enforced at many gates (policy lives/changes in one place, not copied into and drifting across many codebases). This is the architecture of zero trust (🔗 Ch.32): PDP = policy engine; PEP = policy enforcement point on every resource.
- Rules: PEP unbypassable (always invoked) · decision fail-closed (deny when PDP unreachable — fail-safe defaults, 🔗 Ch.3) · every decision logged (permit and deny = accounting + a sensor).
When to use what (decision aids)
- Owner-knows-best, low-stakes sharing? → DAC (but keep sensitive data out of free-for-all stores).
- Must prevent flows regardless of owner wishes / confine a process? → MAC (incl. SELinux/AppArmor).
- Scale job-based access across a workforce? → RBAC (roles = job functions).
- Need context (device, time, relationship, risk)? → ABAC conditions on top of RBAC.
- Express "manager can approve but not their own"? → role design + runtime self-approval check.
- Stop one stolen credential from reaching everything? → least privilege + JIT, time-boxed access.
- Find creep on an account? → read across its row; run an automated SoD combination scan.
Mapped frameworks
| Concept | CIS Controls v8 | NIST | CompTIA Security+ | (ISC)² CISSP |
|---|---|---|---|---|
| Access control models (DAC/MAC/RBAC/ABAC) | Control 6 (Access Control Mgmt) | SP 800-162 (ABAC); SP 800-53 AC-2/AC-3 | Domain 1/4 (access control) | Identity & Access Management |
| Least privilege (applied) | Control 6 | SP 800-53 AC-6 | Domain 1/4 | Security Architecture; IAM |
| Segregation of duties | Control 6 | SP 800-53 AC-5 | Domain 4/5 | Security & Risk Mgmt; IAM |
| Account/access reviews | Control 6 (recertification) | SP 800-53 AC-2(j) | Domain 4 | IAM (Security Operations) |
| PDP/PEP, reference monitor | — | SP 800-207 (ZTA: policy engine/PEP) | Domain 3 (architecture) | Security Architecture & Engineering |
| Access control matrix / ACL / capability | Control 6 | SP 800-53 AC-3 | Domain 3 | Security Architecture & Engineering |
RBAC formal model: NIST RBAC standard (ANSI/INCITS 359). ABAC: NIST SP 800-162.
Project additions this chapter
- Meridian program: the access-control policy — RBAC backbone + ABAC conditions; least privilege as default (start at the base role); a defined set of segregation-of-duties rules (forbidden combinations) enforced at provisioning and runtime with self-approval prevention; time-boxed temporary access; periodic access reviews (quarterly for wire/admin/CDE roles, annual otherwise). Hands off lifecycle mechanics to IGA (🔗 Ch.18) and privileged accounts to PAM (🔗 Ch.19).
bluekittoolkit:authz.py—rbac_check(user_roles, action)(permit iff a held role grants the action; the role itself enforces SoD) andabac_eval(attrs, policy)(permit iff every condition is met; fail-closed). Composes into the wire PDP'scan_approve_wireand extends towardzerotrust.py(🔗 Ch.32).
Common pitfalls
- "We have MFA, so access is secure" — MFA is authentication; it does nothing for over-permissioning.
- Treating a role as a person (
Sam_Special_Access) — back to per-user management; abandon RBAC's gain. - Reviewing access one permission at a time — toxic combinations are invisible per-grant; read the row.
- Relying on a human habit (always a different approver) instead of a runtime rule — habits fail.
- Believing clean role definitions prove access is fine — the danger is in accumulated assignments.
- Standing, broad access "for convenience" (support sees all tenants) — one credential theft = full breach.
- Letting the PDP fail open when unreachable — fail closed; deny by default.
- Bottom-up role mining alone — it launders existing privilege creep into official roles.