
Access Control

Prime #
170
Origin domain
Computer Science & Software Engineering
Also from
Security Intelligence, Statistics & Experimental Design, Law & Governance
Aliases
Authorization, Permissions, Access Management
Related primes
Authentication, Principle of Least Privilege, principal, policy, information security

Core Idea

Access control defines who or what can view, modify, or utilize certain resources, typically using permissions, roles, or credentials to enforce security and privacy.

How would you explain it like I'm…

Who Can Do What

Think of a bouncer at a party. Before letting anyone in, they check the guest list and the rules: who can come, what room they can go in, and what they can do. Access control is the same — it decides who gets to do what with what.

Permission Rules

Access control is how a system decides who is allowed to do which things to which stuff. Maybe a teacher can change grades but students can only read them. Maybe your phone lets your fingerprint open it but blocks everyone else. The system has a list of rules — like a rulebook — that says which people, programs, or devices can read, write, or change which files or actions. A core rule of thumb is least privilege: give everyone only the access they need, and no more.

Authorization System

Access control is the mechanism and policy by which a system decides whether a specific principal — a user, process, service, or device — may perform a specific action (read, write, execute, delete) on a specific resource at a specific moment. It enforces a security policy that separates authorized from unauthorized access, and it is the main technical implementation of confidentiality, integrity, and need-to-know. Access control is different from authentication, which only establishes who you are; access control decides what you, once identified, are allowed to do. The policy — expressed as permissions, roles, attributes, or rules — must be auditable and enforced correctly. A foundational design heuristic is least privilege: grant only the minimum access needed.


Access control is the mechanism and policy by which a system decides whether a particular principal (user, process, service, or device) may perform a particular action (read, write, execute, modify, delete) on a particular resource (file, record, endpoint, physical space, function) at a particular moment. It enforces a security policy that separates authorized from unauthorized access and is the primary technical implementation of confidentiality, integrity, and need-to-know. Access control sits downstream of authentication: authentication establishes who or what is acting; access control decides whether that established identity may carry out the requested operation on the requested resource. The policy is expressed through permissions, roles (RBAC), attributes (ABAC), or rule-based logic, and must be both auditable and correctly enforced — bugs in the enforcement layer collapse the policy, however well it was written. A foundational design heuristic is the principle of least privilege: grant only the minimum access a principal needs to do its task, no more and for no longer than necessary. Defense in depth then layers access control alongside encryption, monitoring, and segregation so that a single bypass does not expose everything.

Broad Use

  • Operating Systems: File permissions (read, write, execute).

  • Physical Security: Keycards or lock-and-key systems restricting building entry.

  • Corporate Governance: Role-based access to financial accounts or confidential data.

  • Healthcare: HIPAA-compliant patient records, limiting who can view medical data.

Clarity

Clearly separates authorized from unauthorized usage, preventing accidental or malicious misuse of sensitive resources.

Manages Complexity

Establishes structured boundaries (roles, privileges), reducing the risk of overlap, data leaks, or security breaches.

Abstract Reasoning

Encourages policy-based thinking: define rules, roles, and contexts in which certain actions are permitted or denied.

Knowledge Transfer

Access control models apply in software, corporate policies, building security, and even peer review processes (who can read or edit documents).

Example

A version-controlled repository might let contributors submit code changes while only maintainers can approve and merge those changes.
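As an added example that is not part of the original page, the repository scenario above and the principal/action/resource/moment definition given earlier, written as a small deny-by-default policy engine: an RBAC table, an attribute rule (no self-approval), a time-of-day rule for merges, and an audit log. Role names, the merge window and the sample principals are assumptions made for the illustration.

```python
from datetime import datetime, time

# Constructed RBAC table for the repository example: role -> {(action, resource type)}.
# Anything not listed is denied, which is least privilege expressed as deny-by-default.
ROLE_PERMISSIONS = {
    "contributor": {("submit", "pull_request")},
    "maintainer": {("submit", "pull_request"), ("approve", "pull_request"),
                   ("merge", "pull_request")},
}
MERGE_WINDOW = (time(9, 0), time(17, 0))  # assumed change window for merges into main
AUDIT_LOG = []  # every decision is recorded so the policy stays auditable

def evaluate(name, roles, action, resource_type, resource, when, policy=ROLE_PERMISSIONS):
    """Pure policy decision: (allowed, reason) for a principal/action/resource/moment."""
    # RBAC: union of what the principal's roles grant; unknown roles grant nothing.
    granted = set().union(*(policy.get(r, set()) for r in roles))
    if (action, resource_type) not in granted:
        return False, "no role grants this action"
    # ABAC: nobody approves or merges their own change, whatever their role.
    if action in ("approve", "merge") and resource.get("author") == name:
        return False, "self-approval forbidden"
    # Moment-dependent rule: merges into main only inside the change window.
    if action == "merge" and resource.get("branch") == "main":
        if not MERGE_WINDOW[0] <= when.time() <= MERGE_WINDOW[1]:
            return False, "outside merge window"
    return True, "permitted"

def decide(name, roles, action, resource_type, resource, when):
    """Enforcement point: evaluate, then log the decision before returning it."""
    allowed, reason = evaluate(name, roles, action, resource_type, resource, when)
    AUDIT_LOG.append((when.isoformat(), name, action, resource_type, allowed, reason))
    return allowed, reason

def demo():
    """Constructed requests: a contributor, a maintainer, and an unknown role."""
    pr = {"author": "alice", "branch": "main"}
    noon = datetime(2024, 1, 15, 12, 0)
    night = datetime(2024, 1, 15, 23, 0)
    return {
        "contributor_submits": decide("alice", {"contributor"}, "submit", "pull_request", pr, noon),
        "contributor_merges": decide("alice", {"contributor"}, "merge", "pull_request", pr, noon),
        "maintainer_merges": decide("bob", {"maintainer"}, "merge", "pull_request", pr, noon),
        "maintainer_merges_at_night": decide("bob", {"maintainer"}, "merge", "pull_request", pr, night),
        "maintainer_self_approval": decide("bob", {"maintainer"}, "approve", "pull_request",
                                           {"author": "bob", "branch": "main"}, noon),
        "unknown_role": decide("eve", {"guest"}, "submit", "pull_request", pr, noon),
    }

if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The unknown-role and night-time cases show the two failure modes a reviewer checks first: that an unlisted role grants nothing, and that a rule depending on the moment of the request is actually evaluated rather than assumed.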

Relationships to Other Primes

Parents (3) — more general patterns this builds on

  • Access Control is a kind of Authority — Access control is a specific kind of authority, exercising legitimate power to grant or deny actions on resources.
  • Access Control is a kind of Constraint — Access control is a specific kind of constraint, restricting admissible principal-action-resource combinations to those satisfying a security policy.
  • Access Control presupposes Boundary — Access control presupposes boundary because deciding who may cross into resources requires a demarcation between inside and outside.

Children (2) — more specific cases that build on this

  • Minimum-Necessary Disclosure presupposes Access Control — The file: minimum_necessary_disclosure operates AFTER authorization — access_control gates who-may-read; this prime governs response-payload breadth under authorized access, projecting surplus at the source. It presupposes access_control (entry is already granted) and bounds what travels.
  • Principle of Least Privilege presupposes Access Control — The file: access_control is 'the mechanism' (the table/policy/gate); least_privilege is 'a normative rule about how to CONFIGURE that mechanism: grant the minimum'. It presupposes the access-control machinery and prescribes its setting.

Path to root: Access Control → Authority

Not to Be Confused With

  • Access Control is not Governance because governance specifies the durable architecture of authority, accountability, and decision rights through which groups make binding collective decisions; access control is a technical mechanism enforcing authorization policy at the point of resource use—governance distributes legitimate power and accountability; access control mediates execution against a policy.
  • Access Control is not Oversight Capacity because oversight capacity names the structural limit on how many direct subordinates or task-units one overseeing entity can effectively supervise before quality deteriorates; access control specifies an authorization layer determining which principals may perform which actions on which resources—oversight capacity is about supervisory bandwidth; access control is about resource authorization.
  • Access Control is not Delegation of Authority because delegation assigns decision-making power and responsibility from a principal to an agent with clear boundaries and accountability relationships; access control is the enforcement mechanism that determines what actions authenticated principals may execute—delegation creates authority relationships and specifies scope; access control enforces execution against that scope.
  • Access Control is not Transparency because transparency is the disclosure of information to stakeholders for oversight and accountability; access control is the mechanism governing who may read, write, or execute against resources and functions—transparency is about information visibility; access control is about action authorization independent of whether the policy is transparent.
  • Access Control is not Layered Coordination & Oversight because layered coordination is the structural architecture distributing authority and information flow across multiple tiers with different scopes; access control is the enforcement mechanism at each resource boundary determining authorization—layered coordination structures how authority flows and aggregates; access control mediates execution at the point of resource contact.