What is access control?
Access control is a core element of security that formalizes who is allowed to access certain apps, data, and resources and under what conditions.
Different types of access control
There are four main types of access control—each of which administrates access to sensitive information in a unique way.
Discretionary access control (DAC)
In DAC models, every object in a protected system has an owner, and owners grant access to users at their discretion. DAC provides case-by-case control over resources.
Mandatory access control (MAC)
In MAC models, users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. This model is very common in government and military contexts.
Role-based access control (RBAC)
In RBAC models, access rights are granted based on defined business functions, rather than individuals’ identity or seniority. The goal is to provide users only with the data they need to perform their jobs—and no more.
Attribute-based access control (ABAC)
In ABAC models, access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. ABAC is the most granular access control model and helps reduce the number of role assignments.
How to implement access control
Connect on goals
Align with decision makers on why it’s important to implement an access control solution. There are many reasons to do this—not the least of which is reducing risk to your organization. Other reasons to implement an access control solution might include:
• Productivity: Grant authorized access to the apps and data employees need to accomplish their goals—right when they need them.
• Security: Protect sensitive data and resources and reduce user access friction with responsive policies that escalate in real-time when threats arise.
• Self-service: Delegate identity management, password resets, security monitoring, and access requests to save time and energy.
Select a solution
Choose an identity and access management solution that allows you to both safeguard your data and ensure a great end-user experience. The ideal should provide top-tier service to both your users and your IT department—from ensuring seamless remote access for employees to saving time for administrators.
Set strong policies
Once you’ve launched your chosen solution, decide who should access your resources, what resources they should access, and under what conditions. Access control policies can be designed to grant access, limit access with session controls, or even block access—it all depends on the needs of your business.
Some questions to ask along the way might include:
• Which users, groups, roles, or workload identities will be included or excluded from the policy?
• What applications does this policy apply to?
• What user actions will be subject to this policy?
Follow best practices
Set up emergency access accounts to avoid being locked out if you misconfigure a policy, apply conditional access policies to every app, test policies before enforcing them in your environment, set naming standards for all policies, and plan for disruption. Once the right policies are put in place, you can rest a little easier.
Learn more about Microsoft Security
Access control for individuals
Enable passwordless sign-in and prevent unauthorized access with the Microsoft Authenticator app.
Access control for business
Protect what matters with integrated identity and access management solutions from Microsoft Security.
Access control for schools
Provide an easy sign-on experience for students and caregivers and keep their personal data safe.
Microsoft Entra ID
Safeguard your organization with identity and access management (formerly known as Azure Active Directory).
Microsoft Entra Permissions Management
Gain enterprise-wide visibility into identity permissions and monitor risks to every user.
In the field of security, an access control system is any technology that intentionally moderates access to digital assets—for example, networks, websites, and cloud resources.
Access control systems apply cybersecurity principles like authentication and authorization to ensure users are who they say they are and that they have the right to access certain data, based on predetermined identity and access policies.
Cloud-based access control technology enforces control over an organization's entire digital estate, operating with the efficiency of the cloud and without the cost to run and maintain expensive on-premises access control systems.
Access control helps protect against data theft, corruption, or exfiltration by ensuring only users whose identities and credentials have been verified can access certain pieces of information.
Access control selectively regulates who is allowed to view and use certain spaces or information. There are two types of access control: physical and logical.
- Physical access control refers to the restriction of access to a physical location. This is accomplished through the use of tools like locks and keys, password-protected doors, and observation by security personnel.
- Logical access control refers to restriction of access to data. This is accomplished through cybersecurity techniques like identification, authentication, and authorization.
Access control is a feature of modern Zero Trust security philosophy, which applies techniques like explicit verification and least-privilege access to help secure sensitive information and prevent it from falling into the wrong hands.
Access control relies heavily on two key principles—authentication and authorization:
- Authentication involves identifying a particular user based on their login credentials, such as usernames and passwords, biometric scans, PINs, or security tokens.
- Authorization refers to giving a user the appropriate level of access as determined by access control policies. These processes are typically automated.