Hard2bit

Access Control

What is access control

Access control is the set of mechanisms that determine who (identity), what (resource), when (time), where (location), and under what conditions a user can access systems or data. Effective access control implements least privilege—users have only the minimum permissions needed for their job—and follows role-based or attribute-based models. Access control is foundational to confidentiality and compliance.

Why it matters

Weak access control causes most insider incidents and amplifies breach impact. If a compromised account has excessive permissions, an attacker gains broad access. Conversely, well-designed access control limits an attacker's lateral movement and data theft. Access control is also legally required by GDPR (data minimization), HIPAA (role-based access), PCI-DSS, and ISO 27001. Organizations with strong access control recover faster from incidents and face lower compliance costs.

Key points

Least privilege is the foundation—users should have only the permissions they need. A marketing manager doesn't need access to customer payment data. Overly permissive accounts create unnecessary risk.

Authentication (who you are) and authorization (what you can access) are distinct. MFA proves identity; RBAC defines what an authenticated user can do. Both are critical.

Access control must cover all layers: system level (OS user accounts), application level (database roles), network level (firewall ACLs), and data level (encryption + role-based decryption).

Access review is essential—over time, employees change roles, contractors leave, and permissions become stale. Review and revoke permissions quarterly. Automated access reviews (entitlement management) catch orphaned accounts faster than manual processes.

Access control preventing insider risk

A financial services firm implements RBAC where:

  • customer service reps can view account balances but not transactions,
  • fraud analysts can view transactions but not change them,
  • treasury staff can initiate transfers but require dual approval.

When a disgruntled CSR's credentials are compromised, an attacker can only view balances—not steal money. The dual-approval requirement on transfers further blocks the attack. Without role-based access control, a compromised account with admin rights could transfer millions. With it, damage is contained.

Common mistakes

  • Granting admin access for convenience—users requesting elevated permissions for occasional tasks should use temporary elevated access (sudo, RBAC elevation with approval) instead of permanent admin status. This reduces the attack surface if their accounts are compromised.
  • No access review or recertification—organizations that don't periodically review access end up with orphaned accounts (ex-employees still active) and permission creep (users with roles they've outgrown). Implement quarterly access reviews.
  • Conflicting duties not separated—the same person should not approve their own requests or approve payments they initiated. Segregation of duties is a control that requires access policy design, not just permission management.

Frequently asked questions

What's the difference between RBAC and ABAC?

RBAC (Role-Based Access Control) defines permissions by role: all managers get the same permissions. ABAC (Attribute-Based Access Control) is more granular, using attributes like department, location, time, and data classification: a manager in Finance can access customer data before 5pm, but a manager in Marketing cannot. ABAC is more flexible but more complex to manage. Most organizations start with RBAC and move toward ABAC for sensitive data.
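As an added illustration (not code from Hard2bit), the following policy-decision logic models both the financial-services RBAC scenario above and the ABAC rule from this answer. Role names, action strings and the clock-hour parameter are constructed for the example; it enforces least privilege per role, the dual-approval and segregation-of-duties rule on transfers, and the "Finance manager before 5pm" attribute rule.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed RBAC policy for this page's financial-services scenario: each role
# maps to exactly the actions it may perform (least privilege).
ROLE_PERMISSIONS = {
    "csr": {"balance:view"},
    "fraud_analyst": {"balance:view", "transaction:view"},
    "treasury": {"transfer:initiate", "transfer:approve"},
}
@dataclass
class Subject:
    user: str
    roles: set
    department: str = ""  # attribute used by the ABAC rule below
@dataclass
class Transfer:
    initiator: str
    amount: int
    approver: Optional[str] = None  # set once a second person approves

def rbac_allowed(subject: Subject, action: str) -> bool:
    """Pure RBAC: allow if any of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def abac_allowed(subject: Subject, action: str, hour: int) -> bool:
    """ABAC rule from the FAQ: a Finance manager may view customer data before 5pm."""
    if action == "customer_data:view":
        return ("manager" in subject.roles and subject.department == "Finance"
                and hour < 17)
    return rbac_allowed(subject, action)  # every other action falls back to RBAC

def initiate_transfer(subject: Subject, amount: int) -> Optional[Transfer]:
    """Returns a pending transfer, or None if the subject's roles cannot initiate."""
    if not rbac_allowed(subject, "transfer:initiate"):
        return None
    return Transfer(initiator=subject.user, amount=amount)

def approve_transfer(subject: Subject, transfer: Transfer) -> bool:
    """Dual approval with segregation of duties: the initiator cannot approve."""
    if not rbac_allowed(subject, "transfer:approve"):
        return False
    if subject.user == transfer.initiator:
        return False  # same person may not approve their own request
    transfer.approver = subject.user
    return True

def transfer_executable(transfer: Transfer) -> bool:
    return transfer.approver is not None  # money moves only after dual approval
```

A compromised CSR account in this model can view balances but cannot initiate a transfer at all, and even a treasury account cannot approve what it initiated.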

How often should we review access?

Minimum: quarterly. Some organizations review monthly for sensitive systems. Annual review is insufficient—permissions drift quickly. Automated tools that flag unused access or segregation-of-duties violations help. When an employee changes roles, access review should happen within days, not weeks.

What about temporary access (contractors, consultants)?

Temporary access should be time-limited and rights-limited: grant only the permissions needed, set an expiration date, and require re-approval for extensions. Automate revocation at expiration. Many breaches involve contractor accounts that were never disabled after engagement ended.