Access control is the process of restricting who or what can view, use, or change systems, applications, data, and physical resources. It matters because organizations cannot protect sensitive assets if they do not control access to them.
What is Access Control?
In cybersecurity, access control defines how identities, devices, processes, and roles are allowed or denied entry to specific resources. It applies to applications, networks, cloud services, endpoints, databases, and physical facilities.
Strong access control reduces unauthorized activity, limits accidental exposure, and supports accountability by tying actions to approved users and permissions.
Common Access Control Types
Common models include role-based access control, attribute-based access control, discretionary access control, and mandatory access control. Organizations often combine multiple models depending on the environment and sensitivity of the resource.
Access Control vs. Authentication
Authentication confirms identity, while access control determines what that identity is allowed to do after login. One proves who you are; the other limits what you can reach.
Frequently Asked Questions
Why does access control fail in practice?
It often fails because of overbroad permissions, weak account hygiene, stale accounts, poor role design, and a lack of regular access reviews.
Is access control only a technical issue?
No. It also depends on governance, policy, onboarding, offboarding, approval workflows, and business ownership of sensitive resources.
