What are the Different Types of Data Access Controls?

Data access controls are those that control access to data – simple right? 

Well yes and no. 

The rest of the Access Control domain has been discussing the three primary goals of access control: Authentication, Authorisation and Auditing. 

Similarly, It has considered technical and procedural aspects of access control but ultimately they must relate to data (and other resources).  Data access control in itself is a fair sized chunk and a good chunk of it is considered here:

Discretionary Access Controls and Mandatory Access Controls

These are types of data access controls.

Discretionary and Mandatory are almost opposites. 

Discretionary, in this context, means that it is applied to specific files and data. More precisely is an explicit rule for that particular file.  Presumably, we derive this from the mathematical definition of discreet which essentially means countable or specific.

Mandatory access controls are the other way round, they are applied to the combination of the user and their groups and the data and its classification. However, the opposite bit of this being that it is calculated.

There is a third type “Non-discretionary Access Controls” is rule-based. In addition, this makes it possibly the most flexible type, but as a result of the most management intensive.

Permissions here come in lots of different forms based on OS and software involved.  Permissions to consider are:

• None
• Read (R)
• Write (W)
• Execute (X)
• Delete (D)
• Change (C)
• List (L)
• Full (F)

Access Control Matrix

Access control matrixes are a type of Access Control List (ACL).  It is a table, down one side and across the bottom are all the resources.  The cell where the two resources meet gives the permissions that are applicable.  Useful as a management and design tool.

Rule-Based Access Controls

As it says on the tin.  Basically it is an advanced ACL. Think multi-dimensional rule list.

The example is that Bob has access to view the accounts data, but also specified is that he can only access the servers between business hours.

Role-Based Access Controls

Role base access control (RBAC) is commonly deployes in Microsoft Windows environments. Where user groups define and the network shares that have group permissions that applies to them to dictate access to the files within.

Content-Dependent Access Control

This type of access control is, by nature, going to be quite varied.  Think control by the content of a database field and not some sort of AI that analyses documents. 

An example of Content-Dependent Access Control is a payroll system where a manager can see the staff that is in their department ID.

Constrained User Interface

Most obvious example here is an Intranet or other system that gives users different menus and the ability to perform different actions depending on their access level.

Capability Tables

Very similar to an Access Control Matrix.  This is more three dimensional in that you have the two subjects against the two axis. However, the content of the corresponding cell is descriptive rather than simply boolean.

Temporal Isolation

Time based control.  For example – at lunchtime, it may well be acceptable to use social networking, for the rest of the day though it might not be.

Learn how YGHT can help you improve your cybersecurity