
HARAMAYA UNIVERSITY

College of Computing and Informatics


Department of Information Systems
Course Title: Information system security

GROUP ASSIGNMENT 3
Assignment Title: Access Control

GROUP MEMBERS ID
EYOB ASSEFA ……………………2729/14
EZEDIN HUSSEN …………………2911/14
FITSUM TSEGAYE…………….….2963/14
FUAD MUSA ………………………2970/14
GEDION FIKRE ………………..….3003/14

Instructor: Mrs. Tigist G.


Submission date: Jan 28, 2025 G.C
1. Introduction

Access control is a data security process that enables organizations to manage who is authorized
to access corporate data and resources. Secure access control uses policies that verify users are
who they claim to be and ensure that appropriate access levels are granted to users.
Implementing access control is a crucial component of web application security, ensuring only the
right users have the right level of access to the right resources. The process is critical to helping
organizations avoid data breaches and fighting attack vectors, such as a buffer overflow
attack, KRACK attack, on-path attack, or phishing attack.
Access control security encompasses the tools and processes that restrict access to resources in an
IT infrastructure. Access control systems define the rules and policies that ensure only authorized
entities are allowed to access and perform operations on specific networks or applications. It
protects against unauthorized access, privilege escalation and potential breaches. By
implementing robust access control policies, organizations can improve their overall security
posture and reduce their attack surface.
Using an access control system allows you to manage access or entry to almost anything: file
access, workstation access, printer access and in our case, door, facility, building or office access.
The standard form of today’s access control is an “access card” instead of the key to grant access
to the secured area. In the case of access to larger buildings, the exterior door access is managed
by the building while the interior door - or tenant door access is managed by the individual tenant
company.
Access control enforces both authentication and authorization policies to regulate access.
Authentication verifies the identity of the user, whereas authorization determines whether the user
has the privileges to interact with the asset they are trying to access.
For example, if an employee swipes their card to enter an office building, the access control
system authenticates them by verifying the access card’s credentials. Once authenticated, the
system authorizes the employee's access based on their role or clearance level. If the employee
has the required privileges, the door will unlock, and they will be allowed to enter.
Real-world examples of access control are abundant and vary according to the needs and policies
dictated by the circumstances. At a basic level, users of the same organization are granted access
to shared computing resources based on the roles each user is entitled to within the organization.
An enterprise may be concerned over losing its competitive edge should its trade secrets become
known to its competitors. A financial institution has every need to confine updates in its records to
legitimate transactions only and to protect them from exposure to unauthorized individuals and
institutions. While a patient's medical records may not be of any immediate financial gain, one
cannot put a price to their privacy.
Access control is evolving from its traditional host-centric paradigm to resources and entities that
transact over large networks as wide as the Internet. The low-level access-control privileges of the
basic read and write of information are now moving up a level higher to include attributes that
make up a profile for an entity. These are the elements that mimic real-life user entitlements such
as the privilege of having a banking account, having a credit-card number, or being assigned a
well-defined role. The processes needed to maintain entity profiling gave rise to what is referred
to as identity management, which is indeed a prelude to any access-control mechanism. It is
concerned with the trusted methods of managing and exchanging entity entitlements on various
computing systems and resource managers. Identity management forms the foundation on which
access control is based.

2. What Is an Access Control Matrix?

An access control matrix (ACM) is a model to help visualize what permissions subjects have
for certain resources within a system. It structures who can do what within a system by mapping
subjects against resources. A subject typically designates a user, a role, or a device.
Each matrix cell specifies the levels of access permitted for a particular subject over a particular
object. A subject can be a particular user, group, role, device, or any other entity in the system that
holds permissions over the objects of interest. The layout is essentially a table where the first
column represents the subjects and subsequent columns are the permissions the subject has for
some object, or vice versa.
Using an ACM provides a way to visualize permissions across networks or single systems. By
centralizing permission settings, it becomes easier to control and audit who can access what,
allowing for organizational security. This matrix can show permitted actions on sensitive data,
reducing risk and helping maintain compliance standards.
Here is a simple example of an ACM:

Subject/Object | File A              | File B      | Application X      | Database Y
---------------|---------------------|-------------|--------------------|------------
Admin          | Read, Write, Delete | Read, Write | Execute, Configure | Full Access
Manager        | Read, Write         | Read        | Execute            | Read
Employee       | Read                | No Access   | Execute            | No Access
Guest          | No Access           | No Access   | No Access          | No Access

3. Components of an Access Control Matrix

• Subjects
Subjects, usually users or processes, in an access control matrix are the entities that request access
to resources. These subjects and their permissions are identified within the matrix as rows or
columns. In more complex systems, subjects may include a large range of users, requiring
management to ensure that the access rules applied are precise and justifiable.
• Objects
Objects are the resources or entities that subjects wish to access, often represented as columns or
rows in a matrix. These can include files, applications, or even network devices, making them
central to system operations. Detailing objects in an ACM means listing each element that
requires protection and the scope of accessible actions for each subject.
• Permissions
Permissions define the specific actions a subject can perform on an object within the ACM. These
actions may include reading, writing, executing, deleting, or configuring resources. Defining
permissions clearly in the matrix ensures that each subject’s access is granularly controlled,
preventing unauthorized actions and supporting compliance with organizational security policies.
Precision in assigning permissions is key to balancing accessibility with risk mitigation.
• Access Rights
Access rights specify the exact level or type of interaction a subject is permitted with an object.
These rights might range from basic read-only access to full administrative control, depending on
the subject’s role and the resource’s criticality. By tailoring access rights to operational needs and
enforcing them systematically through the ACM, organizations can effectively minimize security
vulnerabilities while ensuring smooth operations.

4. How Access Control Works

Access control ensures that only authorized users can access specific resources or perform certain
actions within a system. This process involves several key steps, which can be categorized into
three main phases: Authentication, Authorization, and Enforcement. Here is a detailed
explanation of how access control works:

• Authentication
Authentication is the process of verifying the identity of a user, device, or system. It ensures that
the entity attempting to gain access is who they claim to be. Common authentication methods
include:
  - Passwords: Users provide a unique password to confirm their identity.
  - Biometric Verification: Fingerprints, facial recognition, or iris scans are used to identify
    the user.
  - Multi-Factor Authentication (MFA): Combines two or more methods, such as a
    password and a one-time code sent to a mobile device.
  - Tokens and Smart Cards: Physical or virtual tokens provide secure authentication.
• Authorization
Authorization determines what actions an authenticated user can perform or which resources they
can access. It enforces permissions based on predefined policies and rules. Key elements of
authorization include:
  - Access Control Lists (ACLs): Define permissions for users or groups to access specific
    resources.
  - Role-Based Access Control (RBAC): Assigns permissions to roles, which are then
    granted to users based on their role within the organization.
  - Attribute-Based Access Control (ABAC): Uses attributes (e.g., user role, location, time)
    to define access policies dynamically.
• Enforcement
Enforcement is the process of applying access control decisions to ensure that only authorized
actions are allowed. It involves monitoring and blocking unauthorized access attempts.
Components of enforcement include:
  - Access Control Mechanisms: Systems like firewalls, database management systems, or
    file systems implement access control rules.
  - Monitoring and Logging: Records of access attempts are maintained to detect anomalies
    and ensure accountability.
  - Real-Time Decision-Making: Access requests are evaluated in real time to ensure they
    comply with the established policies.
• Example Workflow
a. Login: A user attempts to log in to a system by providing a username and password
(authentication).
b. Verify Identity: The system checks the provided credentials against a database.
c. Policy Check: After authentication, the system evaluates the user's permissions based on
their role or attributes (authorization).
d. Grant/Deny Access: The system either grants or denies access to the requested resource
(enforcement).
e. Log Activity: The access attempt is logged for auditing and monitoring purposes.
• Technologies Used in Access Control
  - Identity Providers (IdPs): Services like Microsoft Azure AD, Okta, and Google
    Workspace provide authentication and access management.
  - Access Control Systems: Firewalls, operating systems, and application-specific controls.
  - Biometric Devices: Hardware that supports advanced authentication methods.

5. Implementations of Access Control Matrices

• Global Table Approach

The global table implementation involves creating a table where each row represents a subject and
each column represents an object. Every intersection between a subject and an object specifies the
permissions granted. This centralized scheme simplifies the visualization of access rights and
enables audits and updates across the entire system.
By aggregating permissions into one table, the global approach allows for quick adjustments,
making it appropriate in environments needing frequent updates or detailed control. However, it
can be challenging to manage the scale of the table in large organizations, which requires database
management and optimization techniques to prevent performance degradation and ensure timely
access verification.
• Access Control Lists (ACLs)
Access control lists (ACLs) are another method of implementing access control, where each
object has an associated list specifying the subjects and their corresponding permissions. This list-
based approach can offer more flexibility in managing permissions on a per-object basis, ensuring
control over user-resource interaction within a granular framework.
ACLs are widely adopted, but are now considered a legacy approach. They are easy to implement
but quickly grow unwieldy and become difficult to manage and maintain. Additionally,
maintaining consistency across ACLs requires monitoring to avoid security loopholes.
• Capability Lists
Capability lists support access control by associating each subject with a list of objects and the
permitted actions on them. Here, subjects carry tokens or “capabilities” that prove their access
rights, an efficient method to track individual subject permissions and easily update them,
improving security and management flexibility.
This model is suitable in situations where decentralized management of permissions fits the
operational model, allowing subjects or users to manage their access rights alongside central
controls. However, managing capability lists can become complex with many subjects and
resources.
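
The sample matrix from section 2 and the three storage schemes above, as an added Python example that is not part of the assignment: the global table holds the ACM, the ACL and capability-list views are derived from it as columns and rows, and a revocation walk shows why ACLs need the consistency monitoring mentioned above. The helper names and the expansion of "Full Access" into the five rights the matrix uses elsewhere are our assumptions.

```python
"""The sample access control matrix from section 2, together with the three
ways of storing it from section 5: the global table, per-object ACLs (matrix
columns) and per-subject capability lists (matrix rows).

Added example; not part of the original assignment. Subjects, objects and
cells are taken from the assignment's sample ACM, the helper names are ours,
and "Full Access" is expanded to the five rights the matrix uses elsewhere.
"""
from __future__ import annotations

Rights = frozenset[str]
Table = dict[str, dict[str, Rights]]

FULL: Rights = frozenset({"read", "write", "delete", "execute", "configure"})

# Global table: {subject: {object: rights}}. "No Access" cells are simply
# absent, so a lookup that finds nothing is a denial.
ACM: Table = {
    "Admin": {
        "File A": frozenset({"read", "write", "delete"}),
        "File B": frozenset({"read", "write"}),
        "Application X": frozenset({"execute", "configure"}),
        "Database Y": FULL,
    },
    "Manager": {
        "File A": frozenset({"read", "write"}),
        "File B": frozenset({"read"}),
        "Application X": frozenset({"execute"}),
        "Database Y": frozenset({"read"}),
    },
    "Employee": {
        "File A": frozenset({"read"}),
        "Application X": frozenset({"execute"}),
    },
    "Guest": {},
}


def check(subject: str, obj: str, action: str, table: Table = ACM) -> bool:
    """Reference-monitor decision against the global table. Unknown subjects,
    objects and actions all fall through to the empty set, i.e. fail closed."""
    return action in table.get(subject, {}).get(obj, frozenset())


def all_objects(table: Table = ACM) -> list[str]:
    return sorted({obj for rights in table.values() for obj in rights})


def acl(obj: str, table: Table = ACM) -> dict[str, Rights]:
    """Column view: the ACL kept with an object lists every subject holding
    at least one right on it."""
    return {s: rights[obj] for s, rights in table.items() if rights.get(obj)}


def capabilities(subject: str, table: Table = ACM) -> dict[str, Rights]:
    """Row view: the capability list a subject carries."""
    return {obj: r for obj, r in table.get(subject, {}).items() if r}


def revoke_subject(table: Table, subject: str) -> tuple[Table, list[str]]:
    """Remove a subject entirely and report how much work each view needs.
    In the table and in the capability-list view this is one deletion; in
    the ACL view every object's list has to be visited, which is the
    consistency problem section 5 attributes to ACLs. Returns the new table
    and the objects whose ACL had to be edited."""
    touched = [obj for obj in all_objects(table) if subject in acl(obj, table)]
    new_table = {s: rights for s, rights in table.items() if s != subject}
    return new_table, touched


if __name__ == "__main__":
    for subj, obj, act in [("Manager", "File A", "write"), ("Employee", "File B", "read")]:
        print(subj, act, obj, "->", "permit" if check(subj, obj, act) else "deny")
    print("ACL(File B):", acl("File B"))
    print("capabilities(Employee):", capabilities("Employee"))
```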

6. How to install access control systems?

Follow these steps to set up an access control system for your organization:

a. Start by performing a thorough assessment of your security posture. Answer questions like:
“Which assets are the most security critical?” “How will I implement strong authentication?”
“How many roles do I need across the organization?” “Which security frameworks do I need
to comply with?”
b. Based on the results of the previous step, choose the type of access control system that you
want to go with.
c. Evaluate available options in the market and select the one that aligns with your requirements.
Consider factors like scalability, adaptability, compatibility (especially with legacy systems)
and ease of use.
d. Deploy and install the access control system. If you choose a software as a service (SaaS)
access control system, you should be able to skip this step.

e. Integrate the access control system with all the networks and applications on your
infrastructure.
f. Enroll users and their credentials (e.g., biometrics, access keys) for authentication. Consider
setting up multi-factor authentication (MFA).
g. While adhering to the principle of least privilege, assign access rights and permissions to
roles, users and user groups.
h. Thoroughly test the system to ensure that it’s accurately enforcing all the configured policies.
If possible, simulate different scenarios to identify any potential security gaps.
i. Train your employees and administrators on how to effectively use the access control system.
j. Implement a continuous monitoring system to detect suspicious behavior and stay compliant
with security standards and regulations.

7. Types of Access Controls

The main categories of access control paradigms that have emerged are discretionary, mandatory,
role-based and attribute-based access control.
I. Discretionary-access control

• DAC models allow the data owner to decide access control by assigning access rights according to
rules that users specify. When a user is granted access to a system, they can then provide access to
other users as they see fit.
• Discretionary-access control centers around the concept of users having control over system
resources. Users as such can transfer access rights to resources under their control to other
system users in a discretionary fashion. Control over a resource can be implicit by way of
owning the resource or can be explicitly granted through a chain of commands, all of which
involve discretion as well as the necessary access permissions that permit the dissemination
of access rights. Users therefore gain access to a resource if they create it, if they are an
administrator of the system, or if some other entity has conferred access to them. The essence
of DAC is the propagation of access rights at the discretion of resource owners and
authoritative entities. Depending on the type of permissions being propagated, the cumulative
effect from incremental changes in the protection state of a system can be unbounded.

In contrast to DAC, mandatory-access control is used when the protection decisions are not
made by the owner of an object. RBAC is the paradigm that most closely mimics real-world
processes; a brief description of it follows in the next section.

II. Role-Based Access Control

• RBAC creates permissions based on groups of users, roles that users hold, and actions that
users take. Users are able to perform any action enabled for their role and cannot change the
access control level they are assigned.
• Role-based access control (RBAC) has emerged as an alternative to discretionary- and
mandatory-access policies. RBAC regulates access to resources, systems, and business
processes based on the role of the acting subject. Similar to the real-world definition, a role is
an abstraction that encapsulates a set of responsibilities along with corresponding allowable
operations. Unlike the discretionary- or mandatory-access paradigms, in RBAC permissions are
assigned to roles instead. RBAC thus moves access control a level higher, which allows it to be
policy neutral.
• The access-matrix model directly manipulates access rights in that granting or revoking
access to a resource explicitly refers to a particular permission. This approach yields a
fine-grained level of control where each access type and its required permissions are related by a
mapping that can be one-to-one at the finest level. For example, the read permission clearly
means one can view the information contained in a resource but not modify it or add to it. To
allow for updates, a new access right such as write or append is needed. Although this
approach offers the advantage of fine-tuning an access control policy to accommodate any
level of access needed, it can be costly to manage. The inherent cost factor becomes
apparent with the increase in the number of managed users and resources. Furthermore, the
effects of resources being removed from or added to the system, as well as users leaving and
joining an organization or simply changing job functions, add to the complexity and overhead of
maintaining such a policy.

For example, assigning an employee to a new function may require revoking his or her access
rights to a large number of resources that are no longer needed for the tasks required by the new
position.

• The notion of user groups was introduced to alleviate some of these issues. Users sharing
similar access to the same resources become members of a single group. The group as a
single entity is then granted or denied access to the managed resources. Access decisions take
into account the fact that a user is a member of one group or another. Grouping users is
certainly one important aspect in addressing the scale of manageability in access-control
systems but alone is not sufficient. In addition to user groups, another important dimension in
the manageability of access controls is the grouping of access rights. Following on the
concept of managing users that share similar access capabilities as a unit, role-based access
control revolves around the idea of grouping access rights pertinent to a particular
functionality into a role abstraction.
III. Mandatory access control (MAC)

• MAC places strict policies on individual users and the data, resources, and systems they want
to access. The policies are managed by an organization’s administrator. Users are not able to
alter, revoke, or set permissions.
• It is an access control method or policy aimed at restricting access to a resource (also known as
an object) based on two key factors: the sensitivity of the information contained in that
resource and the authorization level of the user trying to access that resource and its
information.
• Security teams or admins define whether a resource is sensitive or not by applying a security
level, such as "Restricted," "Confidential," "Secret," or "Top Secret," to it and assigning the
resource to a security category, such as "Department M" or "Project X." Together, the
security level and security category constitute the security label. Admins also assign
a security clearance level to each authorized user to determine which resource they can
access.
• Once the label is applied and the MAC policy is finalized, users can only access those
resources (or the information within resources) that they are entitled to access. For example,
User A may be entitled to access the information within a resource labeled "Department M
Restricted," but User B may not have the same authority. Similarly, User B may be entitled to
access the resource labeled "Project X Confidential," but User A may not be authorized to do
so.

MAC is an important method of data access control. It is often used to protect information which,
if compromised or lost, may cause damage to the organization. This information may be private,
sensitive, confidential or restricted. Examples include the following:
• Trade secrets.
• Blueprints.
• Strategic or merger and acquisition plans.
• Intellectual property.
• Personally identifiable information.
• Financial information and transactions.
• Protected health information.
• Customer information.

IV. Attribute-based access control (ABAC)

• ABAC is a dynamic, context-based policy that defines access based on policies granted to
users. The system is used in identity and access management (IAM) frameworks.
• It is an authorization paradigm that defines access control policies according to attributes like
resource, object, environment, and user attributes. ABAC uses Boolean logic to create access
rules containing if-then statements, which define the user, the request, the resource, and the
action. For example, if the requester is an accountant, then allow read-write access to
financial data.
• ABAC enables organizations to create dynamic, context-aware access control policies using
specific attributes according to unique business needs and compliance requirements.
Implementation of ABAC was announced as a Priority Objective for implementation by the
US Federal Government, and the National Institute of Standards and Technology (NIST)
issued a set of standard guidelines that define how to implement ABAC in an enterprise
environment.

• ABAC offers several key advantages over traditional access control models:
  - Granular control: ABAC provides fine-grained access control by evaluating multiple
    attributes, enabling organizations to define highly specific access policies. This ensures
    that only authorized users can access particular resources under precise conditions.
  - Flexibility and scalability: ABAC policies can adapt to a wide range of scenarios
    without requiring constant adjustments. As attributes can be dynamically assigned and
    updated, ABAC scales efficiently with organizational changes, new user roles, and
    evolving security requirements.
  - Context-awareness: By considering environmental attributes such as time, location, and
    device, ABAC enhances security through context-aware decision-making. This helps in
    mitigating risks associated with unauthorized access attempts from unusual locations or
    during odd hours.
  - Improved compliance: ABAC facilitates compliance with regulatory requirements by
    allowing organizations to implement stringent access controls and audit trails. Policies
    can be crafted to ensure that access to sensitive information is restricted according to legal
    and organizational mandates.
  - Reduced role explosion: Unlike role-based access control (RBAC), which can suffer
    from “role explosion” due to the need to create numerous roles for various scenarios,
    ABAC reduces the complexity by leveraging attributes. This simplification leads to fewer
    roles and more manageable policies.
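
The accountant rule above, evaluated the way an ABAC policy decision point would, as an added Python example that is not part of the assignment: rules are if-then predicates over user, resource and environment attributes, a deny-overrides combining step reaches the decision, and the matched rule names feed the audit trail that section 4 calls for. The attribute names, the two environment rules (business hours, managed device) and the sample requests are our own constructions.

```python
"""ABAC policy evaluation for the accountant example in section 7.IV, with
the environment attributes (time, device) from the advantages list.

Added example, not from the original assignment; the attribute names, the
rule set and the sample requests are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attrs      # user attributes, e.g. id, department
    resource: Attrs     # object attributes, e.g. category, classification
    action: str
    environment: Attrs  # context, e.g. hour of day, device_managed


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                        # "permit" or "deny"
    condition: Callable[[Request], bool]


# The assignment's rule ("if the requester is an accountant, then allow
# read-write access to financial data") plus context rules of our own.
POLICY: list[Rule] = [
    Rule("accountants-rw-financial", "permit",
         lambda r: r.subject.get("department") == "accounting"
         and r.resource.get("category") == "financial"
         and r.action in {"read", "write"}),
    Rule("everyone-reads-public", "permit",
         lambda r: r.resource.get("classification") == "public"
         and r.action == "read"),
    # Environment attributes: writes are refused outside 09:00-18:00 or from
    # an unmanaged device, regardless of who asks.
    Rule("no-writes-after-hours", "deny",
         lambda r: r.action == "write"
         and not (9 <= int(r.environment.get("hour", -1)) < 18)),
    Rule("no-writes-unmanaged-device", "deny",
         lambda r: r.action == "write"
         and not r.environment.get("device_managed", False)),
]


def evaluate(req: Request, policy: list[Rule] = POLICY) -> tuple[str, list[str]]:
    """Deny-overrides combining: any matching deny wins, otherwise a matching
    permit, otherwise the default deny. Returns the decision and the names of
    the rules that matched, which is what the audit log should record."""
    matched = [rule for rule in policy if rule.condition(req)]
    names = [rule.name for rule in matched]
    if any(rule.effect == "deny" for rule in matched):
        return "deny", names
    if any(rule.effect == "permit" for rule in matched):
        return "permit", names
    return "deny", names


def audit_line(req: Request, decision: str, matched: list[str]) -> str:
    """One log record per decision (section 4, Monitoring and Logging)."""
    who = req.subject.get("id", "?")
    rules = ",".join(matched) or "-"
    return f"decision={decision} subject={who} action={req.action} rules={rules}"


if __name__ == "__main__":
    acct = {"id": "u1", "department": "accounting"}
    ledger = {"category": "financial", "classification": "restricted"}
    for env in ({"hour": 10, "device_managed": True}, {"hour": 22, "device_managed": True}):
        req = Request(acct, ledger, "write", env)
        decision, matched = evaluate(req)
        print(audit_line(req, decision, matched))
```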

8. Access Control Policies and Models

Access control policies and models define the rules and structures that govern how access is
granted to resources. They provide a framework for implementing and managing access control in
systems and organizations. Here are the key policies and models:

8.1 Access Control Policies

• Discretionary Access Control (DAC):
  - Allows resource owners to decide who can access their resources.
  - Based on user identities and predefined access rules.
  - Commonly used in file systems where owners can set permissions.
  - Advantage: Flexible and easy to implement.
  - Disadvantage: Susceptible to unauthorized privilege escalation.
• Mandatory Access Control (MAC):
  - Access is controlled by a central authority based on security labels.
  - Users and resources are assigned classification levels (e.g., confidential, secret).
  - Enforces strict access rules, often used in military and government environments.
  - Advantage: Provides high security.
  - Disadvantage: Less flexible and complex to manage.
• Role-Based Access Control (RBAC):
  - Permissions are assigned to roles, and users are assigned to roles.
  - Simplifies management by focusing on job functions rather than individual users.
  - Advantage: Scalable and suitable for large organizations.
  - Disadvantage: Requires well-defined roles and careful management.
• Attribute-Based Access Control (ABAC):
  - Access is granted based on attributes of the user, resource, or environment (e.g.,
    user role, time of access).
  - Policies are dynamic and highly customizable.
  - Advantage: Flexible and context-aware.
  - Disadvantage: Complex to implement and maintain.

8.2 Access Control Models

• Access Control Matrix (ACM):
  - A tabular representation of subjects (users) and objects (resources) with associated
    permissions.
  - Provides a clear and straightforward view of access rights.
• Bell-LaPadula (BLP) Model:
  - Focuses on confidentiality.
  - Enforces "no read-up" and "no write-down" rules to prevent unauthorized
    information flow.
  - Commonly used in systems requiring high confidentiality, such as government
    databases.
• Biba Integrity Model:
  - Focuses on data integrity.
  - Enforces "no write-up" and "no read-down" rules to prevent data corruption.
  - Suitable for systems where data accuracy is critical.
• Clark-Wilson Model:
  - Emphasizes well-formed transactions and separation of duties.
  - Ensures data integrity by enforcing control over modification and access to data.

9. Multilevel Security Models

Multilevel security models address the need to protect information of varying sensitivity levels
while ensuring appropriate access for users with different security clearances. Two prominent
multilevel security models are:

9.1 Bell-LaPadula (BLP) Model

• Focus: Confidentiality.
• Key Principles:
  - No Read-Up (Simple Security Property): Users cannot read data classified at a
    higher security level than their clearance.
  - No Write-Down (*-Property): Users cannot write data to a lower security level,
    preventing information leaks to less secure domains.
• Use Case: Commonly used in military and government systems where protecting
  classified information is critical.
• Advantages:
  - Strong enforcement of confidentiality.
  - Prevents unauthorized access to sensitive data.
• Disadvantages:
  - Does not address integrity or availability.
  - Can be restrictive and challenging to implement in dynamic environments.

9.2 Biba Integrity Model

• Focus: Integrity.
• Key Principles:
  - No Write-Up: Users cannot write data to a higher integrity level, ensuring that
    lower-integrity information does not corrupt higher-integrity data.
  - No Read-Down: Users cannot read data from a lower integrity level to prevent
    contamination of trusted systems.
• Use Case: Suitable for applications where maintaining data accuracy and reliability is
  essential, such as financial or healthcare systems.
• Advantages:
  - Ensures the integrity of critical data.
  - Prevents corruption from untrusted sources.
• Disadvantages:
  - Does not address confidentiality.
  - Implementation can be complex in systems with mixed integrity requirements.
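
The security labels of section 7.III (level plus category) and the BLP and Biba rules of sections 9.1 and 9.2, as an added Python example that is not part of the assignment: labels are compared by lattice dominance (higher or equal level and a superset of categories), and each of the four rules becomes a one-line check over that relation. The clearances given to User A and User B are assumptions chosen so that the text's Department M / Project X illustration works out; the same Label type is reused for integrity levels in the Biba checks.

```python
"""Security labels from section 7.III (sensitivity level plus category) with
the Bell-LaPadula rules of section 9.1 and the Biba rules of section 9.2
checked against them.

Added example, not from the original assignment. The level ordering follows
the MAC section; the two users' clearances are constructed to match its
User A / User B illustration; the function names are our own.
"""
from __future__ import annotations
from dataclasses import dataclass

# Sensitivity levels from the MAC section, lowest first. For the Biba checks
# the same names stand in for integrity levels; only the ordering matters.
LEVELS = ["Restricted", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset[str]

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice order: a higher-or-equal level AND a superset of the
        categories. Labels with disjoint categories are incomparable, which
        is what keeps User A out of Project X and User B out of Department M
        even when User A's level is the higher one."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def blp_can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property (no read-up): the subject's clearance must
    dominate the object's label."""
    return clearance.dominates(obj)


def blp_can_write(clearance: Label, obj: Label) -> bool:
    """*-property (no write-down): the object must dominate the subject, so
    a Secret user cannot copy Secret data into a Restricted file."""
    return obj.dominates(clearance)


def biba_can_read(subject_integrity: Label, obj: Label) -> bool:
    """No read-down: a trusted process may only read data at least as
    trustworthy as itself."""
    return obj.dominates(subject_integrity)


def biba_can_write(subject_integrity: Label, obj: Label) -> bool:
    """No write-up: low-integrity data must not overwrite trusted data."""
    return subject_integrity.dominates(obj)


# Section 7.III example (clearances constructed): User A is cleared for
# Department M at Secret, User B for Project X at Confidential.
USER_A = Label("Secret", frozenset({"Department M"}))
USER_B = Label("Confidential", frozenset({"Project X"}))
DEPT_M_RESTRICTED = Label("Restricted", frozenset({"Department M"}))
DEPT_M_TOP_SECRET = Label("Top Secret", frozenset({"Department M"}))
PROJECT_X_CONFIDENTIAL = Label("Confidential", frozenset({"Project X"}))


if __name__ == "__main__":
    for who, user in (("User A", USER_A), ("User B", USER_B)):
        for name, obj in (("Department M Restricted", DEPT_M_RESTRICTED),
                          ("Project X Confidential", PROJECT_X_CONFIDENTIAL)):
            print(f"{who} read {name}: {blp_can_read(user, obj)}, "
                  f"write: {blp_can_write(user, obj)}")
```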

10. Advantages and Disadvantages (Challenges) of Access Control

Access control systems provide numerous benefits, but they also come with challenges. Below are
the key advantages and disadvantages:

10.1 Advantages:

• Enhanced Security:
  - Ensures that sensitive data and resources are accessible only to authorized users.
  - Reduces the risk of data breaches and unauthorized access.
• Regulatory Compliance:
  - Helps organizations meet legal and regulatory requirements, such as GDPR,
    HIPAA, and ISO 27001.
• Scalability:
  - Modern access control systems like RBAC and ABAC are scalable, making them
    suitable for large organizations.
• Flexibility:
  - Attribute-based models allow for dynamic and context-aware access control.
• Auditability:
  - Logging and monitoring features provide detailed records of access attempts,
    enhancing accountability.

10.2 Disadvantages (Challenges):

• Complexity in Implementation:
  - Designing and managing access control systems, especially ABAC, can be
    challenging and time-consuming.
• High Initial Costs:
  - Implementing advanced systems like biometric or ABAC solutions requires
    significant investment in technology and infrastructure.
• User Resistance:
  - Introducing stricter access controls may face resistance from users, especially if
    they perceive it as inconvenient.
• Risk of Misconfigurations:
  - Misconfigured access control policies can lead to unintended security
    vulnerabilities or overly restrictive access.
• Maintenance Overhead:
  - Regular updates and audits are needed to keep access control systems effective,
    which can be resource-intensive.
• Insider Threats:
  - Even with robust access control systems, authorized users with malicious intent
    can exploit their access to compromise security.

11. Access Control Software

Access control software plays a critical role in implementing and managing access control
within an organization. These tools streamline the enforcement of access policies, improve
efficiency, and ensure security. Commonly used access control software includes:
• Microsoft Azure Active Directory (Azure AD):
  - Provides identity and access management for cloud and on-premises applications.
  - Supports single sign-on (SSO), multi-factor authentication (MFA), and role-based
    access control (RBAC).
• Okta:
  - A cloud-based identity management solution offering SSO and MFA.
  - Enables integration with various third-party applications.
• IBM Security Verify:
  - Offers identity governance, SSO, and adaptive access capabilities.
  - Provides risk-based authentication and compliance reporting.
• RSA SecurID:
  - Focuses on secure authentication and identity assurance.
  - Includes MFA, risk-based analytics, and centralized management.
• Oracle Identity Cloud Service:
  - Combines identity governance with cloud access management.
  - Offers a unified platform for managing user access.

12. Implementing Access Control

Implementing access control requires a structured approach to ensure its effectiveness. Key
steps include:
• Assess Organizational Needs:
  - Identify critical assets and determine the level of protection required.
  - Evaluate regulatory compliance requirements.
• Choose an Access Control Model:
  - Select a model (e.g., RBAC, ABAC) that aligns with the organization's needs.
• Define Access Policies:
  - Create policies based on roles, attributes, or security levels.
  - Ensure policies are clear, enforceable, and regularly reviewed.
• Deploy Access Control Mechanisms:
  - Implement authentication and authorization systems.
  - Use tools such as firewalls, IdPs, and access management software.
• Train Employees:
  - Educate users on the importance of access control and how to comply with
    policies.
• Monitor and Audit:
  - Regularly monitor access logs to detect anomalies and potential threats.
  - Conduct periodic audits to ensure compliance and identify areas for improvement.
• Update Policies and Systems:
  - Adapt to changing security requirements and emerging threats.

Conclusion

Access control is a fundamental aspect of modern cybersecurity, ensuring that only authorized
users can access sensitive data and resources. By implementing robust policies, models, and tools,
organizations can mitigate risks, enhance security, and comply with regulatory requirements.
However, the effectiveness of access control depends on regular monitoring, updates, and user
education. As technology and threats evolve, access control systems must adapt to provide
reliable protection.
