
User access controls - Part 1

Sensitive information, in the wrong hands, can be a key to the lock on your organisation's valuables.

One recent example comes from a medical packaging company that reported an attack by an employee who was let go in early 2020. It’s reported that he logged back into the company’s computer network, used the administrator rights he had previously held and then, out of spite, edited and deleted nearly 120,000 records. Your organisation must be able to demonstrate strict adherence to security and access procedures if it hopes to keep information, and access, in the right hands. Let’s move on to find out how to do this.


Access control models

Not all users are equal.

Authorisation is the function of specifying access rights to resources. To authorise is to define and then enforce the terms of an access policy; for example, a policy might state that only human resources staff are authorised to access employee records. This policy is then implemented as a set of access control rules, potentially based on some kind of technical standard. Many different access control models are in use today; the most important ones are the following:

  • Discretionary Access Control (DAC) - This is where access to resources, such as files and network shares, is determined by the owner of the resource; typically, a user. One particular form of DAC is known as Access Control Lists (ACLs), as used in the Microsoft Windows operating system. You’ll examine a variety of methods for implementing DAC later in this topic.
  • Role-Based Access Control (RBAC) - Access to resources is based on users being a member of a group, where the attributes of the group are used to define the rights of the role. With that in mind, any user can be in the group, and they’ll inherit the access rights of the role. Again, you’ll look at this in more detail later in this topic.
  • Mandatory Access Control (MAC) - Access to a file is based on the classification of the file and the clearance of the user attempting to access it. Outside of military and government intelligence circles, very few systems implement this model, and those that do are almost always deployed to protect data classified SECRET or above. This course doesn’t cover MAC in any more detail, as it is extremely complex and not necessary for the foundation level that CISMP addresses.
  • Attribute-Based Access Control (ABAC) - ABAC is often described as a more granular form of Role-Based Access Control, since multiple attributes are required in order to gain access. These attributes are associated with the subject, the object, the action and the environment. For example, a sales rep (subject) may try to access a client’s record (object) in order to update the information (action) from his office during work hours (environment). This approach allows finer tuning of access controls than a role-based approach: for example, access could be denied based on the environment (e.g., time of day) or the action (e.g., deleting records). The downside is that these controls can be more difficult to get up and running. Typical attributes fall into the following groups:
      • User attributes - Include the user’s name, role, organisation, ID and security clearance.
      • Environmental attributes - Include the time of access, the location of the data and the current organisational threat level.
      • Resource attributes - Include the creation date, resource owner, file name and data sensitivity.
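
The following is an added example (not code from the course) of how the ABAC decision described above can be evaluated: a request carries subject, object, action and environment attributes, the subject’s role is inherited from group membership as in RBAC, and a small ordered rule set denies by default. The group names, record types, clearance levels and the 09:00 to 17:30 working window are all assumed values.

```python
from dataclasses import dataclass
from datetime import time

# Constructed ABAC evaluator (not from the course page): subject, object,
# action and environment attributes are checked against an ordered rule list.

@dataclass
class Request:
    subject: dict   # user attributes, e.g. {"groups": {"sales"}, "clearance": 1}
    obj: dict       # resource attributes, e.g. {"type": "client_record", "sensitivity": 1}
    action: str     # "read", "update" or "delete"
    env: dict       # environmental attributes, e.g. {"time": time(10, 30), "location": "office"}

def role_of(subject):
    # RBAC element: the role is inherited from group membership, not the individual.
    groups = subject.get("groups", set())
    if "hr" in groups:
        return "hr_staff"
    if "sales" in groups:
        return "sales_rep"
    return None

def work_hours(t):
    return time(9, 0) <= t <= time(17, 30)

# Ordered rules: the first matching rule decides; no match means deny.
POLICY = [
    # Action attribute: nobody but HR staff may delete records.
    ("deny", lambda r: r.action == "delete" and role_of(r.subject) != "hr_staff"),
    # Sales reps may read/update client records from the office during work hours.
    ("allow", lambda r: role_of(r.subject) == "sales_rep"
                        and r.obj["type"] == "client_record"
                        and r.action in ("read", "update")
                        and r.env["location"] == "office"
                        and work_hours(r.env["time"])),
    # HR staff may handle employee records their clearance level covers.
    ("allow", lambda r: role_of(r.subject) == "hr_staff"
                        and r.obj["type"] == "employee_record"
                        and r.subject["clearance"] >= r.obj["sensitivity"]),
]

def decide(req):
    # Returns "allow" or "deny"; anything not explicitly allowed is denied.
    for effect, matches in POLICY:
        if matches(req):
            return effect
    return "deny"

# Constructed sample environments (assumed values).
OFFICE_MORNING = {"time": time(10, 30), "location": "office"}
OFFICE_EVENING = {"time": time(20, 0), "location": "office"}
```

The same sales rep is allowed to update a client record at 10:30 but denied at 20:00, and denied a delete at any time, which is the environment- and action-based tuning the text describes.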


Active directory (AD)

The most common security technology within the majority of organisations is Microsoft’s Active Directory, largely because most organisations run their internal network using Microsoft servers, and end user machines run a Microsoft Windows operating system.

Active Directory, or AD, is a Windows OS directory service that facilitates working with interconnected, complex, and different network resources in a unified manner. It’s used to organise and maintain information related to resources that are connected to a variety of network directories. The directories may be systems-based (like Windows OS), application-specific or network resources, such as printers.

AD serves as a single data store for quick data access to all users. It also controls access for users, based on the directory's security policy. AD provides the following network service:

  • Lightweight Directory Access Protocol (LDAP) - An open standard used to access and query directory services. In AD, LDAP access is secured using Secure Sockets Layer (SSL)-based encryption and Kerberos-based authentication.

Kerberos is a network authentication protocol that uses secret-key cryptography to authenticate client-server applications. A client first authenticates to a Kerberos server and receives an encrypted ticket, which it then presents in order to use services.

The protocol gets its name from the three-headed dog (Kerberos, or Cerberus) which guarded the gates of Hades in Greek mythology.

Active directory structure

The terms object, organisational unit (OU), domain, tree, and forest are used to describe the way AD organises its directory data. Like all directories, AD is essentially a database management system. The AD database is where the individual objects tracked by the directory are stored. It uses a hierarchical database model, which groups items in a tree-like structure. Each node on the tree is referred to as an object and is associated with a network resource, such as a user or service.

Like any database schema concept, the AD schema is used to specify attributes and types for a defined AD object. This facilitates searching for connected network resources based on those assigned attributes.

For example, if a user needs to use a printer with colour printing capability, the object attribute may be set with a suitable keyword such as ‘Colour Printing’, so that it’s easier to search the entire network and identify the object's location, based on that keyword.

A domain consists of objects stored in a specific security boundary and interconnected in a tree-like structure. You will have encountered the term domain before, likely relating to domain names for websites. The concepts involved are not very different, but here the term is used to mean the extent of the network.

A single domain may have multiple servers, each of which is capable of storing multiple objects. In this case, organisational data is stored in multiple locations, so a domain may contain multiple sites. Each site may have multiple domain controllers for backup and scalability reasons. Multiple domains may be connected to form a domain tree, which shares a common schema, configuration and global catalogue (used for searching across domains). A forest is formed by a set of multiple and trusted domain trees and forms the uppermost layer of the AD.

Users and groups

In many cases, for example, in a Windows environment, user accounts are created with little access to anything other than personal files. So, access rights are assigned by creating functional groupings of capabilities, called user groups. These user groups are then assigned rights to access the asset. This gives each group the privileges they need to perform the tasks on those assets.

If a user needs access to an asset, they’re added to the group, or removed when they no longer need access. This makes administration of the ‘least privilege’ principle straightforward.

There are various methods of explicitly granting access, but system administrators can override access that has been granted implicitly. Role-based access control relates to functional roles within an organisation rather than to a person’s individual access: access rights are assigned to specific roles, and a user then has the rights associated with their role rather than being given rights as an individual user.

File permissions

The degree of protection that can be extended to an individual file system object - a file or a folder - is limited only by the operating system in use. The operating system dictates how specific and bespoke the individual’s or group’s access can be: a Windows system differs from a Linux system, which in turn differs from macOS.

In a Linux system, the basic degree of protection that can be extended to files and folders from an end-user perspective is based on a three-level approach:

  1. Each file has a creator (also known as an owner) who has full control over that object.
  2. The members of the same default group as the owner can be given specific permissions by the owner.
  3. Other users can also be given specific permissions by the owner in relation to the file or folder.

These permissions then take on one or a combination of three attributes - read, write or execute:

  • Read means that the user or group can read the contents of the folder or file that the permission is applied to.
  • Write means that the user can change the contents of the folder or file, including the ability to delete it.
  • Execute means that the user can run executable application code, or a script, in that folder.

Beneath these three simple attributes, most operating systems allow more granular control.
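
As an added example (not from the course), the three-level Linux check above can be modelled directly: the kernel picks exactly one permission class for a user, owner first, then group, then other, and consults only that class’s read/write/execute bits. The user and group IDs and file modes below are constructed sample values, and the superuser bypass is deliberately not modelled.

```python
import stat

# Constructed model of the Linux owner/group/other check; not code from the
# course page. The first class that fits the user is the only one consulted.

BITS = {
    "owner": {"read": stat.S_IRUSR, "write": stat.S_IWUSR, "execute": stat.S_IXUSR},
    "group": {"read": stat.S_IRGRP, "write": stat.S_IWGRP, "execute": stat.S_IXGRP},
    "other": {"read": stat.S_IROTH, "write": stat.S_IWOTH, "execute": stat.S_IXOTH},
}

def permission_class(file_uid, file_gid, user_uid, user_gids):
    # Exactly one class applies: the owner never falls back to group or other
    # bits, so a mode like 0o070 leaves the owner with no access at all.
    if user_uid == file_uid:
        return "owner"
    if file_gid in user_gids:
        return "group"
    return "other"

def may(mode, file_uid, file_gid, user_uid, user_gids, perm):
    # perm is "read", "write" or "execute"; user_gids is the user's set of group IDs.
    # Root (uid 0) bypasses these bits on a real system; that is not modelled here.
    cls = permission_class(file_uid, file_gid, user_uid, user_gids)
    return bool(mode & BITS[cls][perm])

def rwx_string(mode):
    # Render the nine permission bits the way `ls -l` shows them.
    chars = []
    for cls in ("owner", "group", "other"):
        for perm, ch in (("read", "r"), ("write", "w"), ("execute", "x")):
            chars.append(ch if mode & BITS[cls][perm] else "-")
    return "".join(chars)

if __name__ == "__main__":
    # Constructed sample: a file owned by uid 1000, group 100, mode 0o640.
    print(rwx_string(0o640))                             # rw-r-----
    print(may(0o640, 1000, 100, 1000, {100}, "write"))   # True  (owner)
    print(may(0o640, 1000, 100, 1001, {100}, "read"))    # True  (group member)
    print(may(0o640, 1000, 100, 1001, {100}, "write"))   # False (group has no write)
    print(may(0o640, 1000, 100, 1002, {200}, "read"))    # False (other)
```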

What’s next?

That was part one of user access controls. In part two, you’ll take a closer look at the access control matrix, user lists and authentication factors.
