WebSecurity
Home About Learn Threats Best Practices Resources Contact

Access Control & Authorization

Implement proper authorization mechanisms to control user access to resources and enforce security policies.

Explore Access Control

What is Access Control?

Access control is the process of granting or denying specific requests to access resources, data, or functionality within a system. It determines what authenticated users are allowed to do and which resources they can access.

While authentication verifies "who you are," authorization determines "what you can do." Proper access control is essential for implementing the principle of least privilege and protecting sensitive information.

Access Control Models

Role-Based Access Control (RBAC)

Access permissions are assigned to roles rather than individual users. Users are then assigned to appropriate roles.

  • Simplifies permission management
  • Easy to audit and maintain
  • Common in enterprise systems

Attribute-Based Access Control (ABAC)

Access decisions are based on attributes of the user, resource, action, and environment using policies.

  • Fine-grained control
  • Dynamic and context-aware
  • Complex to implement

Discretionary Access Control (DAC)

Resource owners determine who can access their resources and what permissions they have.

  • Flexible and user-controlled
  • Common in file systems
  • Can lead to permission sprawl

Mandatory Access Control (MAC)

Access decisions are made by a central authority based on predefined security labels and policies.

  • Highly secure
  • Used in military/government
  • Rigid and complex

Access Control Best Practices

Implement Principle of Least Privilege

Grant users only the permissions they absolutely need to perform their tasks. Regularly review and remove unnecessary privileges to minimize the attack surface.

Use Server-Side Authorization

Always perform access control checks on the server-side. Client-side controls can be bypassed and should only be used for user experience, not security.

Deny by Default

Start with a default-deny policy where access is denied unless explicitly granted. This prevents accidental exposure of resources and follows security best practices.

Implement Proper Session Management

Ensure sessions are properly invalidated on logout, have reasonable timeout periods, and use secure session storage mechanisms to prevent session hijacking.

Regular Access Reviews

Conduct periodic reviews of user permissions and access rights. Remove access for users who no longer need it, especially when roles change or employees leave the organization.

Common Access Control Vulnerabilities

Broken Access Control

Critical

Users can access unauthorized functionality or data by modifying requests or URLs.

Mitigation: Server-side authorization checks

Insecure Direct Object References

High

Attackers can access objects directly by manipulating references without authorization checks.

Mitigation: Indirect reference maps, authorization

Privilege Escalation

Critical

Users gain higher-level permissions than intended, either vertically or horizontally.

Mitigation: Proper role separation, input validation

Missing Function Level Access Control

High

Access controls are not consistently applied to all server-side functions and endpoints.

Mitigation: Centralized authorization middleware

Implementation Examples

RBAC Implementation (Node.js)

                            
// Role definitions
const ROLES = {
    ADMIN: 'admin',
    MODERATOR: 'moderator',
    USER: 'user'
};

// Permission matrix
const PERMISSIONS = {
    [ROLES.ADMIN]: ['read', 'write', 'delete', 'manage_users'],
    [ROLES.MODERATOR]: ['read', 'write', 'delete'],
    [ROLES.USER]: ['read', 'write']
};

// Authorization middleware
function requirePermission(permission) {
    return (req, res, next) => {
        const userRole = req.user.role;
        const userPermissions = PERMISSIONS[userRole];
        
        if (!userPermissions || !userPermissions.includes(permission)) {
            return res.status(403).json({ error: 'Insufficient permissions' });
        }
        next();
    };
}

// Usage in routes
app.delete('/api/users/:id', 
    requirePermission('manage_users'), 
    deleteUserHandler
);

ABAC Implementation

                            
// Attribute-based policy engine
class ABACEngine {
    constructor() {
        this.policies = [];
    }
    
    addPolicy(policy) {
        this.policies.push(policy);
    }
    
    canAccess(user, resource, action, environment = {}) {
        return this.policies.some(policy => 
            this.evaluatePolicy(policy, user, resource, action, environment)
        );
    }
    
    evaluatePolicy(policy, user, resource, action, environment) {
        // Evaluate user attributes
        const userMatch = this.evaluateConditions(policy.userConditions, user);
        const resourceMatch = this.evaluateConditions(policy.resourceConditions, resource);
        const actionMatch = policy.actions.includes(action);
        const environmentMatch = this.evaluateConditions(policy.environmentConditions, environment);
        
        return userMatch && resourceMatch && actionMatch && environmentMatch;
    }
    
    evaluateConditions(conditions, attributes) {
        return Object.entries(conditions).every(([key, expected]) => 
            attributes[key] === expected
        );
    }
}

// Example policy
const documentPolicy = {
    userConditions: { department: 'finance' },
    resourceConditions: { classification: 'confidential' },
    actions: ['read'],
    environmentConditions: { time: '9:00-17:00' }
};

Additional Resources

OWASP Access Control Guide

Comprehensive guide to implementing secure access control mechanisms.

Visit Resource →

NIST Access Control Guidelines

Official guidelines for access control systems and implementations.

Visit Resource →