Access control systems handle the identification, authentication, authorization (access approval) and accountability of entities by means of login credentials, such as passwords, PINs or biometric scans, and of physical or electronic keys.
Access control to an information system is generally studied according to the AAA model (Authentication, Authorization, Accounting).
- Authentication
This first phase consists in verifying that the user really corresponds to the identity that is trying to connect. The simplest approach is to check the association between an identifier and a password, but more sophisticated mechanisms can be used, such as smart cards, ...
- Authorization
This phase consists in verifying that the now authenticated user has the necessary rights to access the system. On small systems it is sometimes confused with the previous phase, but on larger systems a user can be fully authenticated (e.g. a member of the company) yet not hold the privileges needed to access the system (e.g. a page reserved for managers).
- Accounting
To counter the misappropriation of rights, it is desirable to record accesses to sensitive computing resources (connection times, tracking of the actions performed, ...).
- Access control modes
The control of access to an information system resource is exercised according to two modes:
- A priori mode
This consists of auditing and configuring the access rights assigned to users, before any access takes place (this is referred to as "Identity and Access Management", IAM).
- A posteriori mode
This consists of checking the access rights assigned to users at the moment they access the system.
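The following Python program is an added example, not part of the original article, that ties the three AAA phases above to the two control modes: provisioning accounts and access rights up front is the a priori step (the IAM configuration), while the per-request authentication, authorization and accounting checks are the a posteriori step. It shows in particular that a user who authenticates correctly can still be refused a resource reserved for managers, and that every attempt, refused or granted, leaves an accounting record. All usernames, passwords, roles and resource paths are constructed sample data; the class and function names are the example's own.

```python
"""Minimal AAA (Authentication, Authorization, Accounting) flow.

Added example with constructed sample data; not code from the original
article. Passwords are stored only as salted PBKDF2-HMAC-SHA256 digests.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    roles: Set[str]


@dataclass
class AccessControl:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # resource -> roles allowed to reach it: the rights configured a priori
    acl: Dict[str, Set[str]] = field(default_factory=dict)
    # accounting: one record per access attempt, granted or refused
    audit_log: List[dict] = field(default_factory=list)

    # ---- a priori mode: identity and access management --------------------
    def provision(self, username: str, password: str, roles: Set[str]) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, set(roles))

    # ---- a posteriori mode: checks performed at access time ---------------
    def authenticate(self, username: str, password: str) -> bool:
        """Phase 1: does the presented secret match the stored digest?"""
        account = self.accounts.get(username)
        if account is None:
            # Hash anyway so an unknown name costs the same time as a wrong
            # password; otherwise response time reveals which accounts exist.
            hash_password(password, b"\x00" * 16)
            return False
        _, candidate = hash_password(password, account.salt)
        return hmac.compare_digest(candidate, account.digest)

    def authorize(self, username: str, resource: str) -> bool:
        """Phase 2: does an authenticated user hold a role allowed on the resource?"""
        allowed = self.acl.get(resource, set())
        return bool(self.accounts[username].roles & allowed)

    def access(self, username: str, password: str, resource: str, when: str) -> str:
        """Run all three phases; returns 'denied-authn', 'denied-authz' or 'granted'."""
        if not self.authenticate(username, password):
            outcome = "denied-authn"
        elif not self.authorize(username, resource):
            outcome = "denied-authz"
        else:
            outcome = "granted"
        # Phase 3: accounting, recorded whatever the outcome
        self.audit_log.append(
            {"time": when, "user": username, "resource": resource, "outcome": outcome}
        )
        return outcome


def demo() -> Tuple[AccessControl, List[str]]:
    """Provision two constructed users, then replay five access attempts."""
    ac = AccessControl()
    ac.acl["/managers/reports"] = {"manager"}
    ac.acl["/intranet"] = {"employee", "manager"}
    ac.provision("alice", "correct horse", {"employee", "manager"})
    ac.provision("bob", "battery staple", {"employee"})
    results = [
        ac.access("bob", "wrong password", "/intranet", "2024-01-01T09:00"),
        ac.access("bob", "battery staple", "/intranet", "2024-01-01T09:01"),
        ac.access("bob", "battery staple", "/managers/reports", "2024-01-01T09:02"),
        ac.access("alice", "correct horse", "/managers/reports", "2024-01-01T09:03"),
        ac.access("mallory", "anything", "/intranet", "2024-01-01T09:04"),
    ]
    return ac, results


if __name__ == "__main__":
    control, outcomes = demo()
    for record in control.audit_log:
        print(record)
```

The third attempt is the case the article singles out: bob authenticates correctly but lacks the `manager` role, so the request is refused at the authorization phase, and the refusal is still written to the audit log for later review.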