Understanding Access Control Functions

Access control is the process by which a user is granted access to a system or to information. It involves identification, authorization, authentication and audit. In access control a subject (the user) tries to gain access to an object (software); the permissions governing that access are stored in an ACL (access control list). An ACL is a list of access controls containing permissions and the data to which a user has been granted those permissions. Protected data can only be reached by users who have been granted access, and that access is enforced by the access control mechanism. This requires administrators to secure information and to set rights that define which information can be accessed and when. Here we discuss access control in terms of its principles, models and technologies.

Access Control has several principles:

Principle of least privilege

If no access has been explicitly configured for a user (for the individual, their group, the location the user is in, and so on), the user should not be able to access that information.

Separation of Duties

Separate areas of access to reduce unauthorized modification of an organization's assets or information.

Need to Know

This principle is based on the concept that each user is given access only to the information they need to perform their task.

Access control models:

Discretionary Access Control

An access control model in which access is set according to the owner's wishes and recorded in an ACL (access control list). With this model, access is granted according to the user's needs.

Mandatory Access Control

This is a highly structured and rigorous model. Users are granted access by classifying the subject (secret, top secret, confidential, etc.), and the same classification also applies to objects.

Role Based Access Control (RBAC)

Access is based on the user's tasks (their role), and the administrator controls the interaction between subject and object.

Rule set Based Access Control (RSBAC)

Access control rules are specific to the object being accessed by the user.


Represents the list of users granted permission to access the object.

Token Based

Single Sign-On: A technology that allows a user to input a single command to access all primary and secondary network resources.

Kerberos: An authentication protocol based on symmetric cryptographic keys, used on UNIX systems and adopted as the authentication method for Windows 2000.

SESAME (Secure European System for Application in a Multi-vendor Environment): SSO technology developed as an enhancement of Kerberos; it uses cryptographic techniques to protect data exchange and to authenticate subjects to the network.

Access control authentication protocols:

Password Authentication Protocol (PAP)

This is the most basic form of authentication: the username and password are transmitted to the system and matched against the username and password stored in the database. Its weakness is that the username and password are sent to the system without any encryption.

Challenge Handshake Authentication Protocol (CHAP)

Almost the same as the PAP authentication process; the difference is that the credentials are sent to the CHAP system protected with the MD5 algorithm, which makes it more secure.
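To make the PAP/CHAP difference concrete, here is an added Python example (not code from the original article) that models both exchanges: in PAP the password itself is the message, while in CHAP (following RFC 1994) only an MD5 value over the identifier, the shared secret and a fresh challenge crosses the wire. The user name, secret and challenge bytes are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credential store shared by peer and authenticator (assumption).
SECRETS = {"alice": b"correct horse battery staple"}


def pap_request(username: str, password: bytes) -> dict:
    """PAP: the credential itself is the message, visible to anyone on the path."""
    return {"user": username, "password": password}


def pap_verify(msg: dict) -> bool:
    """PAP authenticator: compare the received password with the stored one."""
    expected = SECRETS.get(msg["user"])
    return expected is not None and hmac.compare_digest(expected, msg["password"])


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier (one octet) || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(identifier: int, length: int = 16) -> dict:
    """Authenticator -> peer: a fresh, random challenge for every attempt."""
    return {"id": identifier, "challenge": os.urandom(length)}


def chap_respond(challenge_msg: dict, username: str, secret: bytes) -> dict:
    """Peer -> authenticator: the hash crosses the wire, the secret does not."""
    value = chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"])
    return {"id": challenge_msg["id"], "user": username, "value": value}


def chap_verify(challenge_msg: dict, response: dict) -> bool:
    """Authenticator: recompute the value from its own copy of the secret.

    A response captured earlier fails here because the id and challenge differ,
    which is what PAP cannot offer.
    """
    secret = SECRETS.get(response["user"])
    if secret is None or response["id"] != challenge_msg["id"]:
        return False
    expected = chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"])
    return hmac.compare_digest(expected, response["value"])
```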

Terminal Access Controller Access-Control System (TACACS)

An open-source authentication protocol; its best-known variant is TACACS+, the result of modifications made by Cisco as a proprietary Cisco protocol. TACACS+ provides a centralized authentication process for users who want to gain access to a Cisco router. The TACACS+ service is stored in a TACACS+ daemon database that runs on UNIX, Windows NT and Windows 2000 operating systems. TACACS+ provides separate and modular authentication, authorization and accounting features, which makes it more flexible to configure.

Remote Authentication Dial-In User Service (RADIUS)

A network security protocol used to process authentication, authorization and accounting centrally on a network. RADIUS is applied with a client-server model: the RADIUS server authenticates and authorizes the client by requesting a username and password, which it then matches against the existing data in the RADIUS server's database.