Guide: Access Control

Access Control Policies: Definitions & Types

Today, most business proceedings are based on bulks of data and information, meaning there is a constant need to deal with data security, and specifically data access. Without essential security measures in place, it is almost impossible to function effectively as an organization. You need to define who can access what data and under which conditions. This is where access control policies come in.

But first, what is an access control policy? As the name suggests, these are sets of policies, instructions, and restrictions that are in place which specify who can access your data, when they can do so, and up to which level. These policies need to be implemented accordingly at all levels of the organization.

Access control policies need to be applied for all people accessing data in the organization, including data consumers, data producers, and other data stakeholders. These individuals may include your employees, partners, contractors, or interns.

This article provides a comprehensive overview of access control policies along with some significant practical aspects to consider. We will be covering the following topics (Feel free to jump to the section of your choice):

This article is part of our complete access control guide.

Let’s get started!

The Purpose of Access Control Policies

Here are a few benefits associated with having clear access control policies in place:

  1. These policies help you ensure that you meet regulatory compliance requirements.
  2. They reduce security risks, as they define restrictions according to a risk assessment of business value and impact.
  3. They make it easy to identify potential causes of any failures or attacks, as the standards are already laid out and distributed across the organization.

Types of Access Control Policies

Generally speaking, you can define these policies in terms of administrative, physical, and technical or logical access control policies. Administrative policies are responsible for setting up the policies that will be implemented across the entire organization. Administrative policies are a combination of the other two policies. The physical access control limits the user’s access to specified physical locations in the office. Lastly, the technical access control deals with the policies defined for company data, systems, and information storage components.

If we dive deeper into the technical, or logical, access control policies, we can break them into four categories:

Mandatory Access Control

Access controls which are based on the rules and regulations set up by the authority. In other words, the access remains only with the owner and overseers.

Discretionary Access Control

Access control policies which are decided by the data owner. The business owner themselves decides the number of people and level of access to data.

Role-Based Access Control

Access controls which are based on the roles of individuals. For instance, people in  higher authority roles may have more privileges compared to the lower-level management. This distinction makes business processes consistent and straightforward for individuals.

Read our dedicated RBAC guide here.

Rule-Based Access Control

Not to be confused with Role-Based Access Control, this access control is an addition to other policies where certain rules are defined based on business processes and infrastructure for the access control standards.

Policy-Based Access Control

Policy-based access control is a combination of role-based access control and business policies. It is different from role-based access control, where all privileges and access controls are solely decided based on an individual’s roles because, in policy-based access control, roles and policies are both important components of access control.

They usually exist in the forms of conditions. For example, if the condition is satisfied, where the condition is the combination of role and policy, grant a specific access to the user.

For example, you may want to define the access control policy for a customer success manager (the role). Now, you can add more attributes or policies to it such as, ‘if the user is a customer success manager and is accessing the Customer Demographics Dataset in office hours, then grant access to Customer Demographics data.’

Access Control Policies to Data

This discussion brings us to the question:how and why do access control policies define the security of data in an organization? The consideration here is simply that limiting data access for people based on specific policies and standards makes the chances of data loss, data exposure, or data misuse almost none. 

However, data access policies should be determined by the relevant stakeholders (such as security teams, data governance teams, data services teams, and others) in a thorough discussion. The policies should be as transparent and deterministic as possible.

Examples of Access Control Policies on Data

Some of the examples of access control policies on data are as follows:

  1. A policy may restrict users to only access sensitive data and information from the office or during their shift timings and from the IP address of office systems.
  2. A policy can be designed to allow data analysts to access data only by using specific BI tools like Redshift or Tableau to reduce the open access programmatically.
  3. A policy can allow access to sensitive data for all teams but only in masked conditions. Specific teams can be allowed access to the decrypted information.
  4. A policy can allow only the owner of the organization to access sensitive information.
  5. A policy may keep data of different sensitivities on distinctive platforms where access to each of them is provided to the specified member based on need, while the rest of the data is kept safe.

Access Control Standards

The standards of access control can be defined as per the organization’s associated goals. However, there are also some international and industrial standards that define the quality and implementation level of access control policies of an organization.

Conclusion

Access control policies help define the standards of data security and data governance for organizations. They set up the level of access to sensitive information for users based on roles, policies, or rules.

Learn here about how Satori helps apply security policies (such as RBAC and ABAC) at scale and across all data platforms, including data warehouses and databases. In addition, you can read here about our key capabilities: