July 14, 2025

The importance of authorisation controls (Access Control)


Overview

Access controls are essential to ensure that only authorised users can reach a given resource. In practice, it is often difficult to keep those controls granular. Nonetheless, granular and thorough controls limit what a malicious actor can reach when a valid user account is compromised: the attacker is confined to the information that account legitimately needs.

How the principle of least privilege plays an essential role in authorisation controls

The principle of least privilege states that a user should hold only the access privileges strictly required to perform their role. Following it forces the team to clearly define each user's requirements, which in turn gives a clearer picture of the access rights that are actually needed and helps identify the access groups required when building an application's authorisation controls. Overall, this approach improves the team's understanding of the user's needs and therefore of the permissions that should be granted.

Deny by default

When implementing access controls, especially when following the principle of least privilege, it is beneficial to make the default behaviour deny all access. This ensures that instances of unauthenticated access are blocked. Without this approach, pages are blocked only after someone considers them individually, rather than by default, so it becomes easy to miss a page. Denying by default removes this source of error, because allow permissions must be granted intentionally to specific groups. This in turn makes the principle of least privilege easier to implement.

Consider Relationship-Based Access Control (ReBAC) methods

Historically, Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) have been the common models. More recently, Relationship-Based Access Control (ReBAC), which focuses on the relationships between objects (resources), has emerged. ReBAC offers more granular control, yet in some application contexts this granularity may be excessive; there, ABAC may be preferred, as it still offers a secure level of granularity. In any case, it is preferable to move away from the RBAC approach, since ABAC and ReBAC offer more control over access rights.

Some of the benefits of ReBAC are:

  • Dynamic and context-aware permissions: ReBAC considers the dynamic relationships between entities, allowing permissions to adapt based on context and specific relationships, providing more granular and flexible control.
  • Policy visualisation: ReBAC often uses graph-based representations to visualize policies, making it easier to understand and manage complex access control scenarios by clearly showing how entities are connected.
  • Granular control: By focusing on relationships, ReBAC allows for more precise control over who can access what. For example, in a document management system, permissions can be based on whether a user is the document owner, a collaborator, or a viewer.
  • Real-world applications: ReBAC is particularly useful in environments where relationships are crucial, such as social media platforms, project management tools, and collaborative workspaces. It ensures that access control policies reflect the actual interactions and connections between users and resources.
  • Adaptability: ReBAC can easily adapt to changes in relationships. For instance, if a user’s role changes or new relationships are formed, the access control policies can automatically update to reflect these changes.
  • Enhanced security: By providing more context-aware and relationship-based permissions, ReBAC reduces the risk of unauthorized access. It ensures that only users with the appropriate relationships can access sensitive resources.

Consider the usage of GUIDs (Globally Unique Identifiers), but do not rely on their uniqueness as an access control

Whilst GUIDs are advised, they should not be used as a replacement for access controls. In other words, obtaining a GUID should not automatically provide access to a resource. A GUID should be treated as an additional layer of security, and access rights should still be checked rigorously even when the GUID is valid.

The following are the benefits often associated with GUIDs:

  • Uniqueness: GUIDs are designed to be globally unique, which means they significantly reduce the risk of identifier collisions. This is particularly useful in distributed systems where multiple entities might generate identifiers independently.
  • Security: GUIDs are harder to guess compared to sequential numeric IDs. This makes it more difficult for malicious users to predict and access unauthorized resources by simply incrementing or decrementing a numeric ID.
  • Scalability: GUIDs facilitate easier data merging and replication across different databases or systems. Since GUIDs are unique across all systems, they prevent conflicts that might arise from merging datasets with overlapping numeric IDs.
  • Decoupling: Using GUIDs decouples the identifier from the underlying data structure. This means you can change the internal implementation or move data around without affecting the external references.
  • Consistency: GUIDs provide a stable reference that remains consistent even if the resource is moved or renamed. This ensures that links remain valid over time.
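The following is an added example, not code from the original post, that ties together the three points above: a deny-by-default permission table, a small ReBAC store that walks relationship tuples (direct, via team membership, and inherited from a parent folder), and a document table keyed by GUID where knowing the GUID still does not bypass the relationship check. The store, the relation names and the users are all constructed for illustration.

```python
import uuid

# Which relationships on a resource grant which action. Any action or
# relationship not listed here is denied: deny by default.
PERMISSIONS = {
    "read": {"owner", "collaborator", "viewer"},
    "edit": {"owner", "collaborator"},
    "delete": {"owner"},
}


class AuthzStore:
    """Constructed ReBAC store: a set of (subject, relation, object) tuples
    plus a document table keyed by a random GUID."""

    def __init__(self):
        self.tuples = set()
        self.documents = {}

    def add_tuple(self, subject, relation, obj):
        self.tuples.add((subject, relation, obj))

    def create_document(self, owner, content):
        guid = str(uuid.uuid4())  # random, not guessable by incrementing
        self.documents[guid] = content
        self.add_tuple(owner, "owner", f"doc:{guid}")
        return guid

    def relations(self, subject, obj):
        """Relations `subject` holds on `obj`: directly, through a team the
        subject is a 'member' of, or inherited from a 'parent' object."""
        found = set()
        for s, rel, o in self.tuples:
            if o == obj and (s == subject or (subject, "member", s) in self.tuples):
                found.add(rel)
            elif s == obj and rel == "parent":
                found |= self.relations(subject, o)
        return found

    def is_allowed(self, subject, action, obj):
        granting = PERMISSIONS.get(action, set())  # unknown action -> deny
        return bool(granting & self.relations(subject, obj))

    def read_document(self, subject, guid):
        """A valid GUID alone never grants access: the relationship check
        still runs, and a missing and a forbidden document look the same."""
        if guid not in self.documents or not self.is_allowed(subject, "read", f"doc:{guid}"):
            return None
        return self.documents[guid]
```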

Conclusion

Consider the following when implementing the authorisation controls within an environment:

  • Define clear access policies
  • Use the Principle of Least Privilege (PoLP)
  • Use Attribute-Based Access Control (ABAC) or Relationship-Based Access Control (ReBAC)
  • Implement Multi-Factor Authentication (MFA)
  • Regularly review and update permissions
  • Monitor and log access
  • Implement Just-in-Time (JIT) access
  • Apply access controls to all systems

A strong set of authorisation controls greatly improves security and presents a real barrier to attackers attempting to access resources.