Vocabulary flashcards covering separation of duties, need-to-know vs least privilege, access control approaches, and the four access control services (identification, authentication, authorization, accountability) with their factors.
Separation of duties
Dividing key processes into multiple parts assigned to different people to prevent fraud and errors.
Need to know
Restricts access to data so users can access only the data required for their role.
Least privilege
Restricts a user's actions to only those required to perform their role.
Difference between need to know and least privilege
Need to know focuses on restricting data access; least privilege focuses on restricting user actions.
Centralized approach
Access to multiple applications is managed through one centralized system.
Decentralized approach
Access to multiple applications is managed within each application independently.
Hybrid approach
A combination of centralized and decentralized access control.
Identification
The process where the user asserts their identity to the system (e.g., username).
Authentication
The process of verifying a user’s identity using one of three factors: knowledge, ownership, or characteristic.
Knowledge (authentication factor)
Something you know; information the user memorizes.
Ownership (authentication factor)
Something you have; a token or device used to authenticate.
Characteristic (authentication factor)
Something you are; a biometric trait (e.g., fingerprint).
Authorization
The process of granting a user permission to access resources or perform actions.
Accountability
The ability to trace actions to a specific user, typically via audit logs and records.