Get More From Your Disks With A NAS Part 3
Access Control Policy
There are three key elements to consider when planning an access control solution: the access control policy, groups, and users.
In a small scenario, say a home or small office, it may be tempting to ignore the access control policy and groups and simply configure direct access to resources on a user-by-user basis. However, once the number of users begins to increase, groups will really help to keep things consistent, and we can ensure that user access control permissions do not drift from what we expect.
The access control policy can be short or long, depending on requirements, and clearly defines which resources are accessible, to what extent they are accessible (read, read/write, delete) and to what extent they are not.
In a typical access control scenario we start with the basis of “deny everything” so that no user (other than an administrator) can access any resource unless their account has been “specifically allowed” as directed by the access control policy.
The access control policy will generally include a general statement which highlights the purpose of the policy, who may amend it and to what extent, and how often it should be reviewed.
The access control policy should be reviewed and verified on a regular basis to ensure it still reflects expectations.
The policy may also include a number of other details including:
- Whether generic user accounts are allowed (for example, a user account of “marketing” that applies to all members of the marketing department); these kinds of accounts should be limited or denied completely as they pose a potentially major security risk
- Which devices and/or locations are covered by the policy
- Password requirements, including password length and frequency of change
- Access instructions relating to any remote systems by local users
- Access instructions relating to local systems by remote users
Once the access control policy is created, a list of resources and users can be drawn up in order to allocate appropriate access controls. At this point the use of user groups should be considered, particularly if multiple users expect to access similar resources.
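To make the "deny everything, then specifically allow" model with groups concrete, here is an added example (not code from the article or from any NAS product) that evaluates effective permissions from group grants and checks the permissions actually configured on the NAS against the policy for drift. The group names, users and share paths are constructed sample data, and the `admins` group name is an assumption.

```python
ACTIONS = {"read", "write", "delete"}
ADMIN_GROUP = "admins"  # assumed name for the administrator group (not from the article)

class AccessPolicy:
    """Maps groups to the actions their members may perform on each resource."""
    def __init__(self):
        self.members = {}  # group -> set of users
        self.grants = {}   # group -> {resource: set of actions}
    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)
    def allow(self, group, resource, *actions):
        # "Specifically allow": only an explicit grant ever widens access.
        self.grants.setdefault(group, {}).setdefault(resource, set()).update(actions)
    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def effective(self, user, resource):
        """Union of the user's group grants; an empty set means denied (the default)."""
        groups = self.groups_of(user)
        if ADMIN_GROUP in groups:
            return set(ACTIONS)
        perms = set()
        for g in groups:
            perms |= self.grants.get(g, {}).get(resource, set())
        return perms

    def allowed(self, user, resource, action):
        return action in self.effective(user, resource)

def find_drift(policy, observed):
    """Compare permissions actually configured on the NAS (observed maps
    (user, resource) -> set of actions) against what the policy expects."""
    drift = []
    for (user, resource), actual in sorted(observed.items()):
        expected = policy.effective(user, resource)
        if actual != expected:
            drift.append((user, resource, sorted(expected), sorted(actual)))
    return drift

def build_example_policy():
    # Constructed sample data: one admin, two departments, two shares.
    p = AccessPolicy()
    for group, user in [("admins", "root"), ("marketing", "alice"), ("finance", "bob")]:
        p.add_member(group, user)
    p.allow("marketing", "/shares/marketing", "read", "write")
    p.allow("finance", "/shares/finance", "read", "write", "delete")
    p.allow("finance", "/shares/marketing", "read")  # finance may read, not change
    return p
```

Running `find_drift` periodically against an export of the NAS share permissions is one way to perform the regular review the policy calls for.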