Authorization and Access Control

Access control refers to the more general problem of controlling access to web resources, including restrictions based on factors such as the time of day, the IP address or domain of the HTTP client, the type of encryption the client supports, the number of times the user has authenticated that day, possession of any of a number of hardware or software tokens, or any other variable that can be extracted or calculated easily. Access control mechanisms are a necessary and crucial design element of any application's security.

Types of access controls:
  1. Discretionary Access Control (DAC): DAC assigns access rights based on user-specified rules, typically set by the owner of the resource. Its policies are characterized by a high degree of flexibility. The main drawback is vulnerability to malicious attacks, because the system has no control over how information is propagated once an owner has granted access to it.
  2. Mandatory Access Control (MAC): MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned according to the regulations of a central authority rather than by individual resource owners.
  3. Role-Based Access Control (RBAC): RBAC grants access based on a user's role and implements key security principles. The role hierarchy in RBAC is a natural way to organize roles so that they reflect the organization's lines of authority and responsibility. Thus, someone attempting to access information can only reach the data necessary for their role.
  4. Attribute-Based Access Control (ABAC): In ABAC, each resource and user is assigned a series of attributes. In this dynamic method, a comparative assessment of the user's attributes, including the time of day, position, and location, is used to decide whether access to a resource is granted.
Authentication is a method of verifying the identity of a person who is accessing your database. Note that authentication alone isn't enough to protect data. An additional layer of security is required, authorization, which determines whether an authenticated user should be allowed to access the data or perform the transaction they are attempting. Without both authentication and authorization, there is no data security.
Typical authorization checks involve querying for membership in a particular user group, possession of a particular clearance, or looking for that user on a resource's approved access control list, much like a bouncer checking the guest list at an exclusive nightclub. Any access control mechanism clearly depends on effective and forgery-resistant authentication, because every authorization decision is made about the identity that authentication established.
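The following is an added example, not code from the original post, that ties the DAC, RBAC and ABAC models above to the authorization checks just described: a deny-by-default `authorize()` function that first requires an authenticated principal, then evaluates ABAC constraints (time of day and location), and finally asks whether the role hierarchy (RBAC) or the owner-maintained access control list (DAC) grants the action. The role names, permissions, resource, policy thresholds and users are all constructed for illustration and are assumptions, not data from the page.

```python
"""Deny-by-default authorization engine combining DAC, RBAC and ABAC checks.
All roles, permissions, users and policy values are constructed for this
example; they are not taken from any real system."""
from dataclasses import dataclass, field
from datetime import time

# --- RBAC: role hierarchy; a role inherits the permissions of its parents ---
ROLE_PARENTS = {"admin": ["manager"], "manager": ["employee"], "employee": []}
ROLE_PERMISSIONS = {
    "employee": {("read", "timesheet")},
    "manager": {("approve", "timesheet")},
    "admin": {("delete", "timesheet")},
}


def effective_roles(role: str) -> set:
    """Return the role plus every ancestor role (transitive closure of the hierarchy)."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(ROLE_PARENTS.get(current, []))
    return seen


def rbac_allows(role: str, action: str, resource_type: str) -> bool:
    """True if the role, or any role it inherits from, holds the permission."""
    return any((action, resource_type) in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(role))


# --- DAC: the resource owner maintains the access control list --------------
@dataclass
class Resource:
    rtype: str
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permitted actions

    def grant(self, granting_user: str, grantee: str, action: str) -> None:
        """Only the owner may change the ACL (the discretionary part of DAC)."""
        if granting_user != self.owner:
            raise PermissionError("only the resource owner may modify the ACL")
        self.acl.setdefault(grantee, set()).add(action)


def dac_allows(user: str, action: str, resource: Resource) -> bool:
    """The owner can do anything; others need an explicit ACL entry."""
    return user == resource.owner or action in resource.acl.get(user, set())


# --- ABAC: attributes of the user and environment evaluated per request -----
@dataclass
class Context:
    user: str
    role: str
    location: str
    now: time
    authenticated: bool


def make_context(user, role, location, hour, authenticated=True) -> Context:
    """Helper that builds a request context for a given hour of the day."""
    return Context(user, role, location, time(hour, 0), authenticated)


def abac_allows(ctx: Context, action: str) -> bool:
    """Constructed policy: reads anywhere, any time; writes only from the
    office between 08:00 and 18:00."""
    if action == "read":
        return True
    office_hours = time(8, 0) <= ctx.now <= time(18, 0)
    return ctx.location == "office" and office_hours


def authorize(ctx: Context, action: str, resource: Resource) -> bool:
    """Deny by default. Authentication is a precondition, ABAC constraints
    always apply, and then either RBAC or the owner's ACL must grant the action."""
    if not ctx.authenticated:
        return False
    if not abac_allows(ctx, action):
        return False
    return (rbac_allows(ctx.role, action, resource.rtype)
            or dac_allows(ctx.user, action, resource))


if __name__ == "__main__":
    sheet = Resource("timesheet", owner="alice")
    bob = make_context("bob", "employee", "office", 10)
    print("bob read:", authorize(bob, "read", sheet))        # True via RBAC
    print("bob approve:", authorize(bob, "approve", sheet))  # False, no grant
    sheet.grant("alice", "bob", "approve")                   # owner extends ACL
    print("bob approve after grant:", authorize(bob, "approve", sheet))  # True via DAC
```

Each layer answers a different question: ABAC asks whether the circumstances of the request are acceptable, RBAC asks what the principal's position entitles them to, and DAC lets the owner extend access to specific people. Keeping the unauthenticated check first and returning `False` on every other path is what makes the engine fail closed.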
