Access Control Design Workshop

Key Takeaways

  • Identification, authentication, authorization, and accountability are separate parts of access control.
  • Least privilege, need to know, separation of duties, and privileged access management recur as themes in integrated scenario questions.
  • RBAC fits job roles, ABAC uses attributes and context, and DAC allows owners to grant access.
  • MFA reduces credential-only compromise risk but does not replace authorization design.
  • Logging and review support accountability, especially for privileged and sensitive access.
Last updated: April 2026

Access control questions are often written as workplace stories. A new employee needs access today. A contractor needs temporary access. A database administrator can both approve and deploy changes. A terminated employee still has a VPN account. A manager wants broad access "just in case." Your job is to design access that supports work without creating unnecessary exposure.

Lab Scenario

A regional training company has four teams: instructors, finance, student support, and IT. Instructors need course materials and attendance rosters. Finance needs invoices and payment records. Student support needs student contact details and case notes. IT needs administrative access to maintain systems but should not casually view student financial records. Contractors help for 30 days during enrollment season. The company has had two problems: former contractors retained access, and a finance employee accidentally changed course materials.

Access Design Table

Requirement | Better design | Principle
Instructors need rosters, not payment cards | Instructor role grants roster access only | Least privilege
Finance handles invoices, not course edits | Finance role excludes course content modification | Need to know
IT administers platforms | Privileged accounts, MFA, logging, and approval | Privileged access management
Contractors work for 30 days | Time-bound accounts with expiration | Account lifecycle control
No one person should approve and pay a vendor | Split request and payment approval | Separation of duties
Sensitive access needs review | Quarterly access recertification | Accountability

Identification Through Accountability

Identification is claiming an identity, such as a username. Authentication proves the claim, such as a password plus MFA. Authorization determines what the authenticated subject can do. Accountability connects actions to identities through logging, monitoring, and review. Shared accounts weaken accountability because actions cannot be tied to a specific person.

MFA is valuable, but it solves only part of the problem. If every user with MFA is placed in a broad administrator group, authentication improved while authorization failed. If logs exist but no one reviews privileged changes, accountability is weak. A complete design combines all pieces.

RBAC, ABAC, DAC, and MAC

Role-based access control assigns permissions to roles such as Instructor, Finance Analyst, or Help Desk Technician. It works well when job functions are stable. Attribute-based access control uses attributes such as department, device compliance, location, time, data sensitivity, or employment status. It fits more dynamic decisions, such as allowing payroll access only from managed devices during approved hours. Discretionary access control lets resource owners decide who can access their objects.

Mandatory access control uses centrally enforced labels and clearances; it is less common in ordinary business scenarios but important conceptually.

PBQ-Style Drill

If a prompt asks you to place users into groups, start with the job function and then remove exceptions. Do not grant IT blanket business data access just because IT can administer systems. Use separate privileged accounts for administrative work and normal accounts for email and browsing. Require MFA for remote access and privileged roles. Disable accounts promptly when employment or contracts end. Review group membership for sensitive systems.

For the training company, create roles for Instructor, Finance, Student Support, IT Admin, and Contractor Support. Give Contractor Support an expiration date and limited case access. Finance should not edit course materials. Instructors should not see payment details. IT Admin should have platform administration rights, with logging and approval for sensitive actions. That design is more defensible than one "staff" group with broad access.
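The role design above, together with the RBAC, ABAC and separation-of-duties points from the model section, can be checked in code. The following is an added example written for this page, not part of the original workshop: a small authorization engine in which permissions attach only to roles, sensitive data carries attribute conditions (managed device, approved hours), contractor accounts expire, the requester of a payment cannot approve it, and platform administration needs MFA plus an approval record. Every decision is written to an audit list so a reviewer can pull the privileged ones. The user names, resource names, the 08:00 to 17:59 approved-hours window and the ticket identifier are constructed assumptions for illustration.

```python
# Added example (not from the original page): a small authorization engine for
# the training-company scenario. Role names, resources, users and the approved
# hours window are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# RBAC: permissions are attached to roles, never directly to people.
# Note what each role does NOT get: instructors get rosters but no payment data,
# finance has no course_material edit, it_admin has platform admin only.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "instructor": {("course_material", "read"), ("course_material", "edit"), ("roster", "read")},
    "finance": {("invoice", "read"), ("invoice", "edit"), ("payment", "request"), ("payment", "approve")},
    "student_support": {("student_contact", "read"), ("case_note", "read"), ("case_note", "edit")},
    "it_admin": {("platform", "admin")},
    "contractor_support": {("case_note", "read")},
}

# ABAC conditions: resources whose access also depends on context attributes.
SENSITIVE = {"invoice", "payment", "student_contact"}   # managed device + approved hours
PRIVILEGED = {"platform"}                               # MFA + approval ticket
APPROVED_HOURS = range(8, 18)                           # assumed window: 08:00-17:59 local

@dataclass
class User:
    name: str
    roles: Set[str]
    expires: Optional[datetime] = None   # lifecycle control for contractors

@dataclass
class Request:
    user: User
    resource: str
    action: str
    when: datetime
    managed_device: bool = True
    mfa: bool = False
    approval_ticket: Optional[str] = None
    requested_by: Optional[str] = None   # who originated a payment being approved

AUDIT_LOG: List[dict] = []   # accountability: every decision is recorded

def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate a request and record the outcome, allowed or denied."""
    allowed, reason = _evaluate(req)
    AUDIT_LOG.append({"user": req.user.name, "resource": req.resource,
                      "action": req.action, "when": req.when.isoformat(),
                      "allowed": allowed, "reason": reason})
    return allowed, reason

def _evaluate(req: Request) -> Tuple[bool, str]:
    u = req.user
    # 1. Account lifecycle: an expired contractor account is dead, whatever its roles.
    if u.expires is not None and req.when >= u.expires:
        return False, "account expired"
    # 2. RBAC: the union of role permissions must contain the requested pair.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
    if (req.resource, req.action) not in granted:
        return False, "no role grants this permission"
    # 3. ABAC: sensitive data only from a managed device during approved hours.
    if req.resource in SENSITIVE:
        if not req.managed_device:
            return False, "sensitive data requires a managed device"
        if req.when.hour not in APPROVED_HOURS:
            return False, "sensitive data access outside approved hours"
    # 4. Separation of duties: the requester of a payment may not approve it.
    if req.resource == "payment" and req.action == "approve" and req.requested_by == u.name:
        return False, "separation of duties: requester cannot approve own payment"
    # 5. Privileged access management: platform admin needs MFA and an approval record.
    if req.resource in PRIVILEGED:
        if not req.mfa:
            return False, "privileged action requires MFA"
        if not req.approval_ticket:
            return False, "privileged action requires an approval ticket"
    return True, "allowed"

def privileged_decisions() -> List[dict]:
    """What a quarterly review would pull: every privileged decision, allowed or not."""
    return [e for e in AUDIT_LOG if e["resource"] in PRIVILEGED]

# Constructed users and a workday timestamp for the scenario.
alice = User("alice", {"instructor"})
bob = User("bob", {"finance"})
carol = User("carol", {"it_admin"})
dan = User("dan", {"contractor_support"}, expires=datetime(2026, 5, 1))
workday = datetime(2026, 4, 15, 10, 0)

if __name__ == "__main__":
    for req in [
        Request(alice, "roster", "read", workday),
        Request(alice, "payment", "request", workday),          # instructors see no payments
        Request(bob, "course_material", "edit", workday),       # finance cannot edit courses
        Request(bob, "invoice", "read", workday, managed_device=False),
        Request(bob, "payment", "approve", workday, requested_by="bob"),
        Request(carol, "platform", "admin", workday, mfa=True), # MFA but no approval ticket
        Request(carol, "student_contact", "read", workday),     # IT admin is not student support
        Request(dan, "case_note", "read", datetime(2026, 5, 2, 10, 0)),  # contract over
    ]:
        print(req.user.name, req.resource, req.action, decide(req))
```

The order of checks matters: lifecycle first, so a disabled or expired account is refused before any role is consulted; RBAC next, so a role that was never granted the permission fails regardless of context; then the attribute and duty conditions that narrow an otherwise valid grant. The deny reasons are deliberately specific because the audit entry, not the user, is the consumer of that string during review.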

When an exam answer includes "give everyone access so work is not delayed," reject it unless the question specifically asks for a temporary emergency procedure with approval and review. Security supports the business, but routine convenience does not override least privilege.

Test Your Knowledge

A contractor needs access for 30 days during enrollment season. Which control best supports least privilege and lifecycle management?

Test Your Knowledge

Which statement best distinguishes authentication from authorization?

Test Your Knowledge

A company grants permissions based on job roles such as Finance Analyst and Instructor. Which access control model is most directly represented?
