Authorization, Least Privilege, RBAC, Geofencing, and Time-Based Access
Key Takeaways
- Authorization decides what an authenticated identity can access or change.
- Least privilege grants only the access needed for the approved role or task.
- RBAC maps permissions to roles instead of assigning one-off permissions to every user.
- Conditional access can consider location, device posture, time, risk, and user group.
- Geofencing and time-based access are useful guardrails but should not replace strong authentication and logging.
Authorization and Conditional Access
Authentication proves an identity. Authorization determines what that identity can do. A user can authenticate successfully and still be denied access because they are not in the right role, are connecting from an unapproved location, are using an unmanaged device, or are outside an approved time window.
Least Privilege
Least privilege means an account receives only the permissions needed for the task, no more and no longer than needed. It applies to user accounts, service accounts, administrators, network devices, wireless clients, VPN groups, and cloud identities.
| Poor pattern | Better pattern |
|---|---|
| All IT staff are permanent domain admins | Admins request time-limited elevation for specific systems |
| Every VPN user can reach every subnet | VPN groups map to approved applications and networks |
| Service account can read and write all databases | Service account can access only required database objects |
| Guest Wi-Fi can route to internal systems | Guest Wi-Fi reaches only the Internet |
Privilege creep happens when users keep old access after job changes. A mover workflow and recurring access reviews help remove permissions that no longer match the role.
RBAC
Role-based access control, or RBAC, assigns permissions to roles and assigns users to those roles. It is easier to review and support than assigning many unique permissions directly to individual users.
| Role | Typical access | Denied access |
|---|---|---|
| Help desk | Password reset, endpoint inventory, ticket notes | Firewall rule changes |
| Network operator | Read network monitoring, run approved diagnostics | Identity provider administration |
| Network engineer | Configure assigned switches and routers | Payroll application data |
| Guest user | Internet access only | Internal application subnets |
RBAC works best when role names are understandable, role owners approve membership, and access is reviewed regularly. A group named "NetOps-Switch-ReadOnly" is easier to review than a vague group named "Access-7."
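The following is an added example (not code from the original page) showing the RBAC and mover-workflow ideas above as a small policy model: roles carry permissions, users carry roles, authorization is default deny, and an access-review function flags privilege creep and direct grants that bypass roles. Every role name, permission string, job title and user below is constructed sample data.

```python
"""RBAC with a least-privilege access review.

Added example, not from the original page. Role names, permissions,
job functions and users are all constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role catalogue, loosely modelled on the page's RBAC table.
ROLE_PERMISSIONS = {
    "HelpDesk": {"password:reset", "endpoint:inventory:read", "ticket:note"},
    "NetOps-Monitoring-ReadOnly": {"monitoring:read", "diagnostics:run"},
    "NetOps-Switch-Config": {"switch:configure", "router:configure", "monitoring:read"},
    "Guest": {"internet:egress"},
}

# Constructed mapping from job function to the roles approved for it.
# A mover workflow and a recurring access review compare users against this.
APPROVED_ROLES_BY_JOB = {
    "help_desk_analyst": {"HelpDesk"},
    "network_operator": {"NetOps-Monitoring-ReadOnly"},
    "network_engineer": {"NetOps-Switch-Config", "NetOps-Monitoring-ReadOnly"},
    "visitor": {"Guest"},
}


@dataclass
class User:
    name: str
    job: str
    roles: set = field(default_factory=set)
    # Grants made directly to the user outside any role: the pattern the
    # page warns makes review harder.
    direct_permissions: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Union of every role's permissions plus any direct grants."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.direct_permissions


def is_authorized(user: User, permission: str) -> bool:
    """Default deny: only an explicit grant returns True."""
    return permission in effective_permissions(user)


def review_user(user: User) -> list[str]:
    """Return the findings an access reviewer would act on for one user."""
    findings = []
    approved = APPROVED_ROLES_BY_JOB.get(user.job, set())
    for role in sorted(user.roles - approved):
        findings.append(f"{user.name}: role {role} is not approved for job {user.job}")
    for perm in sorted(user.direct_permissions):
        findings.append(f"{user.name}: direct grant {perm} bypasses RBAC")
    for role in sorted(r for r in user.roles if r not in ROLE_PERMISSIONS):
        findings.append(f"{user.name}: role {role} has no definition")
    return findings


def move_user(user: User, new_job: str) -> User:
    """Mover workflow: replace old roles with exactly the set approved for the new job.

    Direct grants are dropped on purpose; anything still needed must be
    re-requested through a role.
    """
    return User(name=user.name, job=new_job, roles=set(APPROVED_ROLES_BY_JOB[new_job]))


if __name__ == "__main__":
    # Constructed case: an engineer moved to the help desk but kept the old role.
    dana = User("dana", "help_desk_analyst", {"HelpDesk", "NetOps-Switch-Config"})
    for line in review_user(dana):
        print(line)
    dana = move_user(dana, "help_desk_analyst")
    print("switch:configure after move:", is_authorized(dana, "switch:configure"))
```

The review step is where least privilege is actually enforced over time: the authorization check alone would happily keep honouring the stale `NetOps-Switch-Config` role until someone runs the review or the mover workflow.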
Conditional Access
Conditional access uses context to allow, deny, or challenge an access request.
| Condition | Example decision |
|---|---|
| User group | Engineers can access network management tools |
| Device posture | Managed, encrypted laptops can use full VPN |
| Location | Block logins from countries where the company does not operate |
| Risk score | Require stronger MFA for impossible travel or new device |
| Time | Permit contractor access only during approved support hours |
| Network | Allow admin portals only from a privileged access workstation subnet |
Geofencing is a location-based policy. It can reduce exposure, but it is not perfect because attackers can use proxies or compromised systems in approved regions. Time-based access reduces standing exposure for temporary work, but emergency access and logging still need planning.
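As an added example (not code from the original page), the policy engine below turns the conditional-access table and the geofencing and time-window points above into an ordered rule set that returns ALLOW, DENY or STEP_UP (require stronger MFA) and denies by default. The approved countries, the privileged access workstation subnet, the contractor window, the plant time zone offset, the group and resource names, and every request are constructed values; real deployments take them from the identity provider and policy store.

```python
"""Conditional access decision with a fail-closed time window.

Added example, not from the original page. Countries, subnets, group
names, resource names, the support window and the time zone offset are
constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

ALLOW, DENY, STEP_UP = "ALLOW", "DENY", "STEP_UP"

# Constructed policy inputs.
OPERATING_COUNTRIES = {"US", "CA"}
PAW_SUBNET = ip_network("10.50.0.0/24")          # privileged access workstation subnet
CONTRACTOR_WINDOW = (time(8, 0), time(12, 0))     # Saturday 08:00-12:00 plant local time
PLANT_TZ = timezone(timedelta(hours=-5))          # fixed offset standing in for plant time


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    country: str            # as resolved by the identity provider; a signal, not proof
    device_managed: bool
    source_ip: str
    when: datetime          # must be timezone-aware
    risk_high: bool = False # e.g. impossible travel or an unrecognised device
    resource: str = ""


def in_contractor_window(when: datetime) -> bool:
    """Fail closed: naive timestamps and anything outside the window return False."""
    if when.tzinfo is None:
        return False
    local = when.astimezone(PLANT_TZ)
    start, end = CONTRACTOR_WINDOW
    return local.weekday() == 5 and start <= local.time() < end   # 5 == Saturday


def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Rules are ordered, first match wins, default deny."""
    if req.country not in OPERATING_COUNTRIES:
        return DENY, "geofence: country not approved"
    if req.resource == "admin-portal":
        if not req.device_managed or ip_address(req.source_ip) not in PAW_SUBNET:
            return DENY, "admin portal requires a managed device on the PAW subnet"
        if req.risk_high:
            return STEP_UP, "high-risk session on admin portal"
        return ALLOW, "admin from PAW subnet"
    if "contractors" in req.groups:
        if not in_contractor_window(req.when):
            return DENY, "outside contractor support window"
        return STEP_UP, "contractor inside window: MFA required"
    if req.resource == "full-vpn" and not req.device_managed:
        return DENY, "full VPN requires a managed device"
    if req.risk_high:
        return STEP_UP, "risk score high"
    if "engineers" in req.groups and req.resource == "net-mgmt":
        return ALLOW, "engineers group may use network management tools"
    return DENY, "no rule allowed the request"


def sample_requests() -> dict:
    """Constructed requests that exercise each rule (2024-06-08 is a Saturday)."""
    sat_morning = datetime(2024, 6, 8, 9, 0, tzinfo=PLANT_TZ)
    sat_afternoon = datetime(2024, 6, 8, 13, 30, tzinfo=PLANT_TZ)
    contractors, admins, engineers = frozenset({"contractors"}), frozenset({"netadmins"}), frozenset({"engineers"})
    return {
        "contractor_in_window": Request("pat", contractors, "US", True, "203.0.113.10", sat_morning, resource="plant-net"),
        "contractor_after_window": Request("pat", contractors, "US", True, "203.0.113.10", sat_afternoon, resource="plant-net"),
        "contractor_naive_time": Request("pat", contractors, "US", True, "203.0.113.10", sat_morning.replace(tzinfo=None), resource="plant-net"),
        "admin_from_paw": Request("sam", admins, "US", True, "10.50.0.7", sat_morning, resource="admin-portal"),
        "admin_from_cafe": Request("sam", admins, "US", True, "198.51.100.4", sat_morning, resource="admin-portal"),
        "out_of_region": Request("sam", admins, "ZZ", True, "10.50.0.7", sat_morning, resource="admin-portal"),
        "byod_full_vpn": Request("lee", engineers, "CA", False, "198.51.100.9", sat_morning, resource="full-vpn"),
        "engineer_net_mgmt": Request("lee", engineers, "CA", True, "198.51.100.9", sat_morning, resource="net-mgmt"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:26} -> {decide(req)}")
```

Two details carry the page's caveats: the geofence check is the first rule, but it only gates the request, it never grants it, and the contractor window treats a missing time zone as "outside the window" so that a misconfigured clock or parser fails closed rather than open. Every decision also returns a reason string so the log explains why access was denied or stepped up.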
Network Authorization Examples
| Scenario | Strong authorization design |
|---|---|
| Remote finance users need one accounting app | VPN group allows only the accounting subnet and port |
| Contractors support a plant network weekly | Time-limited access with MFA and logging during the support window |
| Wireless IoT sensors need cloud telemetry | ACL permits only DNS, NTP, and vendor endpoint traffic |
| Admins manage firewalls | TACACS+ maps named admins to command sets and records activity |
Common Traps
- Authentication success does not imply broad authorization.
- Adding users directly to many permissions makes review harder than role-based groups.
- Geofencing is a useful signal, not proof that a user is legitimate.
- Time-based access should fail closed when the window expires.
- Least privilege must include network reachability, not just application permissions.
A VPN user authenticates successfully but can reach only the accounting application subnet. Which concept is being enforced?
A contractor account is automatically disabled outside a Saturday 08:00 to 12:00 maintenance window. What control is this?
Which choices support least privilege? Select three.
Select all that apply