In general, computer access control includes four phases: authorization; authentication; access approval; and auditing. Authorization is the function of specifying access rights to resources. For example, a human resources staff member is normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. Authentication is the act of confirming the truth of an attribute that is claimed true by an entity (e.g., whether or not the entity is an authorized entity). Access approval is the act that grants or rejects access during access control operation. Authentication and access approval are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens can include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems. Auditing is the act of analyzing a chronological record of operations and/or events to, at least in part, detect security incidents and security violations.
Mandatory access control (MAC) and discretionary access control (DAC) are two types of access controls. In a mandatory access control system, the access control decision is contingent on verifying the compatibility of the security properties of data and the clearance properties of an individual (or a process proxying for the individual). In general, the decision depends on the integrity of metadata that defines the security properties of the data, as well as the security clearance of the individual or process requesting access. Discretionary access control is a type of access control that restricts access to resources based on the identity of an individual (or a process proxying for the individual) and/or a group to which the individual belongs. The access controls are discretionary in the sense that an individual who is authorized to have certain access permissions is capable of passing those permissions to other individuals, unless restrained by mandatory access controls. Accordingly, systems can implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that individuals can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.
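
The following sketch is an added example, not part of the original text. It shows a DAC grant being constrained by a MAC check, with each grant and decision appended to an audit record. The subject and resource names, the `LEVELS` ordering, and the rule that clearance must be at least the data's label are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed label ordering

@dataclass
class Subject:
    name: str
    clearance: str                      # MAC clearance property
    groups: frozenset = frozenset()

@dataclass
class Resource:
    name: str
    label: str                                # MAC metadata, set by policy, not by users
    acl: dict = field(default_factory=dict)   # DAC: principal -> set of permissions

audit_log = []  # chronological record of grants and access decisions

def mac_allows(subject, resource):
    # MAC: the subject's clearance must be compatible with the data's label
    return LEVELS[subject.clearance] >= LEVELS[resource.label]

def dac_allows(subject, resource, perm):
    # DAC: the subject's identity or one of its groups must hold the permission
    principals = {subject.name} | set(subject.groups)
    return any(perm in resource.acl.get(p, set()) for p in principals)

def grant(granter, grantee_name, resource, perm):
    # Discretionary: a holder of a permission may pass it to someone else
    ok = dac_allows(granter, resource, perm)
    if ok:
        resource.acl.setdefault(grantee_name, set()).add(perm)
    audit_log.append(("grant", granter.name, grantee_name, resource.name, perm, ok))
    return ok

def check_access(subject, resource, perm):
    # Access approval: MAC constrains whatever DAC has handed out
    mac, dac = mac_allows(subject, resource), dac_allows(subject, resource, perm)
    audit_log.append(("access", subject.name, resource.name, perm, mac, dac, mac and dac))
    return mac and dac

def demo():
    alice = Subject("alice", "secret", frozenset({"hr"}))
    bob = Subject("bob", "public")
    carol = Subject("carol", "secret")
    records = Resource("employee_records", "confidential", {"hr": {"read"}})
    return [check_access(alice, records, "read"),    # True: group ACL and clearance
            grant(alice, "bob", records, "read"),    # True: DAC hand-off succeeds
            check_access(bob, records, "read"),      # False: MAC overrides the grant
            grant(carol, "carol", records, "read"),  # False: carol holds nothing to pass
            check_access(carol, records, "read")]    # False: clearance alone is not enough
```

The third audit entry records `mac=False, dac=True`, which is the case to look for when reviewing whether discretionary grants are reaching subjects that mandatory policy excludes.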