What is Access Control?

Access control operates at two levels: authentication (verifying identity — "who are you?") and authorization (verifying permissions — "what are you allowed to do?"). Authentication establishes identity through credentials like passwords, tokens, or certificates. Authorization determines what that identity can access based on policies, roles, or attributes.

Access control models vary in complexity and flexibility. Discretionary access control (DAC) lets resource owners set permissions — like Unix file permissions. Mandatory access control (MAC) enforces system-wide policies that override owner preferences — used in military and high-security environments. Role-based access control (RBAC) assigns permissions to roles, and users inherit permissions through role membership. Attribute-based access control (ABAC) evaluates multiple attributes (user department, time of day, resource sensitivity) to make dynamic authorization decisions.

Effective access control follows the principle of least privilege: grant the minimum access necessary, for the minimum time required. This extends to service accounts, API keys, and machine-to-machine communication — not just human users. Overly permissive access controls are a leading cause of data breaches, as attackers exploit excessive permissions to move laterally through systems after an initial compromise.

How Vaulted uses Access Control

Vaulted implements access control through cryptographic and mechanical means rather than identity-based authentication. Access to a secret requires possession of the unique link containing the encryption key in the URL fragment. Further access control is enforced through view limits (the secret is deleted after a set number of accesses), time-based expiration (TTL auto-deletion in Redis), and optional passphrase protection that adds a knowledge factor. This model provides strong access control without requiring user accounts or an identity system.