
Difference between revisions of "Access Control Cheat Sheet"

From OWASP
(Starting work on fleshing out this section)
Line 91: Line 91:
  
 
Shruti Kulkarni - shruti.kulkarni [at] owasp.org<br/>
 
Shruti Kulkarni - shruti.kulkarni [at] owasp.org<br/>
 +
Adinath Raveendra Raj - adinath [at] acciente.com<br/>
 
Mennouchi Islam Azeddine - azeddine.mennouchi [at] owasp.org<br/>
 
Mennouchi Islam Azeddine - azeddine.mennouchi [at] owasp.org<br/>
 
Jim Manico - jim [at] owasp.org<br/>
 
Jim Manico - jim [at] owasp.org<br/>

Revision as of 18:38, 6 March 2016

This article focuses on providing clear, simple, actionable guidance for implementing access control security in your applications. The objective is to give developers, reviewers, designers and architects guidance on designing, creating and maintaining access controls in web applications.

What is Access Control / Authorization?

Authorization is the process of deciding whether a request to access a particular resource should be granted or denied. Note that authorization is not equivalent to authentication; the two terms and their definitions are frequently confused. Authentication is providing and validating identity. Authorization includes the execution rules that determine what functionality and data the user (or Principal) may access, ensuring the proper allocation of access rights after authentication is successful.

Web applications need access controls to allow users (with varying privileges) to use the application. They also need administrators to manage the application's access control rules and the granting of permissions or entitlements to users and other entities. Various access control design methodologies are available. To choose the most appropriate one, perform a risk assessment to identify the threats and vulnerabilities specific to your application, so that the selected access control methodology fits your application.
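A minimal illustration of the distinction just drawn, added here as an example rather than code from the cheat sheet: authentication yields a Principal, and a deny-by-default authorize() function then decides, on every request, which operations and which documents that principal may act on. The role names, permission strings, HTTP status mapping and sample users are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Identity established by authentication; holds no access decision itself."""
    user_id: str
    roles: frozenset

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str

# Functional rules (constructed): which roles may invoke which operations.
ROLE_PERMISSIONS = {
    "admin": frozenset({"document:read", "document:delete", "user:manage"}),
    "editor": frozenset({"document:read", "document:delete"}),
    "viewer": frozenset({"document:read"}),
}

def has_permission(principal, permission):
    return any(permission in ROLE_PERMISSIONS.get(r, frozenset())
               for r in principal.roles)

def authorize(principal, action, doc=None):
    """Return True only when an explicit rule grants access; anything else is denied."""
    if principal is None:                     # no authenticated identity
        return False
    if action == "user:manage":
        return has_permission(principal, action)
    if action in ("document:read", "document:delete"):
        if doc is None or not has_permission(principal, action):
            return False
        # Data-level rule: only admins may act on documents they do not own.
        return "admin" in principal.roles or doc.owner_id == principal.user_id
    return False                              # unknown action: deny by default

def handle_request(principal, action, doc=None):
    """Server-side check on every request: 401 without identity, 403 without rights."""
    if principal is None:
        return 401
    return 200 if authorize(principal, action, doc) else 403

if __name__ == "__main__":
    alice = Principal("alice", frozenset({"editor"}))   # constructed sample user
    alices_doc = Document("d1", owner_id="alice")
    print(handle_request(alice, "document:delete", alices_doc))  # 200
    print(handle_request(None, "document:delete", alices_doc))   # 401
```

The same authorize() call must guard every server-side entry point; hiding a button in the UI is not an access control.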

Access Control Policy

Why do we need an access control policy for web development?

The intention of having an access control policy is to ensure that security requirements are described clearly to architects, designers, developers and the support team, so that access control functionality is designed and implemented in a consistent manner.