Access Control is the security process and system that manages and dictates what actions subjects (e.g., users, processes) are permitted to perform on objects (e.g., files, physical rooms). The definition in the question precisely describes an access control system's function: enabling an authority to enforce policies that regulate entry to physical areas and use of logical resources within an information system. It is a fundamental security principle that encompasses authentication, authorization, and accountability to minimize risk to the organization's assets.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations. Special Publication (SP) 800-53

Revision 5. Page 51

Introduction to the Access Control (AC) Family. The document defines access control as "the process of granting or denying specific requests to: 1) obtain and use information and related information systems...; 2) enter specific physical facilities..."

DOI: https://doi.org/10.6028/NIST.SP.800-53r5

2. Sandhu

R. S.

& Samarati

P. (1994). Access control: principle and practice. IEEE Communications Magazine

32(9)

40-48. In Section I

"Introduction

" the authors state

"Access control is concerned with determining the allowed activities of legitimate users

mediating every attempt by a user to access a resource in the system." (p. 40).

DOI: https://doi.org/10.1109/35.312842

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278-1308. This foundational paper

often used in university curricula

outlines the core principles. Section I-A-2

"The Access Control Mechanism

" describes the concept of a system that controls access by comparing the requested action to a set of authorizations.

DOI: https://doi.org/10.1109/PROC.1975.9939