Security access control, or simply access control, is an important aspect of any system. Security access control is the act of ensuring that an authenticated user accesses only what they are authorized to and no more. The bad news is that security is rarely at the top of people's lists, although mention terms such as data confidentiality, sensitivity, and ownership and they quickly become interested. The good news is that there is a wide range of techniques that you can apply to help secure access to your system. The bad news is that as Mitnick and Simon (2002) point out "...the human factor is the weakest link. Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivette, or ignorance come into play." They go on to say that "security is not a technology problem — it's a people and management problem." My experience is that the "technology factor" and the "people factor" go hand in hand; you need to address both issues to succeed.

This chapter overviews the issues associated with security access control within your system. As with other critical implementation issues, such as concurrency control and referential integrity, it isn't a black and white world. A "pure object" approach will likely prove to be insufficient as will a "pure database" approach, instead you will need to mix and match techniques.

This chapter addresses: