Here’s your **in-depth notes** for **AppDev 1** – Topic: **Access Control**
I’ve covered **all topics** from the transcript, matched them to your **learning outcomes**, and organized them in a clean, detailed format.

---

## **Access Control – AppDev 1**

### **1. Introduction to Access Control**

Access control refers to the mechanisms and processes used to regulate who can access certain resources in a computer system or application, and what operations they can perform.

* **Access** means the ability to **read, write, or modify** certain information.
* Not all parts of an application are meant for public access — sensitive or private data must be protected.

**Example scenarios:**

1. **E-commerce application** –

   * **Public access:** Product listings, general information.
   * **Restricted access:** Customer’s phone number, email, address, and financial information.
2. **Banking system** –

   * Customers can access **only their own account information**.
3. **Educational institutions** –

   * Students can access **only their own grades**, not classmates’.
4. **Company environment** –

   * Different teams have access only to **their own departmental data**.

---

### **2. Types of Access**

Access control isn’t only about modification; even read-only access needs to be regulated.

* **Read-only access:** User can view data but cannot change it.
  Example: Viewing someone’s grades or a company’s confidential document.
* **Read-write access:** User can view, create, modify, or delete data.
  Example: Admin updating customer records.
* **Fine-grained control:** Partial access to certain parts of a resource.
  Example: A student can edit certain fields on a form but not delete it.

---

### **3. Examples of Access Control in Systems**

#### **Linux File System**

* **Owner:** Creator of the file; can modify permissions.
* **Group:** Group of users who can access a file.
* **Root/Admin:** Has unrestricted access across the system.
* File permissions determine who can **read (r)**, **write (w)**, and **execute (x)**.

#### **Email Systems**

* You can read your own emails.
* Forwarding emails is also a permission (can be restricted in certain systems).

#### **E-commerce**

* Shopping cart is visible only to the respective customer.
* Financial information is strictly private.

---

### **4. Discretionary vs. Mandatory Access Control**

#### **Discretionary Access Control (DAC)**

* Owner of the resource controls who can access it.
* Example: In Linux, file owner can set `chmod` permissions for others.
* User has the discretion to:

  * Allow others to read/write files.
  * Revoke access at any time.
* Example: Forwarding an email to others.

#### **Mandatory Access Control (MAC)**

* Access permissions are controlled by a **central authority**.
* Users **cannot** transfer or change permissions on their own.
* Highly restrictive, used in environments requiring high security:

  * Military systems
  * Government classified data
  * Sensitive corporate secrets

---

### **5. Role-Based Access Control (RBAC)**

Instead of granting permissions to individual usernames, permissions are tied to **roles**.

#### **Concept**

* **Role:** A label representing a set of permissions.
* Users are assigned roles, and roles control access.

**Example in a university:**

* **Student** → Access to own grades.
* **Teacher** → Access to grades of students they teach.
* **Head of Department (HOD)** → Access to all departmental student records.

#### **Benefits**

* Easy to manage when personnel change (update role assignment, not all individual permissions).
* Supports **hierarchies**:

  * HOD ⊇ Teacher ⊇ Student (HOD has all permissions of a teacher, plus more).
* Roles can be unrelated (e.g., HOD and Sports Club Member are independent).

---

### **6. Attribute-Based Access Control (ABAC)**

Adds **contextual attributes** to the decision-making process, beyond just roles.

#### **Examples of Attributes:**

* **Time of day:** Access allowed only between 9 AM – 5 PM.
* **Location:** Access allowed only from within the office network.
* **Device type:** Restrict access from unregistered devices.

**Example:**

* A bank employee can view the ledger **only**:

  * If they have the "employee" role **and**
  * It is after 8 AM on a working day.

---

### **7. Permissions vs. Policies**

#### **Permissions**

* Simple, static rules.
* Example: "User X can read File Y."

#### **Policies**

* Combine multiple conditions into rules.
* Example: "Employee can read ledger **if** it’s a working day **and** after 8 AM."
* Policies allow more complex access logic.

---

### **8. Principle of Least Privilege**

**Definition:** Give each user or system process **only the minimum permissions necessary** to do their job.

#### **Benefits**

* **Better security:** Fewer people can access sensitive data.
* **Better stability:** Reduces risk of accidental changes.
* **Ease of deployment:** Controlled, predictable environments.

**Examples:**

* Linux users can read system libraries but cannot modify them.
* `/etc/shadow` (stores encrypted passwords) readable only by root.
* Python virtual environments allow local installs without altering system-wide files.

**Challenges:**

* Some systems require loosening restrictions (e.g., writable directories for uploads in web apps).

---

### **9. Privilege Escalation**

Temporarily gaining higher-level permissions for specific tasks.

#### **In Linux:**

* **`sudo`**: Run a single command with elevated privileges.
* **`su`**: Switch to another user (e.g., root) entirely.
* **Risks:** Potential misuse or system damage; should be done minimally and logged.

**In Web Applications:**

* Admin dashboards for special operations (adding users, modifying records).
* Should only be accessed when necessary.

---

### **10. Enforcing Access Control**

Access control can be implemented at multiple layers:

#### **1. Hardware Level**

* Physical security: keys, NFC cards, USB tokens.

#### **2. Operating System Level**

* File permissions.
* Memory segmentation (preventing one process from reading another’s memory).

#### **3. Application Level**

* Restrict routes/views based on user roles and permissions.
* Implement checks in **controllers** before executing actions.
* Use **decorators** in Python/Flask to wrap functions with access checks.

---

## **Summary Table**

| Concept                  | Description                            | Example                             |
| ------------------------ | -------------------------------------- | ----------------------------------- |
| **DAC**                  | User controls permissions              | Linux `chmod`                       |
| **MAC**                  | Central authority enforces permissions | Military systems                    |
| **RBAC**                 | Permissions tied to roles              | HOD, Teacher, Student               |
| **ABAC**                 | Permissions based on attributes        | Time-restricted access              |
| **Least Privilege**      | Only minimum access granted            | No student access to others’ grades |
| **Privilege Escalation** | Temporary elevated rights              | `sudo` in Linux                     |
| **Permissions**          | Simple static rules                    | User can read file                  |
| **Policies**             | Complex, multi-condition rules         | Access only during work hours       |