An access control matrix is a static delineation of the permissions in a computer system. It has the capacity to provide very fine grained control for particular operations and processes, and can be one component of a computer security system. Tight permissions are useless without firm controls on who and what can edit those permissions, and thus other security measures are needed as well.
Within an access control matrix, anything that a system might need to access, like a file, a piece of hardware, or a process, is known as an object. Subjects like user processes and other files that might need access have varying permissions, known as rights. The matrix lists objects along one axis and subjects along another to provide information about the varying rights assigned to different subjects. Usually the goal is to keep rights limited to reduce the risk of compromise.
For instance, a particular file might only need to be able to read another file. It will only be given reading permissions and cannot make changes to the file. Conversely, a process might need full rights to perform functions like moving files, storing data, or allowing a user to edit a word processing document. The access control matrix does not change unless a technician actively alters a setting; another example can be seen with Internet servers, where the administrator can determine the levels of permissions available to visitors through a matrix.
By limiting capability, a security administrator can reduce the risks that a compromise will occur in a system. When a problem does develop, the administrator can use the access control matrix to find out which entities had the rights necessary to do something like corrupting another file or distributing information without authorization. The tight control can also limit the damage caused by security exploits like hacks into attached external hard drives, as the hacker might not be able to do anything meaningful with that access.
Many systems come with a default access control matrix set to basic security standards. For the purpose of many users, this may be sufficient, and edits may not be advised. Editing could make the system less safe, or create access problems that might limit system functionality. When a technician does need to make changes, that person can review the system and the needs to decide on the best changes to make. If necessary, they can be rolled back to prior settings with a system restore.