What Is an Access Control Matrix?

Mary McMahon
Mary McMahon

An access control matrix is a static delineation of the permissions in a computer system. It has the capacity to provide very fine grained control for particular operations and processes, and can be one component of a computer security system. Tight permissions are useless without firm controls on who and what can edit those permissions, and thus other security measures are needed as well.

An access control matrix is a static delineation of the permissions in a computer system.
An access control matrix is a static delineation of the permissions in a computer system.

Within an access control matrix, anything that a system might need to access, like a file, a piece of hardware, or a process, is known as an object. Subjects like user processes and other files that might need access have varying permissions, known as rights. The matrix lists objects along one axis and subjects along another to provide information about the varying rights assigned to different subjects. Usually the goal is to keep rights limited to reduce the risk of compromise.

For instance, a particular file might only need to be able to read another file. It will only be given reading permissions and cannot make changes to the file. Conversely, a process might need full rights to perform functions like moving files, storing data, or allowing a user to edit a word processing document. The access control matrix does not change unless a technician actively alters a setting; another example can be seen with Internet servers, where the administrator can determine the levels of permissions available to visitors through a matrix.

By limiting capability, a security administrator can reduce the risks that a compromise will occur in a system. When a problem does develop, the administrator can use the access control matrix to find out which entities had the rights necessary to do something like corrupting another file or distributing information without authorization. The tight control can also limit the damage caused by security exploits like hacks into attached external hard drives, as the hacker might not be able to do anything meaningful with that access.

Many systems come with a default access control matrix set to basic security standards. For the purpose of many users, this may be sufficient, and edits may not be advised. Editing could make the system less safe, or create access problems that might limit system functionality. When a technician does need to make changes, that person can review the system and the needs to decide on the best changes to make. If necessary, they can be rolled back to prior settings with a system restore.

Mary McMahon
Mary McMahon

Ever since she began contributing to the site several years ago, Mary has embraced the exciting challenge of being a EasyTechJunkie researcher and writer. Mary has a liberal arts degree from Goddard College and spends her free time reading, cooking, and exploring the great outdoors.

You might also Like

Discussion Comments


@David09 - Personally, I found Vista to be very annoying in this regard. It seemed that every time you wanted to launch an application you were prompted and it asked you if you really wanted to launch that application.

I realize this was meant to be a security mechanism to limit unwanted processes (like viruses for example) but it got to be very irritating after a while.

Fortunately I found out I could turn off this mechanism. I prefer to initiate access control restrictions on my own, rather than having the computer assume default controls.


@Mammmood - You don’t always need formal access control systems if you want to limit edits to a particular document. Many documents let you set them as read only.

This is a feature within the document itself and I believe that it can be password protected, so that another user cannot change the setting. I’ve made both word processing and spreadsheet documents read only and it worked just fine.

I say this because I don’t think that you should bother the system administrator about every little thing. Users should get some training in how to protect their own documents. Leave the big stuff to the system administrator, like protecting entire folders or limiting who can see what parts of the network.


@miriam98 - I suppose that’s okay for your scenario. However in many corporate environments I’ve found that the security access control is more tightly regulated.

We have people in our workplace that can’t even get into certain folders. The administrator has blocked them out. Actually I think it’s a good thing, because there is sensitive data in these folders and you don’t want anyone just poking about and potentially overwriting or deleting data.

If we want these people to have access we can do that however; we just have to submit a request to the system administrator and get approval from our manager.


A good access control matrix example is found in the newer versions of Windows, which impose tight controls on who can launch what application.

I found this out the hard way when, as a software developer, I built a database application for a client. Everything was running file for awhile and then she called and told me she couldn’t launch the program.

At first I thought the trouble was that she didn’t know how to run the program. However, after checking out her system, I found that it was a permissions issue.

Windows blocked her from using that program. To fix it, I had to go into the properties panel for that file, and adjust rights and permissions. I basically gave her all rights (in effect making her an administrator) and this fixed the problem.

Post your comments
Forgot password?