Week 11
3.11 Data access across platforms
3.11.1 Understand the features, purposes, benefits and drawbacks of accessing data across platforms:
Accessing data across platforms refers to the ability to retrieve, update, or use data from different devices, systems, operating environments, or applications. Examples include viewing cloud-stored documents on a mobile phone, a laptop, or a browser; accessing databases from Windows and Linux systems; or pulling device logs from IoT hardware into a central dashboard.
This capability is essential in modern digital support and security environments, where many systems must integrate, communicate, and share information seamlessly.
Permissions
Authorisation
Authorisation is the process of determining what a user, device, application, or service is allowed to do once their identity has been authenticated.
It is a key permission strategy used to control access to data throughout its lifecycle from the moment it is collected, while it is stored, and when it is accessed or used later. Authorisation ensures that individuals and systems only interact with the data they are permitted to, based on organisational policy, legal requirements, and security controls.
Privileges
Privileges refer to the specific actions a user, system, or application is allowed to perform on data once they have been authenticated and authorised.
While permissions define what data can be accessed, privileges define what can be done with that data. Privileges are a critical part of access control and directly impact security, compliance, and operational effectiveness.
Common Privileges
Users or systems may have privileges to:
Read - View data but not alter or delete it.
Write - Create or modify data.
Delete - Remove data from storage.
Execute - Run scripts, commands, or applications.
Share / Forward - Distribute data to others or external systems.
Approve / Authorise Actions - Such as approving a transaction or data change request.
Admin-Level Privileges
- Creating or deleting user accounts
- Changing access rights
- Configuring security settings
- Managing databases or servers
These are the most sensitive privileges.
Privilege Management Strategies
5.1 Least Privilege Principle
Users are given only the privileges necessary to do their job, no more.
Benefits
- Minimises damage from mistakes
- Reduces insider threat
- Limits the impact of credential theft
5.2 Privilege Auditing and Review
Privileges must be reviewed regularly to ensure they are still appropriate.
Example
- A technician who moves to HR should lose access to server logs immediately.
5.3 Just-in-Time Privileges
Users receive elevated privileges temporarily when needed.
Benefits
- Reduces persistent admin rights
- Protects sensitive systems
- Limits misuse
5.4 Separation of Duties
Critical tasks are split so no single person has full control.
Example
- One user initiates a database change
- Another user approves it
Prevents fraud, abuse, or accidental damage.
Access rights
Access rights describe the specific level of access a user, system, device, or application is granted to data or digital resources.
They define who can access data and what actions they can perform, such as viewing, editing, deleting, or sharing information. Access rights are a core component of access control, working alongside permissions, privileges, authorisation, and authentication to keep data secure and compliant with legal requirements.
Rules
Rules are formal, predefined conditions or instructions that determine how data may be accessed, used, collected, stored, shared, or processed within an organisation.
They ensure that data is handled safely, legally, and consistently. Rules sit alongside permissions, privileges, authorisation, and access rights as part of an organisation’s overall access control framework.
Access mechanisms
Role-based access (RBAC)
Role-Based Access Control (RBAC) is a security model where access to data, systems, or resources is granted based on a person's job role rather than the individual themselves. Users are grouped into roles (e.g., Technician, Manager, HR Officer), and each role has a specific set of permissions and access rights. Users inherit access automatically by being assigned to a role.
Examples of RBAC in Digital Support & Security
IT Technician Role
- View system logs
- Restart services
- Modify device configuration
- Cannot access payroll or HR files
HR Officer Role
- Access employee personal records
- Modify attendance or contracts
- Cannot access server logs or firewall settings
Student Role
- Read-only access to their timetable
- Submit work
- No access to staff folders or administrative systems
Database Administrator Role
- Full access to database configuration
- Cannot access HR data unless specifically permitted
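The four roles above can be turned into a working RBAC check in a few dozen lines. This is an added example, not code from the course page; the permission strings, the user names and the change_role helper are constructed assumptions. It also shows two points the text makes in passing: the DBA who is "specifically permitted" HR data gets it through an explicit per-user exception, and a technician who moves to HR loses log access the moment their role changes.

```python
"""Added example, not part of the course page: a minimal RBAC model built from
the four roles listed above. Permission strings, user names and the
change_role helper are constructed assumptions."""
from dataclasses import dataclass, field

# Roles carry permissions; users inherit them by holding a role, never directly.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "IT Technician": {"logs:view", "services:restart", "device:configure"},
    "HR Officer": {"hr:records:view", "hr:attendance:edit", "hr:contracts:edit"},
    "Student": {"timetable:view", "work:submit"},
    "Database Administrator": {"db:config:admin"},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    # Explicit, per-user exceptions such as a DBA being "specifically permitted" HR access.
    extra_permissions: set[str] = field(default_factory=set)

    def permissions(self) -> set[str]:
        granted = set(self.extra_permissions)
        for role in self.roles:
            if role not in ROLE_PERMISSIONS:
                raise KeyError(f"unknown role: {role}")  # fail closed on a mistyped role name
            granted |= ROLE_PERMISSIONS[role]
        return granted


def is_allowed(user: User, permission: str) -> bool:
    """Deny by default: only permissions derived from roles (or explicit exceptions) pass."""
    return permission in user.permissions()


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Move a user between roles; the old role's access disappears with it."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def run_demo() -> dict[str, bool]:
    sam = User("sam", roles={"IT Technician"})
    priya = User("priya", roles={"HR Officer"})
    dana = User("dana", roles={"Database Administrator"})
    results = {
        "technician_views_logs": is_allowed(sam, "logs:view"),
        "technician_views_hr_records": is_allowed(sam, "hr:records:view"),
        "hr_edits_contracts": is_allowed(priya, "hr:contracts:edit"),
        "hr_views_logs": is_allowed(priya, "logs:view"),
        "dba_views_hr_records": is_allowed(dana, "hr:records:view"),
    }
    dana.extra_permissions.add("hr:records:view")  # the DBA is now specifically permitted
    results["dba_views_hr_records_when_permitted"] = is_allowed(dana, "hr:records:view")
    change_role(sam, "IT Technician", "HR Officer")  # sam moves from IT to HR
    results["moved_user_views_logs"] = is_allowed(sam, "logs:view")
    results["moved_user_views_hr_records"] = is_allowed(sam, "hr:records:view")
    return results


if __name__ == "__main__":
    for check, allowed in run_demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Because a user's effective permissions are recomputed from their roles on every check, there is no stale copy of rights to clean up when someone changes job; the role assignment is the single thing a privilege review needs to verify.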
Rule-based access control (RuBAC)
Rule-Based Access Control (RuBAC) is a security model where access to data or resources is determined by a set of system-enforced rules. These rules are often global, automated, and applied consistently across the organisation, regardless of a user’s job role. RuBAC is sometimes used alongside Role-Based Access Control (RBAC), but it differs because access is granted or denied based on specific rules written by administrators, not roles or user permissions.
What RuBAC Is
RuBAC uses predefined rules to allow or deny actions.
These rules can be based on:
- Time of day
- Location
- Device type
- Network security level
- System state
- User behaviour
- External conditions (e.g., security alerts, lockdowns)
For example:
“Block access to the database outside business hours.”
“Only allow login from the UK.”
“Deny USB access when connected to the corporate network.”
RuBAC is often found in firewalls, operating systems, cloud platforms and identity management systems.
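The three quoted rules can be written as system-enforced checks that run against every request, whatever the requester's role. This is an added example, not code from the course page; the request fields, the business hours of 09:00 to 17:00 Monday to Friday, and the country code "GB" for the UK are constructed assumptions.

```python
"""Added example, not part of the course page: the three rules quoted above
expressed as system-enforced checks evaluated against each request. Business
hours of 09:00-17:00 Monday to Friday, the country code "GB" and the request
fields are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable


@dataclass(frozen=True)
class Request:
    resource: str    # e.g. "database", "login", "usb-storage"
    at: datetime     # local time of the request
    country: str     # country code of the source, e.g. "GB"
    network: str     # "corporate" or "home"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]  # True when the rule's deny condition is met


def outside_business_hours(r: Request) -> bool:
    weekday = r.at.weekday() < 5                       # Monday=0 ... Friday=4
    in_hours = time(9, 0) <= r.at.time() < time(17, 0)
    return r.resource == "database" and not (weekday and in_hours)


def login_outside_uk(r: Request) -> bool:
    return r.resource == "login" and r.country != "GB"


def usb_on_corporate_network(r: Request) -> bool:
    return r.resource == "usb-storage" and r.network == "corporate"


# The rules apply to everyone regardless of role: global, automated, consistent.
RULES = [
    Rule("block-database-outside-business-hours", outside_business_hours),
    Rule("only-allow-login-from-uk", login_outside_uk),
    Rule("deny-usb-on-corporate-network", usb_on_corporate_network),
]


def evaluate(request: Request) -> tuple[str, str]:
    """Return ("deny", rule_name) for the first matching rule, else ("allow", "no-rule-matched").

    The rule name is returned so it can be written to the audit log."""
    for rule in RULES:
        if rule.matches(request):
            return "deny", rule.name
    return "allow", "no-rule-matched"


def run_demo() -> dict[str, tuple[str, str]]:
    monday_10 = datetime(2025, 12, 1, 10, 0)    # constructed: Monday during business hours
    saturday_10 = datetime(2025, 12, 6, 10, 0)  # constructed: Saturday
    monday_19 = datetime(2025, 12, 1, 19, 0)    # constructed: Monday evening
    return {
        "db_weekday_in_hours": evaluate(Request("database", monday_10, "GB", "corporate")),
        "db_weekend": evaluate(Request("database", saturday_10, "GB", "corporate")),
        "db_weekday_evening": evaluate(Request("database", monday_19, "GB", "corporate")),
        "login_from_uk": evaluate(Request("login", monday_10, "GB", "home")),
        "login_from_abroad": evaluate(Request("login", monday_10, "FR", "home")),
        "usb_on_corporate": evaluate(Request("usb-storage", monday_10, "GB", "corporate")),
        "usb_at_home": evaluate(Request("usb-storage", monday_10, "GB", "home")),
    }


if __name__ == "__main__":
    for case, (decision, reason) in run_demo().items():
        print(f"{case}: {decision} ({reason})")
```

Returning the name of the rule that fired, rather than a bare deny, is what makes the decisions auditable: a burst of "block-database-outside-business-hours" denials for one account is something a monitoring dashboard can alert on.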
Application Programming Interfaces (API)
An Application Programming Interface (API) is a structured way for different software applications, systems, or devices to communicate with each other.
It defines a set of rules, endpoints, formats, and permissions that allow one system to request data or perform actions on another system safely and consistently.
APIs are essential in modern digital services, cloud computing, automation, data collection and cybersecurity operations.
What an API Is
An API acts as a bridge between systems.
It allows:
- Applications to request data
- Systems to send responses
- Services to integrate without knowing internal code
- Secure access to stored or processed information
Examples:
- A weather app uses an API to fetch real-time forecasts.
- A college MIS sends data to a reporting dashboard via an API.
- A cybersecurity tool retrieves logs from a firewall using an API call.
RuBAC, RBAC and APIs
Time: 20 - 25 minutes
Total Marks: 18 marks
Scenario
A college IT department manages access to several systems including:
- A cloud-based learning platform
- An internal staff database
- A cybersecurity monitoring dashboard
- A set of APIs used to pull attendance data and push timetable updates
To protect the systems, the organisation uses a combination of:
- Role-Based Access Control (RBAC)
- Rule-Based Access Control (RuBAC)
- Application Programming Interfaces (APIs) with secure authentication
You have been asked to review the access control setup and evaluate how it protects the data stored, used, and transmitted across systems.
Questions
1. Give one feature of Rule-Based Access Control (RuBAC).
(1 mark)
2. Give one example of how RBAC might be applied in the college's environment.
(1 mark)
3. State one purpose of using APIs in the college’s digital systems.
(1 mark)
4. The cybersecurity dashboard uses RuBAC to block access during high-risk periods.
Explain one benefit and one drawback of using RuBAC in this situation.
(4 marks)
5. The staff database uses RBAC to restrict editing rights to specific roles.
Explain two ways RBAC supports data confidentiality in this system.
(4 marks)
6. The learning platform uses an API to send attendance data to the college MIS.
Explain two security considerations the IT team must implement to protect API data transfers.
(4 marks)
7. A technician suggests combining RBAC, RuBAC and APIs to create a layered security approach.
Discuss whether this is a suitable approach for the college, using justified points for and against. Provide a supported conclusion.
(3 marks)
(Level-based mark Q - AO2/AO3 style)
3.11.2 Know and understand the benefits and drawbacks of methods to access data across platforms.
3.11.3 Understand the interrelationships between data access requirements and data access methods and make judgements about the suitability of accessing data in digital support and security.
Last Updated
2025-12-01 16:51:30