Which component is central to enforcing access to resources and ensuring users can perform only allowed actions?

Access control is the mechanism that enforces what authenticated users are allowed to do with each resource. After a user proves who they are, the system uses access control to check their permissions and permit or deny actions such as read, write, or delete. This enforcement can be implemented in different ways, such as through access control lists, role-based access control, or attribute-based access control, and is guided by the organization’s policies. In short, access control translates identity and policy into actual allowed actions on resources, making it the central component that ensures users can only perform what they are authorized to do. Encryption protects data from exposure, but doesn’t decide who may access or what actions they may take. Authentication verifies identity but doesn’t enforce permissions by itself. Policy defines the rules, while access control applies those rules at runtime.