# Broken Access Control
The security risk Broken Access Control describes incorrectly implemented or missing restrictions on which groups of users may access which resources.
OWASP Top 10 category: A01:2021
# Background
# Context
Commonly used types of access control systems are:
- Attribute Based Access Control
- Role Based Access Control
- Decentralized Approaches
- OpenID Connect
- OAuth
# Problems
- If access control is defined incorrectly, users can access resources they are not allowed to see
- Depending on the system, admin functionality can be abused or premium functions can be used for free
# Solutions
- Use third-party tools like Keycloak
- Implement access control carefully
- No one-size-fits-all solution exists
# Technology
Various libraries exist that help developers define roles or attributes, assign rights to these groups, and verify whether a user has the required rights to view a resource.
DANGER
The developers themselves must first define which resources need to be restricted and who may access them. Since this is a highly individual task, no generic solution for building a secure access control system exists.
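As an added illustration of the role and attribute checks such libraries provide (a constructed example written for this page, not code from Keycloak or any other library named here), the following Python shows a deny-by-default check combining an RBAC rule with an ABAC rule, and why allow-by-default is the broken configuration; all users, resources and rules are invented.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet

# Constructed example: users, resources and rules are invented for illustration.

@dataclass
class User:
    name: str
    roles: FrozenSet[str]                                      # RBAC: what the user is
    attributes: Dict[str, str] = field(default_factory=dict)   # ABAC: e.g. subscription plan

Rule = Callable[[User], bool]

def has_role(role: str) -> Rule:
    return lambda u: role in u.roles

def has_attribute(key: str, value: str) -> Rule:
    return lambda u: u.attributes.get(key) == value

def any_of(*rules: Rule) -> Rule:
    return lambda u: any(r(u) for r in rules)

# The developer's own task: which resources are restricted, and for whom.
POLICY: Dict[str, Rule] = {
    "/admin/users":     has_role("admin"),
    "/reports/premium": any_of(has_role("admin"), has_attribute("plan", "premium")),
    "/reports/basic":   lambda u: True,   # deliberately open to every logged-in user
}

def is_allowed(user: User, resource: str,
               policy: Dict[str, Rule] = POLICY, default_allow: bool = False) -> bool:
    """Decide whether `user` may access `resource`.

    A resource without a rule is denied unless default_allow is True. Allow-by-default
    is the broken configuration: one forgotten rule silently exposes a new resource.
    """
    rule = policy.get(resource)
    if rule is None:
        return default_allow
    return rule(user)

def demo() -> Dict[str, bool]:
    admin = User("alice", frozenset({"admin"}), {"plan": "premium"})
    free_user = User("bob", frozenset({"user"}), {"plan": "free"})
    return {
        "admin -> /admin/users": is_allowed(admin, "/admin/users"),
        "free  -> /admin/users": is_allowed(free_user, "/admin/users"),
        "free  -> /reports/premium": is_allowed(free_user, "/reports/premium"),
        "free  -> /reports/basic": is_allowed(free_user, "/reports/basic"),
        # a new endpoint that nobody has written a rule for yet
        "free  -> /reports/export (deny-by-default)": is_allowed(free_user, "/reports/export"),
        "free  -> /reports/export (allow-by-default, broken)":
            is_allowed(free_user, "/reports/export", default_allow=True),
    }

if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'allowed' if decision else 'denied'}")
```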