Data access control regulates how IoT devices access data from the server and from other IoT devices. The main aim of data access control schemes is to prevent unauthorized access to IoT devices using the security concepts of authentication, authorization, and accountability. Authentication consists of two steps: user identification and verification. Authentication succeeds when the IoT user provides valid credentials for accessing another entity or server; otherwise, it fails.
Authorization grants an IoT entity access to system resources only if it has sufficient privileges. The level of authorization is assigned according to identity, role(s), privacy preferences, and a set of predefined access rules. Accountability is the process of ensuring that operations can be traced to the users who performed them. Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Mandatory Access Control (MAC) are the three main types of access control. Examples of access control security systems are doors, motion detectors, fences, biometric systems, key locks, and badge systems. The data access control methods are further categorized into three types that are physical and logical. The physical access control methods are used to access the data from buildings, rooms, campuses, and physical IoT assets, whereas the logical access control methods are employed over computer networks. Moreover, effective access control systems must satisfy the MQTT security properties of confidentiality, integrity, and availability over resource-limited IoT.
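
The three concepts above (authentication as identification plus verification, role-based authorization against predefined rules, and accountability through an audit record) can be combined in one access gate. The following is an added example, not code from the original text; the device names, roles, rule table, and function names are all constructed for illustration.

```python
import hashlib, hmac, os

# Predefined access rules (constructed): role -> allowed (action, resource) pairs.
RULES = {
    "sensor":  {("publish", "telemetry")},
    "gateway": {("publish", "telemetry"), ("read", "telemetry")},
    "admin":   {("read", "config"), ("write", "config")},
}
_DUMMY_SALT = os.urandom(16)  # lets unknown identities cost the same as known ones

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def register(registry: dict, device_id: str, secret: str, roles) -> None:
    salt = os.urandom(16)
    registry[device_id] = {"salt": salt, "hash": _kdf(secret, salt), "roles": set(roles)}

def authenticate(registry: dict, device_id: str, secret: str) -> bool:
    entry = registry.get(device_id)                      # step 1: identification
    salt = entry["salt"] if entry else _DUMMY_SALT
    candidate = _kdf(secret, salt)                       # step 2: verification
    return entry is not None and hmac.compare_digest(candidate, entry["hash"])

def authorize(registry: dict, device_id: str, action: str, resource: str) -> bool:
    roles = registry[device_id]["roles"]
    return any((action, resource) in RULES.get(role, set()) for role in roles)

def access(registry, audit, device_id, secret, action, resource) -> bool:
    if not authenticate(registry, device_id, secret):
        decision = "deny:authentication"
    elif not authorize(registry, device_id, action, resource):
        decision = "deny:authorization"
    else:
        decision = "allow"
    audit.append((device_id, action, resource, decision))  # accountability record
    return decision == "allow"

if __name__ == "__main__":
    reg, audit = {}, []
    register(reg, "thermo-01", "constructed-secret", ["sensor"])
    access(reg, audit, "thermo-01", "constructed-secret", "publish", "telemetry")
    access(reg, audit, "thermo-01", "constructed-secret", "write", "config")
    access(reg, audit, "ghost-99", "anything", "read", "config")
    for row in audit:
        print(row)
```

Every request, allowed or denied, is written to the audit list, so failed attempts by unknown or under-privileged devices remain visible to whoever reviews it.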