Introduction
Access Control is frequently boring but important. It's one of the core security services defined in the OSI Security Architecture reference model. And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about preventions versus cures. An attacker can't exploit what he can't access.
Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe. Before you can get down to the art and science of safecracking, you need to get access to the safe first. The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at. Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.
Looking at CFAdmin
Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- in the same way as that wall safe. You want to protect and restrict access to CFAdmin as part of your security baseline. CFAdmin components are accessible via /CFIDE/ URI paths and expose lots of functionality; most components require authentication (a local username/password, or LDAP as of ColdFusion 2023) to access, although some are accessible without authentication. So proper access control is crucial.
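One way to check whether that restriction is actually holding is to audit web server access logs for /CFIDE/ requests that come from outside your management network. The Python below is an added example, not code from this article or from Adobe; the allowlisted networks, the Common Log Format assumption and the sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: networks that are allowed to reach CFAdmin (constructed values).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("127.0.0.1/32")]

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /%63fide//administrator/ HTTP/1.1" 403 199',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.cfm?next=/CFIDE/ HTTP/1.1" 200 812',
]

def is_cfide(target):
    """True if the request path resolves under /CFIDE/ once normalised."""
    # Drop the query string, decode %xx once, and unify slash styles.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    # Collapse duplicate slashes and ../ segments; compare case-insensitively.
    path = posixpath.normpath("/" + path.lstrip("/")).lower()
    return path == "/cfide" or path.startswith("/cfide/")

def exposed_requests(lines):
    """Return (client, target, status) for /CFIDE/ hits from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, _method, target, status = m.groups()
        try:
            trusted = any(ipaddress.ip_address(client) in net for net in ADMIN_NETS)
        except ValueError:
            trusted = False  # hostname or junk in the client field: treat as untrusted
        if is_cfide(target) and not trusted:
            hits.append((client, target, int(status)))
    return hits

if __name__ == "__main__":
    for hit in exposed_requests(SAMPLE_LOG):
        print(hit)
```

In the results, a 200 status for an outside client is the case to chase first, since it shows the request was served rather than refused.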