What are Access Control Models?

Access control is the process of deciding who can use specific systems, resources, and applications. An access control model is a defined set of criteria a system administrator uses to define system users’ rights. There are three main access control models: Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role Based Access Control (RBAC). In addition, a Rule Based Access Control (RBAC) model is useful for managing permissions across multiple systems.

The mandatory access control model assigns users’ roles strictly according to the system administrator’s wishes. This is the most restrictive access control method because the end user cannot set any access controls on files. Mandatory access control is popular in highly secretive environments, such as the defense industry, where errant files can jeopardize national security.

Discretionary access control is at the other end of the access spectrum: it differs from the mandatory access model in that it is the least restrictive of the three models. Under the discretionary access model, the end user has complete freedom to assign any rights to objects that he wishes. This level of complete control over files can be dangerous because, if an attacker or malware compromises the account, the malicious user or code will have complete control as well.

Role based access control creates permissions by assigning access rights to specific roles or jobs within the company; RBAC then assigns users to those roles, thereby granting privileges. This access control model functions effectively in actual organizations because files and resources are assigned permissions according to the roles that require them. For instance, a system administrator may create an access role for managers only, so a user would need to be assigned the role of a manager to use those resources.

One of the lesser-discussed access control models is Rule Based Access Control (RBAC). It shares the same acronym as role based access control but incorporates top-down management similar to mandatory access control. Rule based access control permissions are only assigned by the system administrator. Rules are attached to each resource and govern the access levels that will be allowed when a user tries to use it. An example of rule based access control is only allowing a resource to be used at certain times of the day or only allowing specific IP addresses to access the resource.
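The following sketch is an added example, not code from the original post. It combines the role check from the role based model with the time-of-day and source-IP rules described above. The users, the `payroll-report` resource, the network range and all function names are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample data: role assignments made by the administrator.
USER_ROLES = {"alice": {"manager"}, "bob": {"staff"}}

@dataclass
class Resource:
    name: str
    allowed_roles: set                 # role based: roles that may use it
    open_from: time = time(0, 0)       # rule based: start of permitted window
    open_until: time = time(23, 59, 59)  # rule based: end of permitted window
    allowed_networks: list = field(default_factory=list)  # rule based: source IPs

def check_access(user, resource, source_ip, now):
    """Return (allowed, reason). Deny by default: every check must pass."""
    # Role based check: the user must hold at least one permitted role.
    if not USER_ROLES.get(user, set()) & resource.allowed_roles:
        return False, "role"
    # Rule based check 1: the request must fall inside the time window.
    if not (resource.open_from <= now <= resource.open_until):
        return False, "time"
    # Rule based check 2: the source must be in an allowed network.
    # An unparsable address or an empty network list is a denial.
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, "ip"
    if not any(addr in ip_network(net) for net in resource.allowed_networks):
        return False, "ip"
    return True, "ok"

# Hypothetical resource: managers only, office hours, one internal subnet.
PAYROLL = Resource("payroll-report", {"manager"},
                   time(8, 0), time(18, 0), ["10.0.0.0/24"])

if __name__ == "__main__":
    requests = [("alice", "10.0.0.15", time(9, 30)),
                ("bob", "10.0.0.15", time(9, 30)),
                ("alice", "10.0.0.15", time(22, 0)),
                ("alice", "192.0.2.7", time(9, 30))]
    for user, ip, now in requests:
        print(user, ip, now, check_access(user, PAYROLL, ip, now))
```

Holding the manager role is necessary but not sufficient here: the rules attached to the resource can still deny a correctly assigned user who connects outside the window or from another network.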


This entry was posted on Wednesday, July 28th, 2010 at 11:48 am and is filed under Computer Security, Security Management.
