Access Control Model is a way of determining and assigning the right users with the permissions to the resources.

In access control, we commonly use the terms subject, object, and privilege. i.e. subject refers to “who”, object refers to “what” e.g. accessible resources, and privilege refers to the authorization the subject is assigned such as Create, Read, Update, Delete.

Access Control Lists (ACLs) are used to manage such permissions. The list contains subjects, objects, privileges, and more as required. ACLs can range from file access, data access to network privileges.

Here are the top 5 access control models:

  • Discretionary model (DAC)
  • Mandatory model (MAC)
  • Rule-Based model
  • Role-Based model (RBAC)
  • Attribute-Based model (ABAC)

1. Discretionary Access Control (DAC) model allows the individual resource owner to configure the permissions for another user or user group. The resource owner can assign their own security controls and policies. This means each resource owner has full control and must be fully trusted to administrate the resource. DAC model was defined by Trusted Computer System Evaluation Criteria (TCSEC), a US Government Department of Defense (DoD) standard.

DAC is commonly used in administrating operating systems where you can configure network accesses for other users. DAC is also used in file system where the file creators have full control over the file. However, anyone can create their own file. Watch DAC explained here: https://youtu.be/KyCamjQd0Mk

2. Mandatory Access Control (MAC) model does not allow the resource owner to determine the access control of resources. Instead, the access control is configured by an external party such as the organization’s IT security policies/department. The access level is determined by the controlling party.

Access level be can categorized as Top Secret, Secret, Confidential, or Unclassified. This is also the widely used and secured access control model. Watch MAC explained here: https://youtu.be/E4CsEDEyauY

MAC can be further classified using Bell-LaPadula Model, Biba Model, Clark-Wilson Model, and Brewer and Nash Model.

3. Rule-Based Access Control model provides access based on the rules pre-created by the system admin. One example is in routers, where the routing rule table determines traffic is allowed or restricted between sources, destinations and ports. This is independent of the role or authority of the users.

4. Role-Based Access Control (RBAC) model provides access based on the role of a user. For example, a normal user role can only view a dashboard but cannot edit. However, a dashboard designer role will have permission to change the dashboard design. Each role is assigned with permissions. And roles are assigned to each user. The type of roles required are defined based on the business, industry, and application needs.

5. Attribute-Based Access Control (ABAC) model is based on resource attribute, environment attribute, and/or subject attribute.

  • Resource attributes define the type of resource can be used. E.g. the types operating system and web browser used.
  • Environment attributes define the environment conditions such as accessible duration for connections to the environment. E.g. VPN connection limits
  • Subject attributes define specifications of the user (subject) to determine their access. E.g. CAPTCHA in a form or using 2FA (2-factor authentication)

The above 5 access control models can be used in conjunction to make your system more robust.