An access control model structures who can access resources within a given organization or system. Popular models include mandatory, discretionary, and role-based access controls.
In practice, most organizations use more than one type of access control. Even in an organization using role-based access control, for instance, routers and firewalls will generally still use rule-based access controls to protect against unwanted network traffic.
All access control models rely on the distinction between subject and objects. A subject, such as a user or a group, can access an object. Objects include files, folders, devices, and other resources. When you use a printer, for instance, you are the subject and the printer is the object. When you attempt to use it, the system checks an access control list to see if you have permission to access the resource – in this case, to use the printer.
Read on to learn all about different access control models, including the strengths and weaknesses of each, and which might be best suited to your needs.
Discretionary Access Control (DAC): The Flexible Model
Under the discretionary access control model, every object has an owner who determines who has access to that file or resource. Usually, the owner is the person who creates that file or resource, unless that person assigns a new owner. Commonly abbreviated as DAC, discretionary access controls are the most common type of access control, used widely in both Windows and Linux operating systems.
Under discretionary access control, every object has an access control list comprised of access control entries. Each of these entries lists a user and what permissions they have.
For a file in Windows, you might list user Lena having full permissions, but user Greg has permissions to read, but not modify a file. The object’s owner has the final say in who has what permissions.
The greatest strength of discretionary access control is its flexibility. It makes it easy for individuals and teams to work out access on their own terms. This strength should not be underestimated – there’s a reason discretionary access control is the default model for Windows and most other operating systems.
But this flexibility comes with a downside. This decentralized approach can make discretionary access control tricky to administer. To the extent that every user can be an object owner, every user in an organization will have administrative privileges over their domains, small or large. In such an unstructured approach, it can be easy for administrators to lose view of the objects users create.
Not that one can’t impose structure in a discretionary access control model. For instance, you can create shared folders, under which every object is owned by a particular individual. You don’t have to worry about who owns what resources in the marketing department if the VP of Marketing has ownership over shared folders.
The other big weakness of discretionary access control is vulnerability, especially when it comes to applications.
DAC does not generally distinguish between users and applications. In Windows, for instance, a new application inherits the access rights of the user that installed it. So if someone installs a trojan – an invasive piece of software masquerading as a legitimate application – that app may have broad powers to wreak havoc. For this reason, administrators often use two accounts: one with user access, for regular use; and their admin account, which they use only as necessary.
For this reason, Windows introduced the User Account Control system in 2006. Under this system, applications typically do not inherit high-level permissions unless a user explicitly runs them as an administrator. To do this, Microsoft added a layer of mandatory access controls on top of their discretionary framework. Which brings us to our next model of access control – read on.
Mandatory Access Control (MAC): the Secure Model
Under mandatory access control (MAC), security administrators set access labels for both users and objects. Mandatory access control is the most secure of the major access control models, and also the most demanding to maintain.
It’s well suited for securing high stakes assets, and for this reason, it’s the method of choice when military and government agencies need to protect highly sensitive data. An example would be the security clearance levels used by the United States military: top secret, secret, and classified.
But simply having a top secret security clearance does not suddenly give you full access to every top secret file held by the Department of National Security. Instead, the MAC model works on a need-to-know basis. That means you can only access information you need in order to do your job. No matter your security clearance level, if you don’t need to know, you don’t get access.
To accomplish this, each security label is tied to a particular subject. To access a secret file on a particular nuclear reactor, for instance, one would need a secret or higher clearance for that reactor. A top secret clearance on a hydroelectric dam wouldn’t cut it – even if issued by the same agency.
To gain that new level of access,, you would have to submit a request to a security officer. They would file the paperwork and hand off their approval to a separate administrator who would then implement your new level of access.
Getting approval under MAC can be a slow-moving process. It entails more bureaucracy than other access control systems. If you’re protecting highly sensitive information, it may be worth it. If you’re operating a local brick and mortar store, it probably isn’t worth the effort to implement mandatory access controls.
That said, it sometimes makes sense to implement elements of MAC to protect particularly sensitive information or shore up vulnerabilities. Windows, for example, had a serious vulnerability to trojan horse viruses under its discretionary access control model. Because this model readily gave applications high levels of access, it was all-too-easy for trojans to take over a PC.
To address this issue Microsoft added a layer of mandatory access control in the form of its User Account Control system. Per this system, every subject in Windows has an attached integrity level. By default, a Windows user operates on medium integrity.
When you run a program, that program inherits your integrity level, meaning it can also read and write files. But even with a medium integrity level, it can’t undertake protected actions, such as modifying the operating system or turning off Windows Defender.
As the owner of the system, you can always ‘run the application as an administrator’. This grants the application the highest integrity level, which it could then use to modify your operating system and even take over your computer. If that sounds risky, it’s because it is – you should think very carefully before you run an app as an administrator.
When Microsoft implemented User Access Control, they faced a fair bit of backlash from users who got fed up at all the security notifications they now received. In response, Microsoft scaled back these notifications.
There’s an important lesson here: even implementing mandatory access control on a limited basis can prove cumbersome to users. A strict security regime isn’t always the best choice, and it usually isn’t necessary unless you’re protecting critical information. For Windows, it was more than worth it to protect the operating system itself. For everything else on your Windows PC, it made sense to allow more flexible, discretionary access controls to govern who can access what.
Role-Based Access Control: the Team Model
Under role-based access controls, each subject is assigned one or more roles, which dictate what they can access. A marketing associate would be assigned a marketing role, which would grant them access to anything they would need to do their work in marketing.
Role-based access controls reduce administrative overhead to a more manageable level than other models of access control. Instead of assigning access on a need-to-know basis or chasing down the owner of a particular object, under role-based access control, the administrator simply assigns roles as needed.
If someone’s role changes, you simply add them to a new group and remove them from any areas they no longer need access to. This is another advantage of role-based access control: in other models, it’s easy to forget to remove access an employee no longer needs. Whereas under role-based access control, it’s only natural to remove an employee from any groups they no longer belong to.
The role-based access control model makes sense for many organizations, small and large. There’s less administrative overhead than most other systems, and role-based access is intuitive within an organization already divided into distinct roles and teams.
As we discussed in the previous sections, Windows naturally operates on a DAC model, supported by MAC features to guard against key vulnerabilities. It also offers administrators the tools needed to implement role-based access controls. Under Windows, you can create a group of users and from there, assign permissions to the entire group from there – effectively implementing role-based access controls.
Attribute-Based Access Control: The Granular Model
An attribute-based access control (ABAC) model relies on attributes to make decisions regarding access. These attributes can pertain to the subject or object, or to the action attempted or the environment in which the action happens.
Attribute-based access control allows for some of the most granular control over access privileges, making it a very flexible approach to access control. It complements other models well, and can be used as a foundation for any of the above models, while allowing more specific rules to structure more particular decisions regarding access.
Let’s take an example with role-based access control as a starting point. Even though they’re in the same department, a sales associate probably needs a different level of access than a sales director. Where the associate needs access to a client’s contact info and recent history, they probably don’t need to know detailed billing information or sensitive customer records.
Under pure role-based access control, you would need to create a role-based group for both positions – and for every role that needs a different kind of access, at which point you might as well go back to assigning permissions on a per-user basis.
But with attribute access controls, you could instead match two attributes: department (sales) and position (associate) to determine access. While you’re at it, you might throw in a few additional safeguards, such as barring access to sensitive data if someone tries to get on from an unknown device.
As you can see, attribute-based access controls allow quite a bit of flexibility. But this flexibility comes at a cost. ABAC can become very complex to implement, especially the more granular you want to go. For many businesses, a simpler approach such as role-based access might remain the best bet.
Rule-Based Access Control: the Network Security Model
Under rule-based access controls, access is determined based on rules set by an administrator. Rule-based access controls are typically used by routers and firewalls to guard against unwanted network traffic.
A network might receive thousands of requests an hour – too many to manually check on a case-by-case basis. Instead, it makes sense to use preset rules to determine access. These can be set or modified by an administrator, but many devices include rule-based access controls by default.
To avoid confusion with role-based access control, it’s best not to abbreviate rule-based access control to RBAC. Some security professionals refer to role-based access control as RoBAC and rule-based access control as RuBAC. But this isn’t common parlance, and for the sake of clarity, it’s for the best to write both terms out.
For more information, see our complete guide to rule-based access controls.
Risk-Adaptive Access Control: the Dynamic Model
Risk-adaptive access controls allow a system to adapt to threats on the fly. If a system detects a denial-of-service attack, for instance, it can block that port and tighten access to stymie the attack.
Risk-adaptive access control really isn’t a stand-alone model to protect an organization. Instead, it can strengthen other models by giving them the ability to quickly adapt to counter threats.
Identity-Based Access Control: the Generic ‘Model’
Identity-based access control refers to any access control that determines access based on a user’s identity. That includes almost every access control model, making this term not especially useful to make distinctions between access control models.
Identification undergirds every form of access control. If you can’t accurately identify and authenticate a user, your access control method is unlikely to function well at all.
Some systems are more identity-based than others. Rule-based access controls, for instance, lean less heavily on discrete user IDs than other systems do. But even these systems factor a user’s identity into account.
Organization-Based Access Control: the Cross-Company Model
When different organizations work together, they often share tools and resources. In this case, access controls operate across different organizations. In these cases, it often makes sense to implement organization-based access controls, that take different organizations into account.
Google Drive provides a useful example. You can opt to share a Google Doc within an organization, or enable outside access. This is a fairly straightforward example of thinking through access across organizations.
When multiple organizations use the same tools or resources, it often makes sense to take these organizations into account when determining access.
Logical vs Physical Access Controls
In addition to the models outlined above, access controls fall into two broad buckets: logical and physical access controls. Logical access controls determine access to computer systems. Physical access controls, as you might guess, apply to physical locations and objects.
Neither of these are models of access controls. But it’s worth making the distinction, as logical and physical controls work very differently in practice.
The models we’ve discussed so far largely pertain to logical access controls, but they can be applied to physical access controls as well. A company that keeps physical records may control access to archives and individual files, for instance. To check out a sensitive file, you might need permission from the owner, the right clearance, or the right role.
Identification and authentication often look very different between logical and physical access controls. The cornerstone of logical access is the password. The most common instrument of physical access controls is one you know well: the lock. A lock might require a key or keycard, a PIN, or a biometric signal such as a fingerprint – or some combination of these.
There are three broad types of authentication: something you have, something you know, and something you are.
- Something you have could be a key or keycard or a cell phone.
- Something you know includes passwords and PINs.
- Something you are includes biometric identifiers, such as your fingerprint or your physical appearance.
Biometrics are more common when determining physical access than you might think. Your physical appearance is the oldest authentication method there is: any decent security guard has the built-in facial recognition ability to differentiate people they know from people they don’t.
Access Control Models in Practice
Whether or not you know it, you’re probably already using some kind of access control model. By default, Windows uses discretionary access controls, with a dash of mandatory access control to prevent users from unknowingly giving applications too much power. Meanwhile, your router uses rule-based access controls to filter out unwanted network traffic.
To protect an organization, you’ll probably want to think about access more deliberately. Usually, that means picking one access control model to structure who can access what.
- Discretionary access control often makes sense for small organizations, but can become unwieldy for larger companies.
- Role-based access control makes things easier to manage, and is the access control model of choice for many organizations. You might also consider attribute-access control for a more granular approach, though it can be work-intensive to implement.
- If your organization manages particularly sensitive matters, it may be worth it to consider mandatory access control, despite the administrative overhead.
Ultimately, the best access control model depends entirely on the organization. Of course, you don’t have to pick one access control model to the exclusion of others. Access control models work together – if you’re using a Windows PC and a typical router, for instance, you’re already using at least three types of access control. That said, it’s still helpful to have one access control model serve as the foundation for who can access what at your organization.