Types of Access Control

There are many types of access control. Most organizations use one access control model or another; the most well-known are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). There’s also a distinction between logical access controls, which govern access on computer systems, and physical access controls, which pertain to physical locations and resources.

There are also differences between various methods of authentication. These fall into three broad categories:

  • Something you have, such as a key;
  • Something you know, such as a password;
  • Something you are, which includes biometric signals such as fingerprints.

Access Control Models

An access control model governs access within an organization or system. A model itself is less concerned with exactly who has access to what than with how the organization determines who can access what. The most common access control models are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC), but there are several others that you can use.

Discretionary Access Control (DAC)

Under discretionary access control, every object has an owner who can freely allow access to other users and applications at their discretion. By default, an object’s owner is usually its creator: by creating a Word document, you become the owner of that resource. But this isn’t always the case. If you create an object in a shared folder, for instance, the owner of that folder may become the owner of that document.

Discretionary access control is the most widespread access control model, and the most flexible. By default, Windows and most other operating systems work on a DAC model.

The biggest strength of discretionary access control is its flexibility. Its biggest downside is how messy things can get – it’s not always easy for administrators to provide oversight over a sprawling domain in which access might belong to any of hundreds of users.

Mandatory Access Control (MAC)

In contrast to discretionary access control, mandatory access control is very rigid. Under MAC, every user and object has an access level, such as confidential, secret, or top secret. To access a given object, a user’s label needs to match or exceed the security label on the object. To access a secret file regarding operations in the Czech Republic, for example, a user would need to have a secret or top secret security clearance on the topic.

Mandatory access control is the strictest access control model, making it a good fit for critical concerns – that’s why it’s the standard model for matters of national security. But it entails quite a bit of bureaucracy and a lot of work to maintain. For most business concerns, it probably isn’t the best fit.

Role-Based Access Control (RBAC)

Under role-based access control, all users are assigned roles that determine what they can access. A member of a company’s marketing team might be assigned a “marketing” role, for instance, giving them access to the resources they need to do their job in marketing.

Compared to other models, role-based access control is relatively easy to maintain, making it a great fit for many organizations. Rather than assigning access to individual resources to hundreds of users, you set access based on teams and roles.

Though Windows operates on discretionary access control by default, you can implement role-based access control on Windows by creating groups of users and assigning permissions on a group-by-group basis.

More Access Control Models

Though the above models are the most commonly used by organizations, they’re far from the only access control models. There are several more access control models you can consider:

  • Under attribute-based access control, subjects and objects are assigned attributes which are used to determine access. It’s a very granular access control model, which allows you to get very specific – but involves more work the more specific you get.

  • Under rule-based access control, rules are used to quickly determine who can and can’t access a system. It’s commonly used by routers and firewalls to protect networks from unwanted traffic. To avoid confusion with role-based access control, it’s best not to abbreviate rule-based access control to RBAC.

  • Under risk-adaptive access control, the system can dynamically adapt to threats in real-time. If a risk-adaptive system detects a denial-of-service attack, for instance, it can limit access until the attack is through.

  • Identity-based access control refers to any access control model that sets access based on a user’s identity. Nearly every model relies on some level of identification, making ‘identity-based’ not a very useful term when distinguishing different access control models.

  • Organization-based access control determines access across organizations, structuring access when two or more businesses collaborate.

You can read more about these in our complete guide to access control models.

Physical vs Logical Access Controls

Physical access controls govern access to physical locations. This can include perimeter security and building security. Physical access controls can also determine who can access areas within a building, such as server rooms and sensitive work areas, and even who can access specific files and pieces of hardware. It’s common to lock up server cabinets, for instance, and even lock specific ports to guard against unwanted access.

Physical access control often relies on locks. But there’s more than one way to unlock a door: you might use a hard key, a proximity-based ID card, or input a PIN combination. Also commonplace is facial recognition – if you have any kind of guard or doorman, for instance, it’s likely they allow access in part based on whether or not they recognize somone.

Logical access controls, on the other hand, pertain to computer systems. While the access control models outlined above can pertain to physical access, they more commonly structure access to digital resources. We don’t think explicitly in terms of discretionary access control in most of our day-to-day life, but Windows can’t help but ‘think’ in terms of discretionary access whenever you open a file or run a program.

The line between physical and logical access isn’t always robust. When someone physically taps into a network port, for instance, they cross from the physical to the logical realm of access control.

When it comes to authentication, physical access controls tend to lean on ‘something you have’ items, such as keys, where logical access controls tend to lean on ‘something you know’ items, such as passwords. More on that in a moment.

3 Types of Authentication Factors

Every access control system relies on authenticating users: verifying a user is who they say they are, with the access privileges they claim to have. These authentication factors belong to three broad categories.

  • ‘Something you have’ authentication factors rely on physical possessions, such as keys and keycards.
  • ‘Something you know’ authentication factors rely on passwords, PINs, question-answer prompts, and other bits of data and information.
  • ‘Something you are’ authentication factors, often known as biometrics, include fingerprint scanners, retina scanners, and facial recognition.

Any one of these authentication factors on their own can only do so much to verify someone is who they claim to be. You can make your authentication much more secure by using multi-factor authentication, which entails using more than one factor to verify someone’s identity.

For logical authentication, that can mean a password prompt (something you know) followed by a message to your smartphone (something you have). For physical authentication, that might mean a fingerprint scan (something you are) followed by a PIN combination (something you know).


When people talk about types of access control, they’re often referring to different access control models, such as discretionary access control, mandatory access control, and role-based access control. They might also mean the difference between logical and physical access controls, or between the different authentication factors. Fortunately, you now know how to make the distinction between all of the above types of access control.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.