Access control models are frameworks that organisations use to manage and restrict access to resources, such as data, systems, and facilities. There are several types of access control models. I will go through four of these models in this section to help you better understand the different methods of implementing access control.
Mandatory Access Control (MAC)
The mandatory access control model is a very inflexible and rigid solution, but because of that rigidity it is also one of the most secure. In practice, this means that the end user has no control over any settings that could grant privileges to anyone.
Two security models are associated with MAC: the Biba Model and the Bell-LaPadula Model. I won't be going into them here, but if you wish to, you can read up on them on Wikipedia.
MAC is the most restrictive form of access control there is. It is mostly utilised in military or government settings, using the access levels of Classified, Secret and Unclassified.
Role-Based Access Control (RBAC)
The role-based access control model grants access based on the position an individual fills in a business. For example, an individual who works as a network engineer would be assigned only the permissions that the network engineer role actually requires, instead of sweeping global permissions.
This makes life easier for the system administrator, since permissions are grouped together into roles, which makes large permission changes much faster.
Discretionary Access Control (DAC)
The discretionary access control model is the least restrictive, particularly when compared to the MAC model discussed above. This is because DAC gives individuals complete control over any data they own, along with any other programs associated with it.
This isn't ideal, as it gives the end user complete control over the security settings that apply to other users. Even worse, the permissions a user is given are inherited by the programs they run, so an end user who executes malware hands it more access than it should have, leading to more damage.
Rule-Based Access Control (RBAC or RB-RBAC)
Rule-Based Access Control (RBAC) is a model in which access to resources is granted based on defined rules and policies. These rules specify the actions that a user can perform on a resource. For example, a rule could restrict a user to accessing files only during a certain period of time.
The main drawback of this approach is that these extra rules may have to be implemented on the network by the system administrator in the form of code.
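To make the four models concrete, here is a small added Python example (not part of the original post) that decides the same kind of access request under each model in turn. The level ranks, roles, permissions, user names and the 9-to-17 time window are constructed for illustration.

```python
from dataclasses import dataclass, field

# MAC: clearance ordering using the levels named on the page (constructed
# numeric ranks). Labels are assigned by the system, never by the end user.
MAC_LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2}

def mac_allows(subject_clearance: str, object_label: str) -> bool:
    """Access is allowed only if the subject's clearance dominates the label."""
    return MAC_LEVELS[subject_clearance] >= MAC_LEVELS[object_label]

# RBAC: permissions hang off roles; users are assigned roles, not permissions.
ROLE_PERMS = {
    "network_engineer": {"router:read", "router:write", "syslog:read"},
    "helpdesk": {"syslog:read"},
}

def rbac_allows(user_roles, permission: str) -> bool:
    """Changing a role's permission set changes every holder of that role."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in user_roles)

# DAC: the owner keeps an ACL on their own object and may grant anyone access.
@dataclass
class DacObject:
    owner: str
    acl: set = field(default_factory=set)

    def grant(self, by: str, to: str) -> bool:
        """Only the owner may extend the ACL; anyone else is refused."""
        if by != self.owner:
            return False
        self.acl.add(to)
        return True

def dac_allows(obj: DacObject, subject: str) -> bool:
    """A program started by `subject` runs as `subject`, so it inherits this
    result: malware run by the owner gets the owner's access (the risk above)."""
    return subject == obj.owner or subject in obj.acl

# Rule-based: a policy rule (here a daily hour window) gates an action that
# the role model would otherwise permit.
def rule_allows(hour: int, start_hour: int = 9, end_hour: int = 17) -> bool:
    return start_hour <= hour < end_hour

def rbac_with_time_rule(user_roles, permission: str, hour: int) -> bool:
    return rbac_allows(user_roles, permission) and rule_allows(hour)
```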