Access control is the cornerstone of information security. It represents the mechanisms used to enforce authorization, dictating who can access what resources under which conditions. Within the classic security paradigm of Authentication, Authorization, and Accounting (AAA), access control sits squarely at the authorization layer. By restricting access to sensitive data and systems, access control protects the confidentiality and integrity of digital assets. Architects must select and implement the correct access control model to protect systems against internal and external threats. Selecting the wrong model can lead to security breaches, operational paralysis, or runaway administrative costs. Modern security engineering recognizes four primary access control models. These are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). Each model has unique structural mechanics, operational trade-offs, and specific situations where it excels. This article provides an in-depth, technical exploration of these four models. We will examine their underlying mechanics, compare their pros and cons, and illustrate their application through realistic architectural scenarios.
Before analyzing the individual models, we must define the abstract elements of any access control system. Every access control decision involves three key components:
The central component that mediates all access requests is the Reference Monitor. The Reference Monitor is an abstract design concept representing an entity that is tamper-resistant, always invoked, and simple enough to be thoroughly tested. It evaluates every access request against the defined security policy. The chosen access control model determines how the Reference Monitor evaluates these policy decisions.
Discretionary Access Control is a user-centric model where the owner of an object has total control over who is allowed to access it. In a DAC system, permissions are granted or restricted at the discretion of the object's creator or current owner.
Under the DAC model, every object has an owner associated with it.
The owner has the authority to define access rules for that object.
These rules are typically stored in an Access Control List (ACL) attached to the object, or inside an Access Control Matrix.
An ACL contains entries that map specific subjects to their permitted operations.
A classic implementation of DAC is found in Unix and Linux filesystems.
In Linux, every file and directory has an owner and a group.
The owner can modify the file permissions using the chmod utility.
This allows the owner to set read, write, and execute permissions for the owner, the group, and all other users.
Windows NTFS filesystems also use a DAC model, utilizing Access Control Lists containing Access Control Entries (ACEs) to manage user permissions.
DAC is highly popular in desktop operating systems and collaborative platforms due to several key advantages:
Despite its ease of use, DAC is unsuitable for high-security environments due to significant structural weaknesses:
Consider a modern marketing agency that uses a cloud-based document sharing platform like Google Drive or SharePoint. The agency has hundreds of projects, each containing briefs, design files, and client pitches. In this environment, speed and direct collaboration are essential. If every file share required a ticket to the IT helpdesk, the agency's work would grind to a halt. By utilizing DAC, the designers and copywriters who create the files can instantly share them with colleagues or clients. They can grant view-only access to clients while granting edit access to team members. If a client relationship ends, the owner can remove the client from the document's ACL. While this model exposes the agency to accidental data leaks if a user shares a folder publicly, the operational agility outweighs the security risk. This risk is managed using secondary administrative controls like data loss prevention software.
Mandatory Access Control is a system-enforced model where access decisions are based on security labels and clearances. Unlike DAC, users in a MAC system do not own resources in a way that allows them to share access. Only the system administrator can assign labels and define security policies.
In a MAC system, the Reference Monitor compares two sets of criteria:
These labels often include compartments or categories to enforce the principle of need-to-know. For access to be granted, the subject's clearance must dominate the object's classification. This dominance is defined by formal mathematical models.
The Bell-LaPadula model focuses on protecting the confidentiality of information. It enforces two primary rules:
The "No Write Down" rule prevents users with high clearances from accidentally or maliciously leaking classified information into lower-security files.
The Biba model focuses on protecting data integrity rather than confidentiality. It operates on the inverse of Bell-LaPadula:
This prevents untrusted data from contaminating highly trusted systems.
MAC is the gold standard for high-security systems due to its robust design:
The strength of MAC also represents its primary drawbacks:
Consider a military intelligence agency operating a multi-national database containing battlefield telemetry and satellite imagery. The database hosts information ranging from Unclassified logistical reports to Top Secret target locations. Personnel accessing the database have different clearances based on their rank and role. In this environment, a MAC system is mandatory. If an analyst with Secret clearance logs in, they cannot view Top Secret files. Furthermore, if they download a Secret file, they cannot copy its contents into an Unclassified log because the system enforces the "No Write Down" property. This prevents accidental leaks of secret data to the public internet, ensuring that national security is maintained.
Role-Based Access Control is an organization-centric model where access permissions are associated with specific job roles rather than individual users. Users are assigned to roles, and roles are granted permissions.
RBAC simplifies identity management by decoupling users from permissions. Instead of assigning access rights directly to a user, permissions are grouped into a Role. A user gains access to resources by being assigned as a member of that Role. RBAC architectures are categorized into four standard levels:
RBAC is the industry standard for enterprise applications due to its scalability:
RBAC faces limitations when dealing with fine-grained or contextual access requirements:
Consider an enterprise with 50,000 employees using a central HR management system. The system contains sensitive employee information, including salaries, performance reviews, and bank details. Managing individual permissions for 50,000 users is impossible. Instead, the organization defines roles:
A static Separation of Duties constraint prevents any HR Specialist from holding the Payroll Manager role. This setup ensures that no single user can create an employee record and immediately approve their own paycheck. When a new employee is hired, they are automatically placed in the "Employee" role based on their HR record. This automates provisioning and ensures consistency.
Attribute-Based Access Control is a policy-driven model that evaluates attributes of the subject, object, action, and environment to make real-time access decisions. It is the most flexible and granular access control model available.
ABAC represents a shift from static roles to dynamic, policy-based access. Instead of checking "What is the user's role?", the system checks "What are the attributes of this request?". ABAC uses four classes of attributes:
The architecture of an ABAC system is defined by the XACML standard. It contains the following key components:
ABAC provides unmatched capabilities for modern, distributed architectures:
The complexity of ABAC introduces implementation challenges:
Consider a global investment bank that exposes financial APIs to partners and internal mobile applications. The transaction APIs must be secured based on regulatory compliance, fraud prevention, and operational security. Using RBAC or DAC is impossible because permissions must adapt based on the transaction amount, the partner's compliance status, and the transaction's destination. The bank implements ABAC. They define a policy: "Allow transaction execution only if the Subject.PartnerTier is 'Gold', the Subject.RiskScore is low, the Object.TransactionValue is less than $100,000, and the Environment.Location is within the partner's registered country." If a partner tries to execute a $50,000 transaction from their approved office in London, the PEP gathers the attributes, the PDP approves it, and the transaction succeeds. If the same partner attempts the transaction from an IP address in a high-risk country, the environmental attribute triggers a policy violation, and the request is immediately denied. This occurs even though the partner's credentials and API key are completely valid.
Selecting the correct model requires comparing their operational characteristics. Architects must balance the need for security with the realities of administrative budgets and operational agility.
| Operational Dimension | Discretionary (DAC) | Mandatory (MAC) | Role-Based (RBAC) | Attribute-Based (ABAC) |
|---|---|---|---|---|
| Authority | Object Owner | System Administrator | System Administrator | Policy / Attribute Owner |
| Granularity | Coarse to Medium | Coarse (Labels) | Medium (Job roles) | Extremely Fine |
| Policy Type | Identity-based | Label-based | Role-based | Rules & Attributes |
| Administrative Overhead | Low | Extremely High | Medium | High (Initial setup) |
| Context Awareness | None | None | None | Extremely High |
| Flexibility | High | Low (Rigid) | Medium | High |
| Primary Use Case | Operating systems | Government / Defense | Enterprise IT | Cloud APIs / Zero Trust |
To guide the selection process, architects can follow this structured decision flow:
In the real world, organizations rarely rely on a single access control model. Instead, they layer these models to create a defense-in-depth architecture. A common pattern in modern enterprise applications is to combine RBAC and ABAC. The system uses RBAC to define broad, static boundaries. It then uses ABAC to perform fine-grained filtering based on runtime context.
A hospital network uses a hybrid model to protect Electronic Health Records (EHR). First, the system uses RBAC to determine user permissions. A user assigned the "Nurse" role can read and write patient files. A user in the "Billing Clerk" role can only read billing records. However, allowing all 5,000 nurses to read all patient records violates the principle of least privilege. To solve this, the hospital layers ABAC on top of the RBAC foundation. When a Nurse attempts to open a patient file, the system evaluates an ABAC policy: "Allow read access only if the Subject.Role is 'Nurse' AND the Subject.Department matches the Object.PatientDepartment AND the Subject.AssignedPatient matches the Object.PatientID." This hybrid evaluation prevents a nurse in the oncology ward from looking up files for a high-profile patient in the cardiology ward, unless they are actively assigned to that patient's care.
sequenceDiagram
autonumber
actor User as User Request
participant PEP as Policy Enforcement Point (PEP)
participant PDP as Policy Decision Point (PDP)
participant PIP as Policy Information Point (PIP)
participant Database as EHR Database
User->>PEP: Request patient record
PEP->>PDP: Forward request (User ID, Patient ID)
PDP->>PIP: Retrieve User Role & Department
PIP-->>PDP: User is Nurse, Dept: Oncology
PDP->>PIP: Retrieve Patient Department & Assigned Nurse ID
PIP-->>PDP: Patient Dept: Oncology, Assigned Nurse: User ID
PDP->>PDP: Evaluate Policy (Role && Dept && Assignment)
Note over PDP: Decision: ALLOW
PDP-->>PEP: Authorization Decision (Allow)
PEP->>Database: Query record
Database-->>PEP: Return record
PEP-->>User: Display record to userThis sequence shows how the PEP coordinates with the PDP and PIP. By fetching both static roles (RBAC) and dynamic associations (ABAC), the system makes a secure, contextual decision.
Understanding access control models is essential for building resilient security architectures. Discretionary Access Control offers the simplicity needed for collaborative environments but lacks control. Mandatory Access Control provides maximum confidentiality for military systems but introduces rigidity. Role-Based Access Control scales corporate access management by aligning permissions with job roles. Attribute-Based Access Control represents the future of identity and access management. ABAC provides the granular, context-aware policy enforcement required by Zero Trust architectures. By analyzing the pros, cons, and use cases of each model, security engineers can design hybrid systems. These hybrid systems minimize administrative complexity while protecting critical assets from unauthorized access.
Love it? Share this article:
AuthenticationSoftware Tokens in Authentication: Synchronous vs Asynchronous Authentication Methods
Learn how software tokens work in modern authentication systems, the differences between synchronous and asynchronous token mechanisms, real-world use cases, security considerations, and implementation best practices.
Jun 18, 2026Cybersecurity
cloudHacking the Cloud: Exploiting Misconfigurations and Identity Flaws
A deep dive into how attackers compromise cloud environments through misconfigurations and identity management weaknesses, with examples, attack paths, and defense strategies.
Aug 8, 2025Cybersecurity