Access Control Models
Compare RBAC, MAC, DAC, ABAC and understand when to use each
RBAC
Role-Based Access ControlAccess decisions based on user roles. Users are assigned roles, and roles have permissions. Most common in enterprise environments.
Key Characteristics
- Permissions assigned to roles, not users
- Users assigned to one or more roles
- Simplifies administration at scale
- Supports separation of duties
- Best for: Enterprise, structured orgs
MAC
Mandatory Access ControlSystem enforces access based on security labels. Users cannot change permissions - only admins can. Highest security, least flexibility.
Key Characteristics
- Classification levels (Top Secret, Secret, etc.)
- Enforced by OS/system, not users
- No discretionary sharing allowed
- Bell-LaPadula, Biba models
- Best for: Military, government, high security
DAC
Discretionary Access ControlResource owners control access. Users can share permissions at their discretion. Most flexible, but harder to audit.
Key Characteristics
- Owner decides who gets access
- Access Control Lists (ACLs)
- Flexible but decentralized
- Can lead to access sprawl
- Best for: File sharing, small teams
ABAC
Attribute-Based Access ControlAccess based on attributes (user, resource, environment). Most granular and dynamic. Complex to implement but very powerful.
Key Characteristics
- Evaluates multiple attributes
- Policies like "IF dept=HR AND time=business-hours"
- Context-aware decisions
- Supports zero trust architectures
- Best for: Cloud, dynamic environments
Rule-Based
Rule-Based Access ControlAccess determined by predefined rules, often based on conditions like time, location, or network. Used in firewalls and routers.
Key Characteristics
- Conditional access rules
- Often combined with other models
- Common in network security
- ACLs on routers/firewalls
- Best for: Network devices, time-based access
| Feature | RBAC | MAC | DAC | ABAC |
|---|---|---|---|---|
| Who Controls Access | Admins (via roles) | System/Policy | Resource Owner | Policy Engine |
| Flexibility | Medium | Low | High | Very High |
| Scalability | Excellent | Good | Poor | Excellent |
| Complexity | Medium | High | Low | Very High |
| Security Level | Medium-High | Very High | Low-Medium | High |
| Audit Trail | Good | Excellent | Difficult | Excellent |
| Least Privilege | Supported | Enforced | Hard to maintain | Dynamic |
| Context-Aware | No | No | No | Yes |
| Use Cases | Enterprise, healthcare, finance | Military, government, classified | File sharing, personal systems | Cloud, zero trust, dynamic |
Which Model Should You Use?
Describe Your Scenario
Recommendation
Configure your scenario and click "Get Recommendation"