Ready to Start Your Career?

Types of Access Control

Gabriel Schram's profile image

By: Gabriel Schram

June 8, 2021

Human users are at the base of data protection. Therefore, determining who has access to certain resources is a major concern for organizations. Access control refers to which users and/or processes have access to specified resources within an organization or network. An access control list contains all of the rules for the varying levels of access to portions of a network or an organization's assets. Maintaining a solid access control policy is essential to organizations' data protection; this is customer data for some organizations.

Poor access control leads to users or employees having access to something they should not have access to; this could be in person or online. Determining which type of access control works for a given network or organization depends on several factors. Analyzing access control and its subsets is vital to rounding out secure data storage. This realization has led to the rise of several access control technologies, such as keypads, access cards, RFID, and other types of authentication. Access control can be separated into several different types with varying implementations. Four of the most recognized types of access control include mandatory, discretionary, attribute-based, and role-based.

Mandatory Access Control (MAC)

Mandatory access control (MAC) is a model that includes several layers of security clearance based on the user or employee. Users are assigned labels that will determine which objects they have access to. A central authority determines the level of access for users. MAC is a more strict type of access control method because it does not allow users to access or specify permissions to change any existing access control policies. MAC can also be implemented with need-to-know permissions. This means users that meet the clearance for a specified resource could be denied access because it is not needed for their role.

Discretionary Access Control (DAC)

Under discretionary access control (DAC), administrators/owners will have control of the protected system and create policies for which users will access them. Under DAC, every resource in the implemented system requires an owner. The owner will set the object's permissions. Once a user is given permissions, they could potentially provide access to others at their discretion. This method is convenient because there is little oversight needed from system administrators. However, a lack of oversight could also introduce serious risks.

Role-Based Access Control (RBAC)

Role-Based access control (RBAC) dictates resource access based on users' position in the organization or network. Under proper RBAC, users will only have access to what is needed for their job or their "role." This rule is also referred to as the principle of least privilege. If users need access to resources outside of their defined role, system administrators will need to approve it.

Attribute-Based Access Control(ABAC)

Attribute-based access control (ABAC) is a more dynamic model because it uses boolean logic based on attribute tags. This means the characteristics of an object or resource will be correlated with the user attempting to access it based on a series of if-then statements. Policy rules are determined by evaluating attributes for the subject (the user), the object (the resource), and their environment. Implementation of ABAC can become difficult when the number of attributes is large and environmental conditions vary. This could lead to an excess of potential combinations between the subject, object, and environment.

Access Control in Cybersecurity

The proper implementation of access control is essential to data protection, particularly in the workplace. Companies need to properly secure their employees' data and their customers' data to maintain confidentiality and integrity, which is why access control is so important to cybersecurity. Poor access control policies lead to the wrong people accessing resources they should not be able to. This is the difference between a secure environment and a major compromise or data breach from a vulnerability standpoint. Access control is set by rules and policies that distinguish objects and subjects related to the resource access of an organization or networktext in italic.

Determining which access control model works best for an organization greatly depends on the stored data's confidentiality and size. Organizations with stringent standards for information security and confidentiality are more likely to use MAC. Organizations that want more permissiveness and less interference from a system administrator are more likely to prefer DAC. RBAC and ABAC are more flexible access control methods because they offer more dynamic options in access control rules and policies. Whatever the case may be, the varying types of access control serve the same purpose: data protection while maintaining the necessary accessibility. Finding this equilibrium is the goal in choosing the right access control model.

References Martin, J. A. (2019). What is access control? A key component of data security. Retrieved from

Saydjari, S. (2018). Engineering trustworthy systems. New York: McGraw-Hill.

Schedule Demo