Access control is one of the most fundamental pillars of cybersecurity and operational governance in any organization. It defines who can access specific systems, applications, data, or physical resources, ensuring that only authorized individuals can perform permitted actions. Proper access control is essential for protecting sensitive information, maintaining business continuity, and meeting regulatory obligations.
Types of Access Control
Access control models define how permissions are assigned, enforced, and managed. Different organizations choose different models based on their security needs, operational structure, and compliance requirements.
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RuBAC)
- Risk-Adaptive Access Control (RAdAC)
- Identity-Based Access Control (IBAC)
- Context-Based Access Control
- Physical Access Control
- Logical Access Control
1. Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an access control model where the owner of a resource (such as a file, folder, or database entry) has full authority to decide who can access it and what kind of access they are allowed (read, write, execute, etc.).
Where is DAC commonly used?
- Personal computers
- Small businesses
- Systems where collaboration and flexibility are more important than strict security
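To make the "owner decides" rule concrete, here is an added example (written for this page, not code from the original article) of a minimal DAC store: each resource carries an access control list, and only the resource's owner can grant or revoke entries on it. The store, the file name and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write", "execute"}


@dataclass
class Resource:
    name: str
    owner: str
    # per-user permission sets; the owner implicitly holds every permission
    acl: dict = field(default_factory=dict)


class DacStore:
    """Minimal DAC store: the resource owner alone edits the resource's ACL."""

    def __init__(self):
        self.resources = {}

    def create(self, name, owner):
        self.resources[name] = Resource(name, owner)

    def grant(self, actor, name, user, perm):
        """Owner grants `perm` on `name` to `user`; anyone else is refused."""
        res = self.resources[name]
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        if actor != res.owner:
            return False  # discretion rests with the owner only
        res.acl.setdefault(user, set()).add(perm)
        return True

    def revoke(self, actor, name, user, perm):
        """Owner removes `perm` from `user`; non-owners are refused."""
        res = self.resources[name]
        if actor != res.owner:
            return False
        res.acl.get(user, set()).discard(perm)
        return True

    def check(self, user, name, perm):
        """Access decision: the owner always passes, others need an ACL entry."""
        res = self.resources[name]
        if user == res.owner:
            return True
        return perm in res.acl.get(user, set())


def dac_demo():
    """Walk through an owner sharing a file; returns every decision made."""
    store = DacStore()
    store.create("report.docx", owner="alice")  # constructed sample data
    results = {}
    results["owner_write"] = store.check("alice", "report.docx", "write")
    results["bob_before"] = store.check("bob", "report.docx", "read")
    results["alice_grants_bob"] = store.grant("alice", "report.docx", "bob", "read")
    results["bob_after"] = store.check("bob", "report.docx", "read")
    # bob holds read access but is not the owner, so he cannot re-share it
    results["bob_grants_carol"] = store.grant("bob", "report.docx", "carol", "read")
    results["carol"] = store.check("carol", "report.docx", "read")
    results["alice_revokes_bob"] = store.revoke("alice", "report.docx", "bob", "read")
    results["bob_revoked"] = store.check("bob", "report.docx", "read")
    return results
```

The flexibility is also the weakness the comparison table calls "prone to misuse": nothing in the model stops an owner from granting read access to everyone, and a grantee who can read the content can copy it elsewhere and share the copy, which is why high-security environments layer mandatory controls on top.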
2. Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a highly strict and centralized access control model in which a central authority determines who can access specific data, systems, or resources. Permissions are assigned based on security classifications and clearance levels, and users cannot change or override these permissions.
Where is MAC used?
- Military and defense organizations
- Government agencies
- Critical infrastructure
- High-security environments with strict compliance requirements
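As an added example (not from the original article), the following implements the classic lattice form of MAC: a central authority assigns clearance levels to users and classification labels to resources, and the decision function applies the Bell-LaPadula rules "no read up" and "no write down". The levels, users and file names are constructed; note that there is deliberately no function for a user or owner to change a label.

```python
# Ordered security levels; the central authority maintains this lattice and
# the labels below. Nothing here lets a user or resource owner change them.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

# Constructed sample assignments (clearances for subjects, labels for objects).
USER_CLEARANCE = {
    "contractor": "CONFIDENTIAL",
    "analyst": "SECRET",
    "director": "TOP_SECRET",
}
RESOURCE_LABEL = {
    "budget.xlsx": "CONFIDENTIAL",
    "ops-plan.pdf": "SECRET",
    "sources.txt": "TOP_SECRET",
}


def mac_decision(user, resource, action):
    """Bell-LaPadula style check.

    read  -> allowed only if clearance dominates the label (no read up)
    write -> allowed only if the label dominates the clearance (no write down),
             so information never flows from a higher level into a lower one
    """
    clearance = LEVELS[USER_CLEARANCE[user]]
    label = LEVELS[RESOURCE_LABEL[resource]]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    raise ValueError(f"unknown action {action!r}")


def access_matrix(action):
    """Every (user, resource) decision for one action, useful for auditing."""
    return {
        (u, r): mac_decision(u, r, action)
        for u in USER_CLEARANCE
        for r in RESOURCE_LABEL
    }
```

The "no write down" rule surprises people on first contact: a SECRET-cleared analyst may not write into a CONFIDENTIAL spreadsheet, because the model cannot tell whether the write carries SECRET knowledge. That is the "inflexible" trade-off the comparison table lists against MAC.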
3. Role-Based Access Control (RBAC)
RBAC is an access control model where permissions are assigned to roles rather than to individual users. Access is based on predefined roles such as Admin, Manager, HR Staff, or Support Technician. RBAC helps enforce least privilege, i.e., users get only the permissions needed for their job function, and when a user moves to a different job role, their permissions change with the role.
Common use cases:
- An HR role can access employee records, but not financial systems.
- A database administrator role has database access but cannot modify network settings.
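The two use cases above, as an added example (written for this page, not code from the original article): users are bound to roles, roles are bound to permissions, and a job change replaces the old role set so that privileges do not accumulate. Role names, permission strings and user names are constructed.

```python
# Constructed role-to-permission map; permissions use a "resource:action" form.
ROLE_PERMISSIONS = {
    "hr_staff": {"employee_records:read", "employee_records:write"},
    "finance": {"ledger:read", "ledger:write"},
    "dba": {"database:read", "database:admin"},
    "netadmin": {"network:configure"},
}


class Rbac:
    """Users hold roles; roles hold permissions; users never hold permissions directly."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}

    def assign_role(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def change_role(self, user, new_role):
        """Job change: drop every old role first so privileges do not accumulate."""
        self.user_roles[user] = set()
        self.assign_role(user, new_role)

    def permissions(self, user):
        """Effective permissions = union of the permission sets of the user's roles."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)


def rbac_demo():
    """Exercise the HR and DBA cases, then move the HR user to Finance."""
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign_role("priya", "hr_staff")  # constructed sample users
    rbac.assign_role("dave", "dba")
    results = {
        "hr_reads_records": rbac.is_allowed("priya", "employee_records:read"),
        "hr_reads_ledger": rbac.is_allowed("priya", "ledger:read"),
        "dba_admins_db": rbac.is_allowed("dave", "database:admin"),
        "dba_configures_network": rbac.is_allowed("dave", "network:configure"),
    }
    rbac.change_role("priya", "finance")
    results["after_move_ledger"] = rbac.is_allowed("priya", "ledger:read")
    results["after_move_records"] = rbac.is_allowed("priya", "employee_records:read")
    return results
```

The `change_role` method is where least privilege is won or lost in practice: systems that only ever add roles on a job change leave users with the union of every role they have ever held, which is the "privilege creep" that access reviews exist to catch.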
4. Attribute-Based Access Control (ABAC)
ABAC is an access control model that determines authorization by evaluating attributes associated with users, resources, and the environment.
ABAC evaluates access requests using four main categories of attributes:
- User Attributes: User attributes describe characteristics of the individual requesting access. These attributes help define who the user is within the organization.
Examples: Department (e.g., HR, Finance), Job title (e.g., Manager, Analyst), Clearance level (e.g., Level 2)
- Resource Attributes: Resource attributes define properties of the object or data being accessed. These help determine how sensitive or restricted a resource is.
Examples: Data type (e.g., financial, personal), Classification level (e.g., public, confidential)
- Environment (Context) Attributes: Environment attributes capture external or situational factors that may affect access decisions. These attributes add contextual awareness to security policies.
Examples: Time of day, User location, IP address, Device type
- Action Attributes: Action attributes specify what the user intends to do with the resource.
Examples: Read, Write, Edit, Delete
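To show how the four attribute categories combine into a decision, here is an added example (not from the original article) of a small ABAC policy engine: each rule is a predicate over the user, resource, environment and action attributes, and access is denied unless some rule grants it. The departments, clearance scale, network range and business-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.0.0.0/8")  # constructed corporate address range


@dataclass(frozen=True)
class Request:
    user: dict         # who is asking (department, title, clearance ...)
    resource: dict     # what is being accessed (data_type, classification ...)
    environment: dict  # situational context (hour, ip, device_type ...)
    action: str        # read / write / edit / delete


def public_read(req):
    """Anyone may read resources classified public."""
    return req.action == "read" and req.resource["classification"] == "public"


def finance_read(req):
    """Financial data: Finance staff with clearance >= 2, business hours, corporate network."""
    return (
        req.action == "read"
        and req.resource["data_type"] == "financial"
        and req.user["department"] == "Finance"
        and req.user["clearance"] >= 2
        and 9 <= req.environment["hour"] < 18
        and ip_address(req.environment["ip"]) in CORPORATE_NET
    )


def department_edit(req):
    """Write/edit on non-confidential data owned by the user's own department,
    only from a managed device."""
    return (
        req.action in {"write", "edit"}
        and req.resource["classification"] != "confidential"
        and req.resource["owner_department"] == req.user["department"]
        and req.environment["device_type"] == "managed"
    )


POLICY = [public_read, finance_read, department_edit]


def abac_decide(req):
    """Permit if any rule grants the request; otherwise deny by default."""
    return any(rule(req) for rule in POLICY)


def make_request(department, title, clearance, data_type, classification,
                 owner_department, hour, ip, device_type, action):
    """Convenience constructor bundling the four attribute categories."""
    return Request(
        user={"department": department, "title": title, "clearance": clearance},
        resource={"data_type": data_type, "classification": classification,
                  "owner_department": owner_department},
        environment={"hour": hour, "ip": ip, "device_type": device_type},
        action=action,
    )
```

Two design points worth noticing: the engine is deny-by-default, so a missing rule fails closed, and every rule is a plain function, which keeps the policy reviewable. The "policy management can be complex" drawback in the comparison table shows up as soon as rules start to overlap and an auditor has to work out which one granted a given request.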
5. Rule-Based Access Control (RuBAC)
Rule-Based Access Control is an access control model in which authorization decisions are made by evaluating a set of rules. Instead of focusing on who the user is, RuBAC focuses on whether the access request satisfies the defined rules. These rules often evaluate contextual or system-related factors and enforce organizational policies. RuBAC is commonly used alongside other access control models rather than on its own.
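The comparison table places RuBAC with firewalls and network security, so this added example (not from the original article) models it the way a packet filter does: an ordered list of rules over source address, destination port and time of day, evaluated top to bottom with the first match deciding and a final catch-all denying everything else. The address ranges, ports and hours are constructed; the rules never consult the requester's identity.

```python
from ipaddress import ip_address, ip_network

# Constructed rule list: (name, predicate over the request, decision).
# Evaluated in order; the first matching rule wins; the last rule is a
# catch-all so that anything not explicitly permitted is denied.
RULES = [
    ("block listed range",
     lambda r: ip_address(r["src_ip"]) in ip_network("203.0.113.0/24"),
     "deny"),
    ("office LAN to web service, 08:00-20:00",
     lambda r: ip_address(r["src_ip"]) in ip_network("10.0.0.0/8")
               and r["dst_port"] == 443 and 8 <= r["hour"] < 20,
     "allow"),
    ("VPN range, SSH only, any hour",
     lambda r: ip_address(r["src_ip"]) in ip_network("192.168.100.0/24")
               and r["dst_port"] == 22,
     "allow"),
    ("default deny", lambda r: True, "deny"),
]


def evaluate(request):
    """Return (decision, matching rule name) for a request dict with
    src_ip, dst_port and hour keys; identity plays no part."""
    for name, matches, decision in RULES:
        if matches(request):
            return decision, name
    return "deny", "no rule matched"  # unreachable with the catch-all, kept as a safety net
```

Because first match wins, rule order is part of the policy: moving the "block listed range" rule below the LAN rule would silently permit the listed range during business hours, which is why changes to ordered rule sets deserve the same review as code changes.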
6. Risk-Adaptive Access Control (RAdAC)
Risk-Adaptive Access Control (RAdAC) is an access control model that makes authorization decisions based on real-time risk assessment. Instead of relying on static policies, RAdAC continuously evaluates risk factors and adapts access decisions accordingly.
RAdAC evaluates multiple risk indicators before granting access. If the risk is low, access may be granted normally. If the risk is elevated, access may be limited, require additional verification, or be denied entirely.
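The three-way outcome described above (normal access, limited or step-up access, denial), as an added example that is not part of the original article: each observed risk signal contributes a weight to a score, and the thresholds for requiring extra verification or refusing access depend on how sensitive the requested resource is. Signal names, weights and thresholds are constructed assumptions.

```python
# Constructed weights for risk signals a session might exhibit.
RISK_WEIGHTS = {
    "new_device": 20,
    "unusual_hour": 10,
    "recent_failed_logins": 15,
    "anonymizing_proxy": 30,
    "impossible_travel": 40,
}

# (step-up threshold, deny threshold) per resource sensitivity: sensitive
# resources tolerate less risk before extra verification or refusal.
THRESHOLDS = {
    "low": (40, 80),
    "high": (15, 45),
}


def risk_score(signals):
    """Sum the weights of the signals observed for this request.

    `signals` maps signal name -> bool; unknown names are rejected so a typo
    in a detector cannot silently contribute zero risk.
    """
    unknown = set(signals) - set(RISK_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk signals: {sorted(unknown)}")
    return sum(RISK_WEIGHTS[name] for name, present in signals.items() if present)


def radac_decide(signals, sensitivity):
    """Return 'allow', 'step_up' (require additional verification) or 'deny'."""
    step_up_at, deny_at = THRESHOLDS[sensitivity]
    score = risk_score(signals)
    if score < step_up_at:
        return "allow"
    if score < deny_at:
        return "step_up"
    return "deny"
```

The same session can therefore be allowed onto a low-sensitivity resource and challenged on a high-sensitivity one, which is the "adapts access decisions accordingly" behaviour in the text; the monitoring that feeds the signals is the "advanced analytics" cost the comparison table notes.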
7. Identity-Based Access Control (IBAC)
Identity-Based Access Control (IBAC) is an access control model in which authorization decisions are based on a user’s unique identity. If the system recognizes and authenticates the user’s identity and that identity has been granted permission, access is allowed.
In IBAC, permissions are directly associated with individual users rather than roles, attributes, or contextual factors.
8. Context-Based Access Control (CBAC)
Context-Based Access Control (CBAC) is an access control model that makes authorization decisions based on contextual information surrounding an access request. Rather than focusing only on who the user is, CBAC evaluates when, where, and how access is requested.
9. Physical Access Control
Physical Access Control refers to mechanisms that restrict physical entry to buildings, rooms, or secured areas. Its primary goal is to protect people, equipment, and physical assets from unauthorized access.
Common Physical Access Control Methods
- Keys and locks
- ID badges and smart cards
- Biometric systems (fingerprint, facial recognition)
- Security guards and turnstiles
10. Logical Access Control
Logical Access Control governs access to digital resources, such as computer systems, networks, applications, and data. It ensures that only authorized users can access or perform actions within information systems.
Common Logical Access Control Mechanisms
- Usernames and passwords
- Multi-factor authentication (MFA)
- Encryption and session controls
Comparison of access control types
| Access Control Type | How It Works | Common Use Cases | Advantages | Disadvantages |
| --- | --- | --- | --- | --- |
| Discretionary Access Control (DAC) | Resource owner decides who gets access | Small businesses, personal devices | Flexible, easy to implement | Least secure, prone to misuse |
| Mandatory Access Control (MAC) | Central authority assigns permissions based on security labels | Government, military, defense | Highly secure, strict enforcement | Inflexible, difficult to manage |
| Role-Based Access Control (RBAC) | Permissions are assigned to roles; users inherit roles | Enterprises, corporate IT | Scalable, easy administration, reduces errors | Can get complex with too many roles |
| Attribute-Based Access Control (ABAC) | Access based on attributes (user, resource, environment) and policies | Cloud systems, large enterprises | Fine-grained control, highly flexible | Policy creation and management can be complex |
| Rule-Based Access Control (RuBAC) | Predefined rules (time, IP, location) govern access | Firewalls, network security | Automates enforcement of policies | Rules may become complex over time |
| Risk-Adaptive Access Control (RAdAC) | Access changes dynamically based on real-time risk levels | Adaptive/Zero Trust environments | Adjusts to threats in real time | Requires advanced analytics and monitoring |
| Identity-Based Access Control (IBAC) | Permissions assigned to specific individuals | Small teams, unique-access roles | Simple, direct | Not scalable, high administrative overhead |
| Context-Based Access Control (CBAC) | Considers context (device, location, behavior) | Zero Trust, cloud access | Strong protection against credential-based attacks | Requires continuous evaluation |
| Physical Access Control | Controls physical entry to locations | Offices, data centers | Secures buildings and hardware | Needs integration with digital access control |
| Logical Access Control | Controls digital system access (apps, databases, networks) | All modern organizations | Essential for cybersecurity | Requires regular updates and strong policies |
Summary
Access control is a mechanism that defines who can access systems, data, information, or physical devices and spaces, and what actions they are permitted to perform. By implementing proper access control, an organization can safeguard its information and sensitive data, prevent unauthorized access, and maintain compliance with security standards.