Access control is the process by which use of resources and services is granted or denied. When implementing access control, one of several models can be used. The following are the most commonly used access control models:
Mandatory Access Control (MAC)

Mandatory access control uses labels for both subjects (users or processes that need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space).
- Classification labels, such as secret or top secret, are assigned to objects by a classification authority (usually a managerial or governmental entity), not by the individual user who created or holds the object.
- Clearance labels are assigned to subjects by the same authority.
- A subject is granted access when its clearance dominates the object's classification: the clearance level is at least as high as the classification level, and the subject holds every category (compartment) attached to the object. Categories are how need to know is expressed in the labels.
- Access control is mandatory because the decision is based on policy (the comparison of the labels) rather than on the identity of the subject. Neither an object's owner nor any other subject can override the policy to grant access to a specific individual; only the labeling authority can change the labels, and the system enforces them.
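The label comparison described above, written out as an added example (this is not code from the original page). The four-level hierarchy, the category names and the subjects and objects are constructed for illustration; the decision function only compares labels and never looks at who the subject is.

```python
"""Label-based (MAC) read decision: clearance must dominate classification.

Added example, not from the original page. The level hierarchy, category
names and sample subjects/objects are constructed for illustration.
"""
from dataclasses import dataclass, field


# Assumed four-level sensitivity hierarchy, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label's level is at least `other`'s level AND this
        label carries every category (need-to-know compartment) `other` has."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def mac_read_allowed(clearance: Label, classification: Label) -> bool:
    """Grant a read only when the subject's clearance dominates the object's
    classification. Subject identity is not an input: two subjects with the
    same clearance get the same answer for the same object."""
    return clearance.dominates(classification)


# Constructed sample labels.
alice = Label("top secret", frozenset({"crypto", "nuclear"}))   # clearance
bob = Label("secret", frozenset({"crypto"}))                    # clearance
report = Label("secret", frozenset({"crypto"}))                 # classification
nuclear_plan = Label("secret", frozenset({"nuclear"}))          # classification
memo = Label("top secret")                                      # classification, no categories

if __name__ == "__main__":
    subjects = (("alice", alice), ("bob", bob))
    objects = (("report", report), ("nuclear_plan", nuclear_plan), ("memo", memo))
    for sname, clearance in subjects:
        for oname, classification in objects:
            print(f"{sname} reads {oname}: {mac_read_allowed(clearance, classification)}")
```

Note the two distinct ways bob is refused: `nuclear_plan` is at his level but in a category he does not hold (need to know), and `memo` has no categories at all but sits above his level.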
Discretionary Access Control (DAC)

Discretionary access control assigns access directly to subjects at the discretion (the decision) of the object's owner. Most general-purpose operating systems and file systems use discretionary access control to limit access to files and other resources.
- Each object has a discretionary access control list (DACL) made up of access control entries (ACEs), one for each subject that has been explicitly granted or denied access.
- Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions (such as read, write, or execute) the subject can perform on the object.
- With discretionary access control, subjects who hold a permission (or the right to change the DACL) can pass it on to other subjects. Once an owner has shared access, they no longer control how far it propagates.
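The DACL and the delegation behaviour above, as an added example that is not code from the original page. The right names (`read`, `write`, `delegate`), the object and the subject names are constructed; the point shown is that the owner's decision to share with one subject lets that subject share onward without the owner's involvement.

```python
"""Discretionary access control: a per-object DACL plus delegation.

Added example, not from the original page. The right names ("read", "write",
"delegate"), the object and the subject names are constructed for illustration.
"""
from collections import defaultdict


class DacObject:
    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        # DACL: one ACE per subject, each a set of rights. The owner starts
        # with every right, including the right to change the DACL ("delegate").
        self.dacl = defaultdict(set)
        self.dacl[owner] = {"read", "write", "delegate"}

    def check(self, subject: str, right: str) -> bool:
        """Access decision: a subject with no ACE gets nothing."""
        return right in self.dacl.get(subject, set())

    def grant(self, grantor: str, grantee: str, rights) -> None:
        """grantor passes rights on to grantee, at its own discretion.
        Two limits keep delegation honest: the grantor must itself hold
        'delegate', and it can only pass rights it actually holds."""
        if not self.check(grantor, "delegate"):
            raise PermissionError(f"{grantor} may not change the DACL of {self.name}")
        wanted, held = set(rights), self.dacl[grantor]
        if not wanted <= held:
            raise PermissionError(
                f"{grantor} cannot pass rights it lacks: {sorted(wanted - held)}")
        self.dacl[grantee] |= wanted

    def try_grant(self, grantor: str, grantee: str, rights) -> bool:
        """grant() that reports refusal instead of raising."""
        try:
            self.grant(grantor, grantee, rights)
            return True
        except PermissionError:
            return False


def delegation_demo() -> DacObject:
    """Owner alice shares with bob; bob shares with carol without asking alice."""
    doc = DacObject("budget.xlsx", owner="alice")
    doc.grant("alice", "bob", {"read", "delegate"})       # alice's decision
    doc.grant("bob", "carol", {"read"})                   # bob's decision; alice not involved
    assert not doc.try_grant("bob", "carol", {"write"})   # bob never held write
    assert not doc.try_grant("carol", "dave", {"read"})   # carol cannot change the DACL
    return doc


if __name__ == "__main__":
    d = delegation_demo()
    for subject in ("alice", "bob", "carol", "dave"):
        print(subject, sorted(d.dacl.get(subject, set())))
```

Real DACLs also carry deny ACEs and inheritance, which this sketch leaves out; the propagation problem is the same there.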
Role-Based Access Control (RBAC)

Role-based access control grants access based on a subject's role in the organization rather than on the individual user.
- Roles are defined by job function or security access level.
- Permissions are assigned to roles, users are made members of roles, and a user receives the permissions of every role they belong to. Access is changed by adjusting role membership rather than by editing permissions for each user.
Rule-Based Access Control

Rule-based access control restricts access by applying rules to characteristics of the object, the subject, or the request itself.
- Each access control entry identifies a set of characteristics that will be examined for a match.
- If all characteristics match, access is allowed or denied according to the rule's action. Rules are typically evaluated in order, and the first matching rule decides, so rule ordering is part of the policy.
- An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as source or destination IP address, protocol, or port number).
- Because rule-based access control does not consider the identity of the subject, and the users affected by the rules cannot change them, it is non-discretionary and is often viewed as a form of mandatory access control.
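A router-style ACL evaluator for the rule-based model above, as an added example (not code from the original page or from any router vendor). The rule fields, the addresses and the sample packets are constructed; the evaluator checks every characteristic of a rule against the packet, stops at the first match, and ends in an implicit deny when nothing matches, as most router ACLs do.

```python
"""Rule-based access control as a packet-filtering ACL.

Added example, not from the original page. The rule syntax, the addresses
and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Every characteristic in the rule must match the packet.
        Who sent the packet (a user identity) is never consulted."""
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that decided).
    Rules are tried in order and the first match wins; an ACL that
    matches nothing ends in an implicit deny (index None)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed ACL in front of an assumed web server at 10.0.0.10:
#  0. drop everything from a blocklisted range, whatever the port
#  1. allow HTTPS to the server from anywhere
#  2. allow SSH to the server only from the internal 10.0.0.0/8 range
ACL = [
    Rule("deny", src="192.0.2.0/24"),
    Rule("permit", proto="tcp", dst="10.0.0.10/32", dport=443),
    Rule("permit", proto="tcp", src="10.0.0.0/8", dst="10.0.0.10/32", dport=22),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.0.0.10", "tcp", 443),   # external HTTPS
        Packet("192.0.2.5", "10.0.0.10", "tcp", 443),      # blocklisted source
        Packet("198.51.100.7", "10.0.0.10", "tcp", 22),    # external SSH
        Packet("10.1.2.3", "10.0.0.10", "tcp", 22),        # internal SSH
        Packet("10.1.2.3", "10.0.0.10", "udp", 443),       # wrong protocol
    ]
    for p in samples:
        print(p, "->", evaluate(ACL, p))
```

Ordering is the usual source of mistakes with this model: move the blocklist rule below the HTTPS rule and the blocklisted host reaches port 443, because the permit matches first.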