Access controls are mechanisms that manage how resources are accessed and by whom. Here are some common types of access controls:

  • Role-Based Access Control (RBAC)

Permissions are assigned to specific roles rather than to individuals. Users are then assigned to these roles.

E.g. In a company, there might be roles such as “Manager” and “Employee”. The “Manager” role might have access to confidential reports, while the “Employee” does not.

  • Attribute-Based Access Control (ABAC)

Access is granted based on attributes (characteristics) of users, resources, and the environment.

E.g. A system may grant access to a file only if the user’s department is “HR” and the file’s sensitivity level is “low”.

  • Mandatory Access Control (MAC)

Access is determined by a central authority based on security policies. Users cannot change these controls.

E.g. In government or military settings, access to documents is often based on clearance level (e.g. “Top Secret”).

  • Discretionary Access Control (DAC)

Access is granted by the owner of the resource. The owner can set permissions as they see fit.

E.g. A user creates a document and grants read and write access to specific colleagues.

  • Rule-Based Access Control

Access is based on a set of rules defined by the system administrator. These rules specify conditions under which access is granted.

E.g. Access to the office network is only granted during working hours (9 AM to 5 PM).


Systems often combine multiple access control mechanisms to enhance security.

For example, Windows uses DAC for folder permissions, implements RBAC in Active Directory for managing user roles and permissions, and applies MAC through Mandatory Integrity Control (MIC), which enforces data and process integrity by assigning integrity levels (IL) to processes, files, and other objects.
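To show how these models can be layered in one decision, here is an added example (not part of the original article) of a deny-by-default check that applies MAC, the working-hours rule, RBAC, and then DAC or ABAC. All class names, labels, roles and users are hypothetical, and letting either a DAC grant or an ABAC match allow access is a design assumption of this sketch.

```python
from dataclasses import dataclass, field
from datetime import time

# All names and sample values below are constructed for illustration.
CLEARANCE = {"Public": 0, "Secret": 1, "Top Secret": 2}            # MAC labels
ROLE_PERMS = {"Manager": {"read", "write"}, "Employee": {"read"}}  # RBAC

@dataclass
class User:
    name: str
    role: str
    department: str
    clearance: str

@dataclass
class Resource:
    owner: str
    department: str
    sensitivity: str
    label: str
    acl: dict = field(default_factory=dict)  # DAC: grants set by the owner

def grant(res, actor, grantee, perms):
    """DAC: only the owner may change the resource's ACL."""
    if actor.name != res.owner:
        raise PermissionError("only the owner can grant access")
    res.acl[grantee] = set(perms)

def check(user, res, action, now):
    """Return (allowed, reason). Mandatory layers run first; default is deny."""
    # MAC: central label comparison that no user or owner can override.
    if CLEARANCE[user.clearance] < CLEARANCE[res.label]:
        return False, "MAC: clearance below label"
    # Rule-based: administrator rule, working hours only (9 AM to 5 PM).
    if not time(9) <= now < time(17):
        return False, "rule: outside working hours"
    # RBAC: the user's role must carry the requested permission.
    if action not in ROLE_PERMS.get(user.role, set()):
        return False, "RBAC: role lacks permission"
    # DAC: the owner, or someone the owner granted this action.
    if user.name == res.owner or action in res.acl.get(user.name, set()):
        return True, "DAC: owner or owner grant"
    # ABAC: department attribute must match and sensitivity must be low.
    if user.department == res.department and res.sensitivity == "low":
        return True, "ABAC: department match, low sensitivity"
    return False, "default deny"
```

Returning the reason alongside the decision makes it visible which layer blocked a request, which is the detail an access-denied audit log entry should record.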

Joao Silva
I’m Joao Silva, an Incident Response Analyst who loves everything about cybersecurity. I enjoy tackling practical challenges on platforms like TryHackMe and HackTheBox, and I’m always learning more through industry certifications. My main skills are spotting security risks, analyzing threats, and doing digital forensics. I keep up with the latest technologies and cyber threats to ensure strong security measures. In my spare time, I work on projects to improve server security and automate monitoring. I also like to share my knowledge by publishing content on my website to help others learn. I’m dedicated to protecting data and maintaining system integrity in our constantly changing digital world.
