Access Control, which should you use?


Access control is a security measure that determines who is allowed to enter or access a certain area or system. Several different access control models can be used to control access in various settings, including physical spaces and computer systems. If you’re developing an application, you should know what controls exist and which should be used.

Discretionary Access Control (DAC)

Discretionary access control (DAC) is a model that allows the owner of a resource (typically a file) to decide who (user or group) can access it. In this model, the owner of the resource (typically the creator) has the discretion to grant or revoke access to specific users or groups. DAC is often used in personal computer systems, where the owner of the system can decide which files and programs other users are allowed to access. You would typically see this used in small business environments, or on home computers with more than one user sharing files.

For example, suppose you own a personal computer with several files stored on it. Under a discretionary access control model, you have the discretion to decide which files other users are allowed to access. You might allow one of your teammates to access a project file, but not your other coworkers who don’t need to see the private information.

In this example, you are the owner of the resource (the computer and the files stored on it) and you have the discretion to grant or revoke access to specific users. This is an example of discretionary access control in action.

Mandatory Access Control (MAC)

Mandatory access control (MAC) is a model that enforces strict rules for access based on a user’s clearance level and the sensitivity of the resource. In this model, access to a resource is determined by the system and cannot be changed by the owner of the resource. MAC is often used in military and government systems, where the security of sensitive information is of high importance.

For example, suppose you work for a government agency and have access to classified information. Under a mandatory access control model, your access to this information is determined by your clearance level and the sensitivity of the information. You might have a “Top Secret” clearance, which allows you to access information that is classified as “Top Secret,” “Secret,” and “Confidential.” However, you would not be able to access information that is classified as “Top Secret/SCI” (Sensitive Compartmented Information) unless you have a specific SCI clearance.

SELinux is another example of MAC. Processes running on a web server can be given a label that determines what they may access. The web server can be labeled with apache, allowing it to access the files and folders needed to serve incoming requests. However, if the server tries to access a resource on the system that doesn’t allow that label (e.g. passwd), the access is denied based on that label.

Role-Based Access Control (RBAC)

Role-based access control (RBAC) is a model that grants access based on a user’s role or job function. In this model, users are assigned to specific roles, and each role is given certain permissions to access certain resources. RBAC is often used in large organizations where there are many users and multiple levels of access.

Imagine that you work for a large company with multiple departments and multiple levels of access. Under a role-based access control model, you and your coworkers are assigned to specific roles, and each role is given certain permissions to access certain resources. For example, you might be a customer service representative, which gives you access to the customer service database and the company’s CRM system. However, you might not have access to the company’s financial records or HR files, as these resources are only accessible to employees in specific roles, such as finance managers or HR managers.

Rule-Based Access Control (RBAC)

Rule-based access control (RBAC) is a model that uses specific rules to determine which users are allowed to access a resource. In this model, access is granted or denied based on the evaluation of a set of rules that define the conditions under which access is permitted. RBAC is often used in systems where the access requirements are complex and dynamic.

Imagine that you work for a healthcare organization and you have access to patient records. Under a rule-based access control model, access to patient records is granted or denied based on the evaluation of a set of rules that define the conditions under which access is permitted. For example, one rule might state that only healthcare providers with a valid medical license are allowed to access patient records, while another rule might state that patients are only allowed to access their own records.

Identity-Based Access Control (IBAC)

Identity-based access control (IBAC) is a model that grants access based on a user’s identity. In this model, access is granted or denied based on the user’s identity, which is often verified through the use of a username and password. IBAC is often used in online systems, such as websites and cloud-based applications.

For example, suppose you use an online banking app to access your account. Under an identity-based access control model, you are granted access to your account by verifying your identity using a username and password. When you enter your username and password, the system checks to ensure that they match the credentials stored in the system. If the credentials match, you are granted access to your account. If the credentials do not match, access is denied.

Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) is a model that grants access based on a user’s attributes or characteristics. In this model, access is granted or denied based on the evaluation of a set of attributes, such as the user’s location, role, or clearance level. ABAC is often used in complex systems where access requirements are based on multiple factors.

Imagine that you work for a company that has a secure database containing sensitive information. Under an attribute-based access control model, access to the database is granted or denied based on the evaluation of a set of attributes, such as the user’s location, role, or clearance level. For example, a user with a “Top Secret” clearance and the role of “Security Manager” might be granted access to the database from any location, while a user with a “Confidential” clearance and the role of “Project Manager” might only be granted access to the database from specific locations.
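The two policies in the paragraph above can be written as data and evaluated with a default-deny decision function. This is an added example, not code from the original article; the location names "HQ" and "Branch" and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    clearance: str
    role: str
    locations: Optional[frozenset]  # None means "any location"


# The two policies from the paragraph above. The location names are
# constructed placeholders; the article does not name any.
POLICIES = (
    Policy("Top Secret", "Security Manager", None),
    Policy("Confidential", "Project Manager", frozenset({"HQ", "Branch"})),
)


def decide(user: dict, location: str) -> tuple:
    """Return (allowed, reason). Anything no policy covers is denied."""
    for p in POLICIES:
        # Every attribute the policy names must match; a missing
        # attribute (user.get returns None) never matches.
        if (user.get("clearance"), user.get("role")) != (p.clearance, p.role):
            continue
        if p.locations is None or location in p.locations:
            return True, f"matched {p.role} policy"
        return False, f"{p.role} not permitted from {location}"
    return False, "no policy matches these attributes"


def is_allowed(user: dict, location: str) -> bool:
    return decide(user, location)[0]
```

A user whose attribute combination appears in no policy, such as a “Top Secret” Project Manager, is denied rather than falling through to an implicit allow, and the returned reason can be written to an audit log.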

Lattice-Based Access Control (LBAC)

Lattice-based access control (LBAC) is a model that grants access to resources based on a user’s position in a hierarchical lattice structure. In this model, each user is assigned a security clearance level and each resource is assigned a sensitivity level. Access is granted or denied based on the relationship between the user’s clearance level and the resource’s sensitivity level.

For example, in a lattice structure with three levels (low, medium, and high), a user with a “medium” clearance might be granted access to resources with “low” and “medium” sensitivity, but not to resources with “high” sensitivity. Similarly, a user with a “high” clearance might be granted access to all resources, regardless of their sensitivity level.
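The level comparison described above, and the “Top Secret/SCI” case from the MAC section, are both instances of a dominance check on security labels. The following is an added example, not code from the original article, and it goes beyond the three-level chain by adding compartments, which is what makes some labels incomparable; modelling SCI as a single compartment named "SCI" is a simplifying assumption.

```python
from dataclasses import dataclass

# Ordered classification levels taken from the MAC section above.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's AND A holds
        # every compartment B carries. Both conditions are required.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only when the subject's label dominates the object's."""
    return subject.dominates(obj)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b.

    Useful for labelling data derived from two differently labelled sources.
    """
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments & b.compartments)
```

With compartments the ordering is only partial: a “Secret” label carrying the SCI compartment and a plain “Top Secret” label dominate neither each other, and `join` gives the label a subject would need to read both.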