Access Control Schemes

DAC: Discretionary Access Control

• Least restrictive
• Each object has an owner
• Owner has discretion over who can access their objects

MAC: Mandatory Access Control

• Most restrictive
• All objects are assigned a classification label such as top secret
• All users are assigned a privilege label
• Labels exist in a hierarchy
• Permissions are granted by matching object and subject labels; subject must have an equal or higher level than the object to access

RBAC: Role-Based Access Control (aka Non-Discretionary Access Control)

• Permissions are assigned to roles in the organization
• Users are assigned to roles

Rule-Based Access Control (aka RB-RBAC: Rule-Based Role-Based Access Control)

• Objects have a set of access properties based on rules.
• The system dynamically assigns roles

ABAC: Attribute-Based Access Control

• This is similar to Rule-Based Access Control but uses more flexible policies that can combine attributes