Compare access control models (DAC, MAC, RBAC, ABAC, etc.)

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


1. DAC – Discretionary Access Control

Definition:
DAC is an access control model where the owner of a resource decides who can access it. "Discretionary" means the decision is left to the owner's discretion rather than to a system-wide policy.

Key points:

  • Resource owners assign permissions to users or groups.
  • Permissions include things like read, write, execute.
  • It’s flexible but can be risky if users give access incorrectly.

IT Example:

  • A database administrator creates a database and assigns read/write permissions to certain users.
  • A developer who owns a project folder can decide which teammates can read or edit files in that folder.

Pros:

  • Flexible and easy to implement.

Cons:

  • Less secure: the owner (or any program running as the owner, including malware) can grant access the organization never intended, so permissions can be propagated incorrectly.

2. MAC – Mandatory Access Control

Definition:
MAC is a stricter model where the system enforces access control based on rules, labels, or classifications, not the owner.

Key points:

  • Users cannot change permissions; only admins or the system can.
  • Often uses security labels like Confidential, Secret, Top Secret.
  • Common in government and military IT systems.

IT Example:

  • A sensitive database is labeled "Secret." Only users with a "Secret" (or higher) clearance can access it.
  • Even if the database owner wanted to, they could not grant access to a user without the proper clearance; only the security administrator can change labels or clearances.

Pros:

  • Highly secure; reduces human error.

Cons:

  • Less flexible; more complex to manage.
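The DAC and MAC sections above describe one difference: who decides. The following Python example, added here and not part of the CBROPS page, puts a toy DAC object store beside a toy MAC reference monitor so the contrast is visible in code. The user names, clearances and labels are assumed for illustration.

```python
# Added example, not from the CBROPS page: a toy DAC object store beside a
# toy MAC reference monitor. Names, clearances and labels are assumed.
from dataclasses import dataclass, field


# --- DAC: the object's owner edits the ACL at will ---------------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions


def dac_grant(obj, actor, grantee, perm):
    """Only the owner may change the ACL, but the owner's decision is final."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} is not the owner")
    obj.acl.setdefault(grantee, set()).add(perm)


def dac_check(obj, principal, perm):
    return principal == obj.owner or perm in obj.acl.get(principal, set())


# --- MAC: labels are set by the security admin, compared by the system -------
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
CLEARANCE = {"alice": "Secret", "bob": "Confidential"}   # assumed clearances


@dataclass
class MacObject:
    owner: str
    label: str   # classification assigned by the admin, not by the owner


def mac_check(obj, principal):
    """Read is allowed only if the subject's clearance is at least the label."""
    return LEVELS[CLEARANCE[principal]] >= LEVELS[obj.label]


def mac_grant(obj, actor, grantee):
    """Under MAC the owner has no discretion: there is nothing to grant."""
    raise PermissionError("labels and clearances are set by the administrator")


def demo():
    # DAC: alice owns a database and simply hands bob write access.
    db = DacObject(owner="alice")
    dac_grant(db, "alice", "bob", "write")
    bob_writes = dac_check(db, "bob", "write")        # True

    # The DAC weakness: anything running *as* alice can do the same, so a
    # malicious script she executes can share her data with anyone.
    dac_grant(db, "alice", "mallory", "read")
    mallory_reads = dac_check(db, "mallory", "read")  # True

    # MAC: the same database labeled Secret. bob (Confidential) is denied and
    # alice, although she owns it, cannot override the label.
    secret_db = MacObject(owner="alice", label="Secret")
    bob_reads_secret = mac_check(secret_db, "bob")    # False
    try:
        mac_grant(secret_db, "alice", "bob")
        owner_override = True
    except PermissionError:
        owner_override = False                        # False
    return bob_writes, mallory_reads, bob_reads_secret, owner_override


if __name__ == "__main__":
    print(demo())
```

The `mallory` step is the point of the DAC "Cons" bullet: the system cannot tell a deliberate grant by alice from one made by code running under her identity. Under MAC the same request is not a policy question at all; the owner simply has no verb for it.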

3. RBAC – Role-Based Access Control

Definition:
RBAC assigns permissions to roles instead of individual users. Users gain access based on their role in the organization.

Key points:

  • Roles reflect job functions: Admin, Developer, Analyst, etc.
  • Users can have multiple roles.
  • Easier to manage in large organizations than DAC.

IT Example:

  • In a company:
    • Developers can read/write code repositories.
    • Testers can only read code repositories.
    • Project managers can only view progress reports.
  • Adding a new developer means assigning the “Developer” role instead of setting individual permissions.

Pros:

  • Scalable and easier to audit.
  • Reduces mistakes compared to DAC.

Cons:

  • Needs proper role definition upfront.
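To make the "assign the Developer role instead of setting individual permissions" point concrete, here is an added Python example (not from the CBROPS page) in which permissions hang off roles and users only hold roles. The role names, resources and user names are assumed; it also shows the audit question RBAC makes cheap to answer, and what happens when a role is revoked.

```python
# Added example, not from the CBROPS page: permissions belong to roles, users
# hold roles. Role, resource and user names are assumed.
ROLE_PERMS = {
    "developer": {("repo", "read"), ("repo", "write")},
    "tester":    {("repo", "read")},
    "pm":        {("reports", "read")},
}


class Rbac:
    def __init__(self):
        self.user_roles = {}          # user -> set of roles

    def assign(self, user, role):
        if role not in ROLE_PERMS:    # roles must be defined up front
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMS[role]
        return perms

    def can(self, user, resource, action):
        return (resource, action) in self.permissions(user)

    def who_can(self, resource, action):
        """The audit question RBAC answers cheaply: who can do X to Y?"""
        return sorted(u for u in self.user_roles if self.can(u, resource, action))


def demo():
    rbac = Rbac()
    rbac.assign("dana", "developer")
    rbac.assign("tom", "tester")
    rbac.assign("pat", "pm")
    rbac.assign("pat", "tester")        # one user, two roles

    # Onboarding a new developer is a single role assignment.
    rbac.assign("newhire", "developer")
    writers = rbac.who_can("repo", "write")            # ['dana', 'newhire']
    pat_reads_repo = rbac.can("pat", "repo", "read")   # True (via tester)
    tom_writes = rbac.can("tom", "repo", "write")      # False

    # Offboarding: drop the role and every permission it carried goes with it.
    rbac.revoke("dana", "developer")
    dana_after = rbac.can("dana", "repo", "read")      # False
    return writers, pat_reads_repo, tom_writes, dana_after


if __name__ == "__main__":
    print(demo())
```

Note that `assign` refuses an undefined role: that is the "needs proper role definition upfront" con in practice. An organization that lets ad-hoc roles appear ends up with per-user permissions again, just under another name.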

4. ABAC – Attribute-Based Access Control

Definition:
ABAC uses attributes (user, resource, environment) to make access decisions. It’s dynamic and context-aware.

Key points:

  • Attributes could include:
    • User attributes: department, role, clearance.
    • Resource attributes: type, sensitivity.
    • Environmental attributes: time of day, location, device used.
  • Policies define conditions under which access is allowed.

IT Example:

  • A cloud storage system:
    • A user from the HR department can access employee records only during office hours from a corporate device.
    • Access is denied if the same user tries from a personal device or outside working hours.

Pros:

  • Highly flexible and secure.
  • Useful in cloud and dynamic IT environments.

Cons:

  • Complex to configure and maintain; a decision is only as trustworthy as the attribute sources (device posture, location, directory data) that feed the policy.
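The HR example above is a policy over three attribute sets. The following Python example, added here and not part of the CBROPS page, implements it as a deny-by-default policy decision point: a request is allowed only if some rule matches the user, resource and environment attributes. The department, record type, office hours and device categories are assumed.

```python
# Added example, not from the CBROPS page: an ABAC policy decision point over
# user, resource and environment attributes. Departments, hours and device
# categories are assumed.
from datetime import datetime


def rule_hr_records(user, resource, env):
    """HR staff may reach employee records from a corporate device in office hours."""
    return (
        user["department"] == "HR"
        and resource["type"] == "employee_record"
        and env["device"] == "corporate"
        and 9 <= env["time"].hour < 18       # 09:00-17:59
        and env["time"].weekday() < 5        # Monday-Friday
    )


POLICY = [rule_hr_records]   # any matching rule grants; nothing matching means deny


def decide(user, resource, env):
    return any(rule(user, resource, env) for rule in POLICY)


def demo():
    hr_user = {"name": "sam", "department": "HR"}
    finance_user = {"name": "kim", "department": "Finance"}
    record = {"type": "employee_record", "sensitivity": "high"}

    # Constructed request contexts: 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
    office = {"device": "corporate", "time": datetime(2024, 5, 14, 10, 30)}
    personal = {**office, "device": "personal"}
    late = {**office, "time": datetime(2024, 5, 14, 22, 0)}
    weekend = {**office, "time": datetime(2024, 5, 18, 10, 30)}

    return (
        decide(hr_user, record, office),        # True
        decide(hr_user, record, personal),      # False: wrong device
        decide(hr_user, record, late),          # False: outside office hours
        decide(hr_user, record, weekend),       # False: not a working day
        decide(finance_user, record, office),   # False: wrong department
    )


if __name__ == "__main__":
    print(demo())
```

The same user with the same role gets different answers depending on time and device, which is what separates ABAC from RBAC. The flip side is the caveat in the "Cons" bullet: if `env["device"]` is self-reported by the client rather than attested by a management agent, the policy is easy to satisfy by lying.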

5. Other Access Control Models You Might See

a. Rule-Based Access Control (RB-RBAC)

  • Despite the similar name, the decision is based on a fixed list of rules about the request (source address, port, protocol, time), not on who the user is or what role they hold.
  • Rules are typically evaluated in order, first match wins, with an implicit deny at the end, as in a router or firewall ACL.
  • Example: Block all connections from a certain IP range.
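The following Python example, added here and not part of the CBROPS page, evaluates an ordered rule list the way a router or firewall ACL does: first match wins and anything that reaches the end is denied. The address ranges (documentation ranges from RFC 5737) and ports are assumed; note that nothing in the rules refers to a user or a role.

```python
# Added example, not from the CBROPS page: an ordered, first-match rule list
# with an implicit deny, modelled on a router/firewall ACL. Ranges are assumed.
import ipaddress

RULES = [
    # (action, source network, destination port or None for any port)
    ("deny",   "203.0.113.0/24", None),   # blocked range (RFC 5737 TEST-NET-3)
    ("permit", "10.0.0.0/8",     443),
    ("permit", "10.0.0.0/8",     22),
    ("permit", "0.0.0.0/0",      443),    # everyone else may reach HTTPS
]   # implicit deny at the end, as on a Cisco ACL


def evaluate(src_ip, dst_port):
    src = ipaddress.ip_address(src_ip)
    for action, net, port in RULES:
        if src in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action          # first match wins; later rules are not consulted
    return "deny"                  # nothing matched


def demo():
    return (
        evaluate("203.0.113.7", 443),    # deny: rule 1 matches before the catch-all
        evaluate("10.1.2.3", 22),        # permit
        evaluate("10.1.2.3", 8080),      # deny: implicit, no rule matched
        evaluate("198.51.100.9", 443),   # permit: catch-all rule 4
    )


if __name__ == "__main__":
    print(demo())
```

Swapping the first and last rules would let the blocked range reach port 443, which is the usual ACL mistake: ordering is part of the policy, so a rule-based system is "automated and consistent" only as long as the list is reviewed as a whole.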

b. Lattice-Based Access Control (LBAC)

  • Often used with MAC; Bell-LaPadula style systems are built on it.
  • Users and resources carry labels made of a sensitivity level plus a set of compartments (need-to-know categories). The labels form a lattice: a subject may access a resource only if the subject's label dominates the resource's label, meaning its level is at least as high and its compartments are a superset.
  • Two labels can be incomparable (for example Secret/CRYPTO and Top Secret/NUCLEAR), in which case neither side dominates and access is denied in both directions.
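To show why "dominates" is not the same as "matches", here is an added Python example (not from the CBROPS page) that represents a label as a (level, compartments) pair and implements the dominance test. The compartment names are assumed; the level ordering follows the classifications used in the MAC section.

```python
# Added example, not from the CBROPS page: labels are (level, compartments)
# pairs and access requires dominance, the partial order of a lattice.
# Compartment names are assumed.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(subject_label, object_label):
    """subject >= object iff the level is at least as high AND the compartments
    are a superset. Neither condition alone is enough."""
    s_level, s_comp = subject_label
    o_level, o_comp = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(s_comp) >= set(o_comp)


def can_read(subject_label, object_label):
    return dominates(subject_label, object_label)


def demo():
    ts_nuclear = ("Top Secret", {"NUCLEAR"})
    secret_crypto = ("Secret", {"CRYPTO"})
    secret_both = ("Secret", {"CRYPTO", "NUCLEAR"})
    return (
        can_read(ts_nuclear, ("Top Secret", set())),   # True: same level, no compartments needed
        can_read(ts_nuclear, ("Secret", set())),       # True: dominates a lower level
        can_read(ts_nuclear, secret_crypto),           # False: higher level but lacks CRYPTO
        can_read(secret_crypto, ts_nuclear),           # False: incomparable, neither dominates
        can_read(secret_both, secret_crypto),          # True: same level, superset of compartments
    )


if __name__ == "__main__":
    print(demo())
```

The third and fourth results are the ones a "levels must match" mental model gets wrong: a Top Secret clearance does not open a Secret document in a compartment the subject was never read into.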

c. Context-Based or Risk-Adaptive Access Control

  • Dynamically adjusts permissions based on risk.
  • Example: Multi-factor authentication is required if a login attempt is from a new device.
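The following Python example, added here and not part of the CBROPS page, turns the "MFA on a new device" rule into a small risk engine: request context is scored and the score selects allow, step-up MFA or deny. The risk factors, weights, thresholds and enrolment data are assumed; a real engine would tune them from its own telemetry.

```python
# Added example, not from the CBROPS page: a risk score computed from request
# context picks allow, step-up MFA or deny. Factors, weights, thresholds and
# the enrolment data are assumed.
class RiskEngine:
    def __init__(self):
        self.known_devices = {"alice": {"laptop-4f2a"}}   # assumed enrolment data
        self.home_country = {"alice": "DE"}

    def score(self, user, device_id, country, failed_attempts):
        score = 0
        if device_id not in self.known_devices.get(user, set()):
            score += 40                         # never seen this device for this user
        if country != self.home_country.get(user):
            score += 30                         # unusual location
        score += 10 * min(failed_attempts, 5)   # recent failed logins, capped
        return score

    def decide(self, user, device_id, country, failed_attempts=0):
        s = self.score(user, device_id, country, failed_attempts)
        if s >= 80:
            return "deny"
        if s >= 40:
            return "mfa"                        # step-up before a session is issued
        return "allow"

    def enroll_device(self, user, device_id):
        """Called after a successful MFA step-up: the device stops being 'new'."""
        self.known_devices.setdefault(user, set()).add(device_id)


def demo():
    engine = RiskEngine()
    r1 = engine.decide("alice", "laptop-4f2a", "DE")        # allow  (score 0)
    r2 = engine.decide("alice", "phone-9c1e", "DE")         # mfa    (40: new device)
    engine.enroll_device("alice", "phone-9c1e")             # MFA passed, remember it
    r3 = engine.decide("alice", "phone-9c1e", "DE")         # allow  (score 0 now)
    r4 = engine.decide("alice", "laptop-4f2a", "US", 2)     # mfa    (30 + 20)
    r5 = engine.decide("alice", "tablet-0a11", "US", 2)     # deny   (40 + 30 + 20)
    return r1, r2, r3, r4, r5


if __name__ == "__main__":
    print(demo())
```

The difference from the ABAC example is the output: instead of a yes/no answer the engine chooses how much assurance to demand, and the enrolment step means the same request is scored differently after the user proves control of the device.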

Comparison Table

Model         | Who controls   | How access is determined           | Pros                      | Cons                   | IT example
DAC           | Resource owner | Owner assigns permissions          | Flexible                  | Less secure            | File owner grants read/write to colleagues
MAC           | System/Admin   | System enforces labels/clearances  | Very secure               | Complex, rigid         | Secret database accessible by clearance level
RBAC          | Admin          | Roles define access                | Scalable, easy to manage  | Needs role planning    | Developers can edit code; Testers read-only
ABAC          | Admin/System   | Attributes and policies            | Dynamic, context-aware    | Complex to maintain    | HR records accessible only during office hours, on corporate devices
Rule-Based    | Admin          | Ordered set of rules               | Automated, consistent     | Rigid                  | Block IP ranges
Lattice-Based | Admin          | Levels and compartments (dominance)| Strict, secure            | Hard to manage         | Top Secret document readable only by users cleared Top Secret

Exam Tips for 200-201 CBROPS

  • Know the difference between owner-controlled and system-controlled models: DAC = owner, MAC = system.
  • Remember RBAC is role-based; ABAC uses attributes and context.
  • Understand pros/cons and IT examples because questions may test scenario-based understanding.
  • Focus on security vs flexibility trade-offs: DAC is flexible but less secure; MAC is secure but rigid.