Access control governs which subjects may access which system resources. The subject's identity is authenticated first, and only then is access to the system granted or refused. Access control identifies the user or system (the subject) that requests access to a resource (the object) and authorises, or denies, that subject's access to the object (data or resource). In cybersecurity one often meets the terms permissions, rights, and privileges. They are frequently used interchangeably, but they do not always mean the same thing: permissions describe the access granted on an object (for example, read or write on a file), rights describe the ability to take an action on a system (for example, changing the system time), and privileges is the broad term covering both.
Four common access control models are:
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Mandatory Access Control (MAC)
Rule-Based Access Control (Rule-BAC)
Discretionary Access Control (DAC)
Discretionary access control (DAC) allows the owner, creator, or data custodian of an object to control and define the access rights a subject has over that object. Every object has an owner, and access decisions rest on the discretion of that owner. For example, if a user creates a new spreadsheet file, that user is the owner of the file. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Identity-based access control is a subset of DAC: the system identifies users by their identity and assigns ownership of resources to those identities.
A DAC model is implemented using access control lists (ACLs) on objects. Each ACL defines the types of access granted or denied to specific subjects. DAC offers no centrally controlled management, because owners can alter the ACLs on their own objects at will. This makes access to objects easy to change, especially compared with the static nature of mandatory access control, but it also means that a careless or compromised owner can share an object as widely as they like, and no central policy stops them.
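The following is an added example, not code from the study guide: a minimal DAC model in which every object carries an owner and an ACL, the ACL is consulted for every access check, and only the owner may change the ACL. The users and the file name are constructed for the illustration.

```python
"""Added example (not from the CISSP Study Guide): a minimal discretionary
access control model. Each object has an owner and an ACL mapping subjects
to the permissions they hold; only the owner may edit the ACL."""

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a non-owner tries to change an object's ACL."""


@dataclass
class Obj:
    name: str
    owner: str
    # ACL: subject -> set of permissions granted ("read", "write", "delete")
    acl: dict[str, set[str]] = field(default_factory=dict)


class DacSystem:
    def __init__(self) -> None:
        self.objects: dict[str, Obj] = {}

    def create(self, subject: str, name: str) -> Obj:
        # The creator becomes the owner and receives full rights by default.
        obj = Obj(name=name, owner=subject,
                  acl={subject: {"read", "write", "delete"}})
        self.objects[name] = obj
        return obj

    def check(self, subject: str, name: str, perm: str) -> bool:
        # Access decision: is the permission present in the object's ACL for this subject?
        obj = self.objects[name]
        return perm in obj.acl.get(subject, set())

    def _require_owner(self, actor: str, obj: Obj) -> None:
        # The "discretionary" part: only the owner may change who can do what.
        if actor != obj.owner:
            raise AccessDenied(f"{actor} is not the owner of {obj.name}")

    def grant(self, actor: str, name: str, subject: str, perm: str) -> None:
        obj = self.objects[name]
        self._require_owner(actor, obj)
        obj.acl.setdefault(subject, set()).add(perm)

    def revoke(self, actor: str, name: str, subject: str, perm: str) -> None:
        obj = self.objects[name]
        self._require_owner(actor, obj)
        obj.acl.get(subject, set()).discard(perm)


def demo() -> dict[str, bool]:
    """Walk through the spreadsheet scenario with constructed users alice, bob and carol."""
    dac = DacSystem()
    dac.create("alice", "budget.xlsx")          # alice owns the new spreadsheet
    results = {}
    results["bob_read_before"] = dac.check("bob", "budget.xlsx", "read")
    dac.grant("alice", "budget.xlsx", "bob", "read")   # owner shares read access
    results["bob_read_after"] = dac.check("bob", "budget.xlsx", "read")
    results["bob_write"] = dac.check("bob", "budget.xlsx", "write")
    try:
        dac.grant("bob", "budget.xlsx", "carol", "read")  # bob is not the owner
        results["bob_grant_allowed"] = True
    except AccessDenied:
        results["bob_grant_allowed"] = False
    dac.revoke("alice", "budget.xlsx", "bob", "read")  # owner withdraws access at will
    results["bob_read_revoked"] = dac.check("bob", "budget.xlsx", "read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that nothing outside the owner constrains what alice grants; that absence of central policy is exactly the difference from MAC described later in the page.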
Role-Based Access Control (RBAC)
Role-based access control (sometimes called task-based access control) defines a subject's ability to access an object based on the subject's role or assigned tasks. Role-based access control is often implemented using groups: permissions are assigned to the group, and users receive them by membership.
When an organisation onboards a new employee, administrators simply add the new employee's account to the appropriate group, and the new employee automatically has the same permissions as the other members of that group. This supports the principle of least privilege and helps prevent privilege creep, provided that users are also removed from groups they no longer need. Privilege creep is the tendency for privileges to accumulate over time as users change roles and their access needs change but their old permissions are never revoked.
Role-based access controls are useful in dynamic environments with frequent personnel changes, because administrators can grant a whole set of permissions simply by adding a user to the appropriate role. Users can belong to multiple roles or groups, in which case their effective permissions are the union of the permissions of all their roles.
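As an added example (not code from the study guide), the block below models RBAC with roles as groups: permissions attach to roles, users hold one or more roles, and the effective permission set is the union. It also shows the difference between a role change that removes the old role and one that merely adds the new one, which is how privilege creep happens. The roles, permissions and user names are constructed for the illustration.

```python
"""Added example (not from the CISSP Study Guide): role-based access control
with roles as groups, plus a simple privilege-creep report."""

# Constructed role -> permission mapping. Permissions are opaque strings here.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance":  {"ledger:read", "ledger:write"},
    "auditor":  {"ledger:read", "repo:read"},
}


class Rbac:
    def __init__(self, role_permissions: dict[str, set[str]]) -> None:
        self.role_permissions = role_permissions
        self.user_roles: dict[str, set[str]] = {}

    def add_to_role(self, user: str, role: str) -> None:
        # Onboarding is a single group membership change.
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def remove_from_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def change_role(self, user: str, old: str, new: str) -> None:
        # A proper role change removes the old role; only adding the new one
        # leaves the old permissions behind and causes privilege creep.
        self.remove_from_role(user, old)
        self.add_to_role(user, new)

    def permissions(self, user: str) -> set[str]:
        # Effective permissions are the union over all roles the user holds.
        return set().union(*(self.role_permissions[r]
                             for r in self.user_roles.get(user, set())))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def privilege_creep_report(self, expected: dict[str, set[str]]) -> dict[str, set[str]]:
        # Compare actual role membership with the roles each user's current job
        # requires; anything extra is accumulated privilege that should be revoked.
        report: dict[str, set[str]] = {}
        for user, roles in self.user_roles.items():
            extra = roles - expected.get(user, set())
            if extra:
                report[user] = extra
        return report


def demo() -> dict:
    rbac = Rbac(ROLE_PERMISSIONS)
    results: dict = {}

    rbac.add_to_role("dana", "engineer")                 # onboarding: one group add
    results["dana_ci_run"] = rbac.check("dana", "ci:run")
    results["dana_ledger_read"] = rbac.check("dana", "ledger:read")

    rbac.add_to_role("dana", "finance")                  # sloppy transfer: old role kept
    results["creep_before"] = rbac.privilege_creep_report({"dana": {"finance"}})

    rbac.change_role("dana", "engineer", "finance")      # correct transfer: old role removed
    results["creep_after"] = rbac.privilege_creep_report({"dana": {"finance"}})
    results["dana_repo_write_after"] = rbac.check("dana", "repo:write")

    rbac.add_to_role("erin", "engineer")                 # a user legitimately in two roles
    rbac.add_to_role("erin", "auditor")
    results["erin_perms"] = rbac.permissions("erin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The privilege-creep report is the check a practitioner actually wants from RBAC: a periodic comparison of role membership against what each user's current position requires.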
Mandatory Access Control (MAC)
A mandatory access control (MAC) model relies on classification labels. Each label represents a security domain, or realm of security: a collection of subjects and objects that share a common security policy. For example, a security domain could carry the label Secret, and the MAC model would protect every object labelled Secret in the same way. Subjects can access objects labelled Secret only when they themselves hold a Secret label, and the requirement for obtaining the Secret label is the same for every subject. Users are assigned labels according to their clearance level, which is a form of privilege; objects are assigned labels that indicate their level of classification or sensitivity. For example, the U.S. military uses the labels Top Secret, Secret, and Confidential to classify data.
Administrators can grant access to Top Secret data to users who hold Top Secret clearances. However, administrators cannot grant access to Top Secret data to users with lower clearances such as Secret or Confidential: the labels, not the administrator's discretion, decide, which is what makes the control mandatory rather than discretionary.
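The block below is an added example, not code from the study guide. It models a hierarchical MAC policy with the three military labels named above (plus an Unclassified floor, which is an assumption of the example): a subject may read an object only when its clearance is at least the object's classification, as the paragraph above implies when it says that a Top Secret clearance is needed for Top Secret data. It also goes slightly beyond the page by adding the matching no-write-down rule from the Bell-LaPadula model, so that a Top Secret user cannot copy Top Secret data into a Secret object, and it shows that an administrative grant cannot override the labels. Users and object names are constructed.

```python
"""Added example (not from the CISSP Study Guide): hierarchical mandatory
access control. Access follows from labels alone; there is no per-object
grant that an owner or administrator can use to bypass the policy."""

from enum import IntEnum


class Level(IntEnum):
    # Ordered so that a higher clearance dominates a lower classification.
    UNCLASSIFIED = 0   # assumed floor, not one of the three labels on the page
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class PolicyViolation(Exception):
    """Raised when someone tries to grant access the labels forbid."""


class MacSystem:
    def __init__(self) -> None:
        self.clearance: dict[str, Level] = {}
        self.classification: dict[str, Level] = {}

    def set_clearance(self, user: str, level: Level) -> None:
        self.clearance[user] = level

    def label_object(self, obj: str, level: Level) -> None:
        self.classification[obj] = level

    def can_read(self, user: str, obj: str) -> bool:
        # Simple security property ("no read up"): clearance must dominate the label.
        return self.clearance.get(user, Level.UNCLASSIFIED) >= self.classification[obj]

    def can_write(self, user: str, obj: str) -> bool:
        # *-property ("no write down"): a subject may only write to objects at or
        # above its own level, so high data cannot flow into a lower-labelled object.
        return self.clearance.get(user, Level.UNCLASSIFIED) <= self.classification[obj]

    def admin_grant(self, admin: str, user: str, obj: str) -> None:
        # In MAC the administrator has no discretion: a grant that the labels do not
        # already permit is refused, whoever asks for it.
        if not self.can_read(user, obj):
            raise PolicyViolation(
                f"{admin} cannot grant {user} ({self.clearance[user].name}) access to "
                f"{obj} ({self.classification[obj].name})")
        # Nothing to record: access already follows from the labels.


def demo() -> dict[str, bool]:
    mac = MacSystem()
    mac.set_clearance("alice", Level.TOP_SECRET)
    mac.set_clearance("bob", Level.SECRET)
    mac.label_object("war_plan", Level.TOP_SECRET)
    mac.label_object("duty_roster", Level.SECRET)

    results = {}
    results["alice_reads_ts"] = mac.can_read("alice", "war_plan")
    results["bob_reads_ts"] = mac.can_read("bob", "war_plan")
    results["alice_reads_secret"] = mac.can_read("alice", "duty_roster")
    results["alice_writes_secret"] = mac.can_write("alice", "duty_roster")
    results["bob_writes_ts"] = mac.can_write("bob", "war_plan")
    try:
        mac.admin_grant("root", "bob", "war_plan")   # Secret user, Top Secret object
        results["admin_override"] = True
    except PolicyViolation:
        results["admin_override"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Compare this with the DAC example: there the owner's grant was the whole decision; here the grant is merely validated against labels the owner does not control.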
Rule-Based Access Control (Rule-BAC)
A rule-based access control (rule-BAC) model uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. This includes granting a subject access to an object or granting the subject the ability to perform an action. The distinctive characteristic of rule-BAC is that its rules are global: they apply to all subjects regardless of identity or role. The most common example of a rule-BAC model is a firewall.
A firewall holds an ordered set of rules, or filters, in an ACL defined by an administrator. It examines every packet passing through it and applies the action (allow or deny) of the first rule the packet matches. Because evaluation stops at the first match, rule order matters, and traffic that matches no rule is handled by a default rule, which in a well-configured firewall is to deny.
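As an added example (not code from the study guide), the block below implements the firewall-style rule evaluation just described: an ordered list of allow/deny rules matched on protocol, source and destination network and destination port, first match wins, and an implicit default deny. The rule set and the packets are constructed, using documentation address ranges, and a second function shows how reordering the same rules changes the decision.

```python
"""Added example (not from the CISSP Study Guide): rule-based access control
as a packet filter. Rules are global (they never mention a user or role),
evaluated in order, and the first match decides."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """All fields of the rule must match for the rule to apply."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    # First-match semantics: walk the ACL top to bottom and return the action of
    # the first matching rule. Packets matching nothing fall through to the default.
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set. The blocklist rule is deliberately first so that it
# wins over the broad "allow HTTPS from anywhere" rule below it.
RULES: list[Rule] = [
    Rule("deny",  "any", "198.51.100.0/24", "0.0.0.0/0",    None),  # blocklisted network
    Rule("allow", "tcp", "0.0.0.0/0",       "10.0.0.5/32",  443),   # HTTPS to the web server
    Rule("allow", "tcp", "10.0.0.0/8",      "10.0.0.10/32", 22),    # SSH only from inside
]

# Constructed sample traffic.
PACKETS: dict[str, Packet] = {
    "https_from_internet":   Packet("tcp", "203.0.113.7",   "10.0.0.5",  443),
    "ssh_from_internet":     Packet("tcp", "203.0.113.7",   "10.0.0.10", 22),
    "ssh_from_inside":       Packet("tcp", "10.0.3.9",      "10.0.0.10", 22),
    "https_from_blocklist":  Packet("tcp", "198.51.100.20", "10.0.0.5",  443),
    "udp_443_from_internet": Packet("udp", "203.0.113.7",   "10.0.0.5",  443),
}


def demo() -> dict[str, str]:
    """Decision for each sample packet under the rule set as written."""
    return {name: evaluate(RULES, pkt) for name, pkt in PACKETS.items()}


def demo_reordered() -> str:
    """Same rules in reverse order: the blocklisted host now matches the broad
    HTTPS allow rule first, showing that rule order is part of the policy."""
    return evaluate(list(reversed(RULES)), PACKETS["https_from_blocklist"])


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
    print("https_from_blocklist with reversed rules:", demo_reordered())
```

Note that none of the rules refers to a subject's identity or role: the same ordered list is applied to every packet, which is the "global rules" property the paragraph above names as the hallmark of rule-BAC.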
References
Certified Information Systems Security Professional Study Guide, Seventh Edition