Access Control models are an invaluable method of gate keeping for organizations of all sizes and backgrounds. To accommodate organizations of all kinds, there are several different types of access control models that can be configured to each organization’s unique needs.
What are the most common access control models? Access control models are commonly split into 3 main categories – Mandatory Access Control, Discretionary Access Control and Role-Based Access Control. There is now a 4th type becoming popular – Rule-Based Access Control.
What do each of these access control models entail, and what benefits do they offer users and administrators?
Discretionary Access Control
The discretionary access control system is the least-restrictive form of the access control models and allows the owner or administrator of the system complete control over who has access and permissions throughout the system. It often runs off common operating systems, such as Windows, and is generally easy to configure and control, using Access Control Lists and group membership to determine access to certain points.
The benefit to Discretionary Access Control is that the administrator can easily and quickly configure permissions, deciding who gets in and where, based on what they see fit. The downside is that this often gives too much authority to the administrator of the list, who can pass access on to inappropriate users who shouldn’t have access. It also leaves the system vulnerable to malware (such as Trojan horses) which can infiltrate the system without the user’s knowledge, as the user’s permissions are often inherited in other programs on the operating system.
Mandatory Access Control Systems
Mandatory access control, on the other hand, is the most restrictive form of the access control models, as it gives control and management of the system and access points to only the system owner or administrator. End users and employees have no control over permissions or access and can only access the points granted to them by the system owner. Furthermore, the administrator can only change settings as laid out by system’s parameters itself, which are programmed as such and cannot be circumvented.
All users are classified and labeled according to their permissions, and receive permissions to enter, access and exit certain points according only to their specified classification level. If the system owner wishes to grant higher-level access to a user, they generally must create a new profile and credential for that user, as their previous classification cannot be given any permissions not already specified in their profile.
Mandatory Access Control is most beneficial for facilities and organizations where maximum security and restriction are required, such as military and government facilities, but also in corporations where security and secrecy are valued.
Role-Based Access Control
Role-based access control (RBAC) is also known as non-discretionary access control and is one of the more popular forms in widespread use. RBAC assigns permission based on the position or role a user holds within the organization, and these pre-defined roles hold the appropriate permissions. For example, if a user is classified as “Project Engineer,” they will automatically receive the permissions entitled to Project Engineers within the system.
The benefit to this access control model is that it is quite simple to setup and use, especially for the system owner or administrator, who simply has to setup predefined roles with appropriate permissions. The limitations, however, are that if a user needs permissions they do not have, whether on a one-time or more permanent basis, the administrator must grant them permission outside their predefined role – which may nor may not be possible, depending on the exact configuration of the access control system.
RBAC is a great option for Cloud-based Access Control systems, where the the rules and permissions between users tend to be more dynamic and changing.
Rule-Based Access Control
The fourth common form of access control is Rule-Based Access Control – not to be confused with Role-based. Rule-based Access Control allows system owners and administrators to set rules and limitations on permissions as needed, such as restricting access during certain times of day, requiring a user to be in a certain location, or limiting access based on the device being used. Permissions can even be determined based on number of previous access attempts, last performed action and required action.
This access control model is good for enforcing accountability and controlling when and where employees have access to certain facilities. It’s very beneficial in that permissions and rules can be dynamic, allowing the system administrator to customize them for any number of situations and needs that may arise. Permissions can be determined in any combination criteria, allowing for countless configurations for almost any number of unique situations. It’s also great for multi-door access controls such as Brivo, Paxton, and Keyscan, where users may be restricted in which doors they can access.