5 Types of Access Control Models & Methods Explained

Access control models are an invaluable method of gatekeeping for organizations of all sizes and backgrounds. They serve as the backbone of security infrastructure, providing organizations with the means to regulate and manage access to their resources.

To accommodate organizations of all kinds, several different types of access control models can be configured to each organization’s unique needs. Keep reading to know how they shape security landscapes and safeguard valuable assets.

Have a security project?

5 Main Types of Access Control Models

1. Discretionary Access Control (DAC)

The discretionary access control system is the least restrictive of the access control models. It works based on a person’s own discretion and allows the system owner or administrator complete control over who has access permissions throughout the security system.

It often runs off common operating systems, such as Windows. It is generally easy to configure and control, using Access Control Lists and group membership to determine access to certain points.

The benefit of Discretionary Access Control is that the system administrator can easily and quickly configure access permissions, deciding who gets in and where based on what they see fit.

The downside is that this often gives too much authority to the access control list administrator, who can pass access on to inappropriate users who shouldn’t have access.

It also leaves the system vulnerable to malware (such as Trojan horses), which can infiltrate the system without the user’s knowledge, as the user’s permissions are often inherited in other access control models on the operating system.

2. Mandatory Access Control (MAC)

On the other hand, the mandatory access control model is the most restrictive of the access control models, as it allows only the system owner or administrator to control and manage the system and access points.

End users and employees have no control over user permissions or access and can only gain access to points granted to them by the system owner. Furthermore, the administrator can only change settings as laid out by the system’s parameters, which are programmed as such and cannot be circumvented.

All users are classified and labeled according to their permissions. They manage permissions to enter, assign access, and exit at certain points according to the security identifier and job title.

Suppose the system owner wishes to grant access to an end user (high-security level). In that case, they generally must create a new profile and credential for that user, as their previous classification cannot be given any permissions not already specified in their profile.

Mandatory Access Control is most beneficial for facilities and organizations where maximum security and restriction are required, such as military and government facilities, but also in corporations where security and secrecy are valued.

3. Role-Based Access Control (RBAC)

Role-based access control (RBAC), also known as non-discretionary access control, is one of the more popular forms in widespread use. RBAC assigns permission based on the position or role a user holds within the organization, and these pre-defined roles hold the appropriate permissions.

For example, if a user is classified as a “Project Engineer,” they will automatically receive permission from Project Engineers within the system.

The benefit of the role-based access control model is that it is quite simple to set up and use, and it simply has to set up pre-defined roles for users based on the administrator’s definition.

The limitations, however, are that if a user needs permissions they do not have, whether, on a one-time or more permanent basis, the administrator must grant or deny access outside their pre-defined role—which may or may not be possible, depending on the exact configuration of the access control system.

RBAC is a great option for Cloud-based Access Control systems, where user rules and permissions tend to be more dynamic and changing.

4. Rule-Based Access Control (RuBAC)

The fourth common form of access control is Rule-Based Access Control – not to be confused with Role-based.

Rule-based Access Control allows system owners and administrators to set rules and limitations on permissions, such as restricting access during certain times of day, requiring a user to be in a certain location, or limiting approved access on the device being used.

Permissions can be determined based on the number of previous access attempts, the last performed action, and the required action. This access control model is good for enforcing accountability and controlling access to certain facilities.

It’s very beneficial in that permissions and rules are dynamic, allowing the system administrator to customize them for any number of situations and needs that may arise.

Permissions can be determined using any combination of criteria, allowing for countless configurations for almost any number of unique situations. This is also great for multi-door access controls such as Brivo, Paxton, and Keyscan, where users may be restricted in which doors they can access.

Have a security project?

5. Attribute-based access control (ABAC)

Attribute-based access control (ABAC) is a dynamic access control model with access granted based on attributes associated with users, administrative resources, and environmental conditions.

Unlike traditional models, ABAC evaluates multiple attributes, such as user roles, time of access, and resource sensitivity, to make access decisions. 

Policies are defined using rules that specify conditions for access, enabling fine-grained control over permissions. ABAC enhances security by providing flexible, context-aware access control tailored to specific scenarios and requirements.

Table of Comparison

Access Control ModelDescriptionExampleFlexibilityGranularityScalabilityComplexity
Discretionary Access Control (DAC)Users control access; simple permissions setupFile/folder permissions on a computerLimited; controlled by usersLow; relies on user discretionLimited, especially in large organizationsRelatively simple
Mandatory Access Control (MAC)Central access controls on labelsGovernment security clearance levelsLow; strictly controlled by authorityMedium; based on security labelsModerate, suitable for specific needsModerate, requires careful planning
Role-Based Access Control (RBAC)Access assigned based on user rolesEmployee roles determining accessMedium; based on predefined rolesMedium to high; role-specific permissionsHighly scalable; ideal for large orgsModerate, especially in role setup
Attribute-Based Access Control (ABAC)Access is based on multiple attributesHealthcare data access based on role, location, timeHigh; decisions based on various attributesHigh; tailored to specific attributesHighly scalable; accommodates dynamic needsHigh, due to policy complexity
Rule-Based Access Control (RBAC)Access based on defined rulesFirewall rules for network trafficMedium; decisions based on rule conditionsMedium; based on rule setsHighly scalable; for specific rule-based needsModerate, especially in managing complex rules


What are the methods of access control?

Access control methods include various techniques for enforcing access control policies, such as authentication, authorization, and accounting (AAA). 

Authentication verifies users’ identities, authorization determines access requests and what resources they can access, and accounting tracks access events for auditing purposes.

Overall, an access control method can establish rules and mechanisms that dictate who can access what information, assets, or areas and under what conditions.

How does access control help enhance security?

Access control helps enhance security by ensuring that only authorized users or entities can access resources, reducing the risk of unauthorized access, data breaches, and security incidents.

Organizations can enforce security policies and protect sensitive information by implementing different types of access control methods and models.

Can access control models be integrated with existing systems? 

Yes, access control models can often be integrated with existing systems such as authentication servers, active directory services, and security appliances. Integration may involve configuring connectors, APIs, or interoperable protocols to enable communication between systems.

What are the benefits of using access control models? 

Using access control models helps organizations improve security by limiting access to authorized personnel, reducing the risk of data breaches and unauthorized users. They also enhance compliance with regulatory requirements and improve accountability by logging access events.

How do access control models contribute to cybersecurity? 

Access control models play a crucial role in cybersecurity by enforcing the principle of least privilege, ensuring that users only have access to resources necessary for their roles. This minimizes the attack surface and reduces the impact of security incidents.

Can access control models be customized? 

Yes, access control models can often be customized to fit the specific needs of an organization. Customization may involve defining additional access control rules, modifying existing policies, or integrating with third-party systems to extend functionality.

Final Words

The common access control models serve as essential gatekeepers for organizations of all sizes and industries, offering versatile solutions tailored to unique security needs.

Each access control model provides distinct advantages and considerations, from the flexibility of Discretionary Access Control to the strict oversight of Mandatory Access Control.

Role-Based Access Control simplifies permission management based on user roles, while Rule-Based Access Control offers dynamic control over access rules.

Attribute-Based Access Control enhances security by considering multiple attributes for access decisions. Each security model varies in flexibility, granularity, scalability, and complexity, catering to diverse organizational requirements.

Ready to take control of your security? Don’t wait any longer! Contact us now to schedule your access control installation. Protect your premises, assets, and peace of mind with our professional installation services. Get in touch today to get started!

Have a security project?

Do you have a security project?

About Us

Safe and Sound Security is a modern security system installation and low voltage cabling company serving residential and commercial customers for over a decade.

Do you have a
security project?


Are you looking to install a

Commercial Access Control System?

Get in touch with a Commercial Access Control System specialist today!