DAC, MAC AND RBAC MODELS
INTRODUCTION
NOBODY IN AN ORGANIZATION SHOULD HAVE FREE REIN TO
ACCESS ANY RESOURCE. ACCESS CONTROL IS THE COMBINATION
OF POLICIES AND TECHNOLOGIES THAT DECIDE
WHICH AUTHENTICATED USERS MAY ACCESS WHICH RESOURCES.
SECURITY REQUIREMENTS, INFRASTRUCTURE, AND OTHER
CONSIDERATIONS LEAD COMPANIES TO CHOOSE AMONG THE
THREE MOST COMMON ACCESS CONTROL MODELS:
1) DISCRETIONARY ACCESS CONTROL (DAC)
2) MANDATORY ACCESS CONTROL (MAC)
3) ROLE-BASED ACCESS CONTROL (RBAC)
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an access control model in which the owner of an object decides who may
access it and how. It is the default model in most general-purpose operating systems and file systems.
Each protected object carries an Access Control List (ACL) that records which users (or groups) hold which
permissions on it, typically read, write and execute.
DAC is the least restrictive of the three models because an owner can grant access to other users at will and
can even hand over ownership. End users therefore control access to the objects they own: they decide what
other users may do with those objects and who owns them next.
In simple terms, DAC is only as restrictive as each individual owner chooses to make it.
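The following is an added example, not code from the original page: a minimal DAC model in Python in which every object carries an owner and an ACL, and only the owner may edit the ACL or transfer ownership. The object, user and permission names are constructed for illustration. The walkthrough in `dac_demo()` also shows the drawback described below: once ownership moves, the new owner can open the object to anyone.

```python
"""Added example of Discretionary Access Control (not from the original page).
Object, user and permission names are assumptions constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when an actor tries something ownership does not allow."""


@dataclass
class DacObject:
    """One protected object with an owner and an Access Control List.

    The ACL maps a user name to the set of permissions that user holds
    ("read", "write", "execute"). Only the owner may edit the ACL.
    """
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, user: str, perm: str) -> bool:
        # The owner always has full discretion over their own object.
        if user == self.owner:
            return True
        return perm in self.acl.get(user, set())

    def _require_owner(self, actor: str) -> None:
        if actor != self.owner:
            raise AccessDenied(f"{actor} is not the owner of {self.name}")

    def grant(self, actor: str, user: str, perm: str) -> None:
        self._require_owner(actor)
        self.acl.setdefault(user, set()).add(perm)

    def revoke(self, actor: str, user: str, perm: str) -> None:
        self._require_owner(actor)
        self.acl.get(user, set()).discard(perm)

    def transfer_ownership(self, actor: str, new_owner: str) -> None:
        self._require_owner(actor)
        self.owner = new_owner


def dac_demo() -> dict[str, bool]:
    """Walk through grant, ownership transfer and the over-sharing failure mode."""
    report = DacObject(name="q3_report.docx", owner="alice")
    # 1. The owner grants read access to a colleague; a non-owner cannot grant.
    report.grant("alice", "bob", "read")
    try:
        report.grant("bob", "mallory", "read")
        bob_could_grant = True
    except AccessDenied:
        bob_could_grant = False
    # 2. The owner hands the object to bob; alice loses all discretion over it.
    report.transfer_ownership("alice", "bob")
    # 3. The new owner, knowingly or not, opens it to an inappropriate user.
    report.grant("bob", "mallory", "read")
    return {
        "bob_could_grant_before_transfer": bob_could_grant,
        "alice_still_owner": report.owner == "alice",
        "alice_can_write_now": report.allows("alice", "write"),
        "mallory_can_read": report.allows("mallory", "read"),
    }


if __name__ == "__main__":
    for key, value in dac_demo().items():
        print(f"{key}: {value}")
```

Note that nothing in the model stops the chain in step 3: the system enforces only that the current owner made the decision, not that the decision was sensible. That is exactly the gap MAC closes.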
The benefit to this flexible system is that the end-users
can easily change and configure access permissions
based on what they think is right. The drawback is
that it often gives too much authority to them, and
they can knowingly or unknowingly pass access to
inappropriate users, leaving the system in a
vulnerable state.
DAC is a good choice for smaller setups because it is convenient and simple, and it is the least restrictive
access control type.
For larger buildings with many users, DAC is often not the best choice, for the same reasons that make it
attractive on smaller premises: the lack of central control and the ease with which owners can share access
make it unsuitable for large setups.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) sits at the opposite end of the access control spectrum and is the most
restrictive of the three models.
Unlike DAC, MAC is enforced by a central policy and by the operating system (or access control system)
itself. Only system owners and administrators define that policy, so end users and employees cannot change
access permissions, even on resources they created.
In MAC the administrator assigns every user a clearance label and every resource (an object or an area) a
classification label, following the organization's security guidelines. Access is granted or denied by
comparing the two labels against a fixed rule, for example that no user may read a resource classified
above their own clearance.
If the administrator wishes to change a user's access, they must change that user's clearance label; the
user cannot acquire permissions that their current label does not allow, and cannot change the label
themselves.
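As an added example (not code from the original page), the following Python model implements the label comparison described above using the Bell-LaPadula rules, which the page does not name but which are the classic formalization of MAC: a subject may read an object only if the subject's label dominates the object's ("no read up"), and may write to it only if the object's label dominates the subject's ("no write down"). Levels, compartments, user and object names are constructed for illustration; the administrator account name `sysadmin` is an assumption.

```python
"""Added example of Mandatory Access Control with lattice labels (not from
the original page). Levels, compartments and names are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Ordered sensitivity levels; a higher number means more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: Label) -> bool:
        """True if self is at least as high as other in the label lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class AccessDenied(PermissionError):
    """Raised when a non-administrator tries to change a label."""


class MacSystem:
    """Labels are set only by the administrator; subjects cannot change them."""

    def __init__(self, admin: str = "sysadmin") -> None:
        self.admin = admin
        self.clearances: dict[str, Label] = {}       # user -> clearance
        self.classifications: dict[str, Label] = {}  # object -> classification

    def _require_admin(self, actor: str) -> None:
        if actor != self.admin:
            raise AccessDenied(f"only {self.admin} may change labels, not {actor}")

    def set_clearance(self, actor: str, user: str, label: Label) -> None:
        self._require_admin(actor)
        self.clearances[user] = label

    def classify(self, actor: str, obj: str, label: Label) -> None:
        self._require_admin(actor)
        self.classifications[obj] = label

    def can_read(self, user: str, obj: str) -> bool:
        # Simple security property ("no read up"): subject must dominate object.
        return self.clearances[user].dominates(self.classifications[obj])

    def can_write(self, user: str, obj: str) -> bool:
        # *-property ("no write down"): object must dominate subject, so a
        # secret-cleared user cannot copy secret data into an unclassified file.
        return self.classifications[obj].dominates(self.clearances[user])


def mac_demo() -> dict[str, bool]:
    """Exercise the read and write rules and the admin-only label change."""
    system = MacSystem()
    system.set_clearance("sysadmin", "analyst", Label("secret", frozenset({"nuclear"})))
    system.set_clearance("sysadmin", "clerk", Label("confidential"))
    system.classify("sysadmin", "war_plan", Label("secret", frozenset({"nuclear"})))
    system.classify("sysadmin", "cafeteria_menu", Label("unclassified"))
    system.classify("sysadmin", "budget", Label("secret", frozenset({"crypto"})))
    # An end user trying to raise their own clearance is refused.
    try:
        system.set_clearance("analyst", "analyst", Label("top_secret"))
        self_promote = True
    except AccessDenied:
        self_promote = False
    return {
        "analyst_reads_war_plan": system.can_read("analyst", "war_plan"),
        "analyst_reads_budget": system.can_read("analyst", "budget"),     # missing compartment
        "clerk_reads_war_plan": system.can_read("clerk", "war_plan"),     # no read up
        "analyst_writes_menu": system.can_write("analyst", "cafeteria_menu"),  # no write down
        "clerk_writes_war_plan": system.can_write("clerk", "war_plan"),   # writing up is allowed
        "user_can_raise_own_clearance": self_promote,
    }


if __name__ == "__main__":
    for key, value in mac_demo().items():
        print(f"{key}: {value}")
```

The compartment check is what makes this a lattice rather than a simple ladder: the analyst is cleared for "secret" but still cannot read the "secret" budget because it is tagged with a compartment they do not hold.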
Due to its strict control, Mandatory Access Control (MAC) is usually
implemented in buildings that have confidential information to protect and
require a high level of security such as military institutions and government
organizations.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC), also called non-discretionary access control, grants permissions to
users according to their roles within the organization. Administrators define the roles and manage the
assignment of users to them.
Instead of assigning permissions to many individuals one by one, the administrator attaches permissions to
a role that corresponds to a job title. Permissions are granted to roles, and roles are assigned to users.
For example, rather than assigning access permissions to an individual who is
a project manager, access permissions are assigned to the project manager
position.
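As an added example (not code from the original page), the following Python model shows the two mappings RBAC is built on: permissions attached to roles, and users assigned to roles. The access check never looks at an individual's permissions directly, so a staffing change such as a new project manager is handled by reassigning roles, with no edits to permissions at all. Role, permission and user names, and the `sysadmin` administrator account, are assumptions constructed for illustration.

```python
"""Added example of Role-Based Access Control (not from the original page).
Role, permission and user names are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict


class AccessDenied(PermissionError):
    """Raised when a non-administrator tries to change roles or permissions."""


class Rbac:
    """Permissions attach to roles (job titles); users are assigned to roles.

    Only the administrator edits either mapping, and the access decision is
    always derived from the user's roles, never from the user directly.
    """

    def __init__(self, admin: str = "sysadmin") -> None:
        self.admin = admin
        self.role_perms: dict[str, set[str]] = defaultdict(set)  # role -> permissions
        self.user_roles: dict[str, set[str]] = defaultdict(set)  # user -> roles

    def _require_admin(self, actor: str) -> None:
        if actor != self.admin:
            raise AccessDenied(f"only {self.admin} may administer roles, not {actor}")

    def add_permission(self, actor: str, role: str, perm: str) -> None:
        self._require_admin(actor)
        self.role_perms[role].add(perm)

    def assign_role(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        self.user_roles[user].add(role)

    def revoke_role(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        self.user_roles[user].discard(role)

    def permissions_of(self, user: str) -> set[str]:
        """Effective permissions: the union over every role the user holds."""
        return set().union(*(self.role_perms[role] for role in self.user_roles[user]))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions_of(user)


def rbac_demo() -> dict:
    """Set up two job titles, then hand the project manager role to a new person."""
    rbac = Rbac()
    rbac.add_permission("sysadmin", "project_manager", "approve_timesheets")
    rbac.add_permission("sysadmin", "project_manager", "read_project_budget")
    rbac.add_permission("sysadmin", "developer", "push_code")
    rbac.assign_role("sysadmin", "carol", "project_manager")
    rbac.assign_role("sysadmin", "dave", "developer")
    # Staffing change: dave takes over as project manager. Only role
    # assignments move; the permissions on the position are untouched.
    rbac.revoke_role("sysadmin", "carol", "project_manager")
    rbac.assign_role("sysadmin", "dave", "project_manager")
    # A user cannot assign themselves a role: that is non-discretionary.
    try:
        rbac.assign_role("dave", "dave", "finance")
        self_assign = True
    except AccessDenied:
        self_assign = False
    return {
        "carol_approves_timesheets": rbac.check("carol", "approve_timesheets"),
        "dave_approves_timesheets": rbac.check("dave", "approve_timesheets"),
        "dave_pushes_code": rbac.check("dave", "push_code"),
        "dave_permissions": sorted(rbac.permissions_of("dave")),
        "user_can_self_assign_role": self_assign,
    }


if __name__ == "__main__":
    for key, value in rbac_demo().items():
        print(f"{key}: {value}")
```

Because dave holds two roles after the change, his effective permissions are the union of both; revoking the developer role later would remove `push_code` without touching anything the project manager position grants.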
The simple setup and ease of use of the system have made RBAC the most widely used access control model,
especially among system owners and administrators of both residential and commercial properties.