What is Access Control?

Access control is the process of authenticating a user, and governing the rules that dictate their access to digital assets within a system. There are several models that establish how an end-user accesses and edits data in a given software environment.

There are four common types of access control: Mandatory Access Control (MAC), Role-based Access Control (RBAC), Discretionary Access Control (DAC), and Attribute-based Access Control (ABAC). Let’s explore each in more detail:

Mandatory Access Control (MAC)

The Mandatory Access Control (MAC) access model gives the owner or a superuser/admin the power to manage who has access to what. In this case, the end user has no control over settings that govern access. There are 2 MAC models that are employed. The first, the Biba model, allows end users to “read up,” or view data at a higher level of privilege, and “write down,” or edit data with a lower level of privilege. The second model, Bell-LaPadula, was designed for government organizations to have stricter protocols. In Bell-LaPaula, end users can “write-up,” or edit at that level and no lower, and “read-down”, or view data at a lower level of access.

Role-based Access Control (RBAC)

The Role-based access control (RBAC) model limits entry to systems and resources based on a user’s “role.” The goal of RBAC is to prevent security breaches and protect critical systems by managing identity roles and privileges.

Traditional RBAC restricts access to individual resources and assigns a user to a pre-defined role, often based on job function. The role can access or change the data in the resource assigned to it but cannot access resources not assigned to the role.

Typically, RBAC is defined with high-level, coarse-grained access controls which allow organizations to quickly and easily define permissions over a breadth of resources. While this makes coarse-grained RBAC easier to implement, it doesn’t allow for the more precise, code-level restrictions required by many regulations to prevent accidental disclosures and maintain data privacy and security.

Legacy RBAC systems rely on static user identities. Each job function may have a corresponding role that will always have permission to access the same resources. The hardware’s capabilities limit on-premises infrastructure. An on-premises server has a limited amount of memory, and stored applications rarely change, creating static, role-based identities.

For example, anyone with the role of “manager” can always edit data. However, digital transformation lacks that limitation. Organizations use cloud-based infrastructures because they scale based on your needs at the time. If you need additional storage or expect further activity, you can increase your cloud usage for a short period. In a modernized environment, identity needs to be dynamic because the infrastructure is dynamic.

Discretionary Access Control (DAC)

The Discretionary Access Control (DAC) access model has the least amount of restriction because it allows end users to create rules that specify who has access to what. Users have complete control over any asset they “own” as well as the applications they use. It gives the end user the ability to change security settings and control what others have access to.

Attribute-based Access Control (ABAC)

The Attribute-based Access Control (ABAC) model helps you create detailed access definitions that link a user’s role to context, such as resources, IT environment, or user location. Detailed privileges, also called “fine-grained entitlements,” create multi-dimensional access controls that go beyond application access and define the accessible resources within the application.

With ABAC, you create a central identity governance and access administration policy that focuses on attributes and context. This can include user job function or time of day and resource attribute, object, or environment. Using ABAC within complex on-premises, hybrid, and cloud-based infrastructures allows you to establish an “if, then” approach to providing access to resources within your ecosystem. Unlike RBAC, which uses generalizations to grant access, ABAC allows you to create sophisticated restrictions that improve data privacy.

ABAC allows you to restrict access and grant access on a more detailed level. With ABAC, you can use “if/then” statements that define how users interact with resources. Instead of giving a user multiple roles, you can tie access to a resource to an attribute value.

For example, “If user’s <department> is HR, grant access to the HR Application.” You can also create broader definitions for the HR Manager users, such as “If user’s <title> is Manager, grant access to all HR, Training Application, and Payroll Application.” Two defined sets of attributes now grant the appropriate level of access to sensitive information.