Access Control Models

This post summarizes access control models, as considered in cybersecurity and access control.

Acccess Control Concepts

Permission refers to the access granted for an object and determine what you can do with it.

Right refers to the ability to take an action on an object

Privilege is the combination of right and permissions.

Authorization Mechanisms

Authorization mechanisms:

  • Implicit Deny
  • Access Control Matrix
    • Access Control Lists
  • Capability Table
  • Constrained Interface
  • Content-Dependent Control
  • Context-Dependent Control
  • Need to Know
  • Least Privilege
  • Separation of Duties and Responsibilities

Access Control Matrix

An access control matrix is a table that lists objects, subjects, and their privileges.

Access Control Matrix covers access control lists (ACLs).

Access Control List (ACL)

An access control list (ACL) focus on objects and which subjects can access them.

ACL are object-focused. It follows the rule-based model.

Capability Table

A capability table lists subjects and what objects they can access. the privileges assigned to subjects and identify the objects that subjects can access.

List of Access Control Models

  • DAC
  • RBAC
    • TBAC
  • RuBAC
  • ABAC
  • MAC
  • RiBC
  • IBAC
  • HBAC
  • RAC
  • OrBAC
  • ReBAC

ISC2’s CISSP certification only considers the first six as access control models, it means:

  • DAC
  • RBAC
    • TBAC
  • RuBAC
  • ABAC
  • MAC
  • RiBC

A nondiscretionary access control is one that is different to discretionary access control (DAC).

Discretionary Access Control (DAC)

Discretionary access (DAC) allows object owners to determine access to the objects.

It allows users to assign, pass or delegate rights to other subjects.

An ACL follows the DAC model.

Role-based Access Control (RBAC)

Role-based control (RBAC) is used to assign permissions based on job or function.

It is often group-based.

It is related to task-based access control (TBAC).

Task-based Access Control (TBAC)

Task-based access control (TBAC) model assigns an array of tasks to each user.

Rule-based Access Control (RuBAC)

In a rule-based access control (RuBAC) permissions or rights are granted based on parameters like an IP address, time, or other specific details that match requirements.

An example of rule-based is a firewall’s ACL.

Attribute-Based Control (ABAC)

Attribute-Based Access Control (ABAC) is called sometimes policy-based access control.

It considers four categories of attributes:

  1. Subject attributes (like department or title)
  2. Action attributes (like the ability to view, edit, or delete)
  3. Object attributes (that describe the object that can be impacted)
  4. Contextual attributes (like location, time, or elements)

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is sometimes referred as latticed-based model.

In this model, all objects and subjects have a label.

In a MAC system, the operating system (OS) enforces access control, and user cannot delegate rights.

An example of MAC is Biba security model.

Risk Based Control (RiBC)

An example of RiBC is NAC.

Intent-based Access Control (IBAC)


Host-based Access Control (HBAC)


Resource Access Control (RAC)


Organisation-based Access Control (OrBAC)


Relationship-Based Access Control (ReBAC)


Access Control Data Formats

The authentication data standard featured on this post is:


eXtensible Access Control Markup Language (XACML) is used to describe access controls.

You might also be interested in…

Leave a Reply

Your email address will not be published. Required fields are marked *