4 types of access control: what you need to know + how to implement
Learn about the 4 main types of access control, how they work and how to choose the right one for your company.
As more organizations move their operations to the cloud and embrace remote or hybrid work, access control is more important than ever, particularly when it comes to preventing cyberattacks. It’s what determines who gets into your network, system, or data and what they’re allowed to do once in.
Access control is primarily used to restrict access to valuable resources from unauthorized users, hackers, and thieves. And while it can’t block every single threat, it’s quite effective at preventing data breaches, preserving confidentiality, and maintaining data integrity.
There are different types of access control, and an organization's choice often hinges on factors like its size, the IT resources at its disposal (both expertise and infrastructure), and its security needs.
In this article, we’ll review the different types of access control, how they work, their pros and cons, and walk you through how to choose the right type for your organization’s needs.
What is access control?
Access control is a security process that determines who can access certain resources (files, folders, apps, programs, etc.) and what they can do with them. It’s used to restrict access to sensitive data and apps to only authorized users.
Access control involves assigning users or groups (could also be devices) different permissions to access resources based on predefined rules. These rules are based on a wide range of factors, including the role of the user, how sensitive the resource is, and the type of resource, among others.
In certain industries, access control is a regulatory compliance requirement used to enforce regulatory standards such as HIPAA in health industries or PCI DSS in organizations that handle financial data.
Access control relies heavily on authentication.
In fact, access control begins with authentication. First, the user is authenticated to verify their identity (i.e. are they who they say they are). This process typically involves checking credentials (like usernames/emails and passwords), passkeys, or authentication tokens. Then, the authenticated user is allowed to access resources if they have the right permissions. This is essentially what access control entails.
Types of access control
There are four main types of access control:
- Discretionary access control (DAC) allows resource owners to control access.
- Role-based access control (RBAC) assigns system access to users based on their role in an organization.
- Mandatory access control (MAC) uses a classification system to determine who can access what.
- Attribute-based access control (ABAC) uses user, resource, and environment attributes to control access.
Discretionary Access Control (DAC)
In Discretionary Access Control (DAC), each resource (such as a file, directory, or program) has a specified owner. The owner is usually the person who creates the resource, although ownership can be transferred or assigned to someone else.
The owner has full control over the resource and can decide who else can access it and what they can do with it (read, write, execute, etc.). They’re also free to revoke access or change permissions at any time.
DAC does not have a centrally managed access control schema – permissions are managed individually for each resource, by the respective owners.
An example of DAC that you’re probably familiar with is the share feature on Google Docs. If you create a document, you can not only share it with other users but you can also assign them roles (viewer, commenter, or editor).
For small organizations, with even smaller IT teams, DAC allows team leads to grant access to relevant team members and external collaborators (like freelance designers) without needing to call IT.
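To make the DAC model concrete, here is a small owner-controlled access list in Python. It is an added example, not code from the article or from WorkOS, and the names (`Resource`, `grant`, `revoke`, `transfer`, the `"*"` wildcard principal meaning "anyone") are assumptions made for illustration. It shows the two properties the section describes: only the owner can change permissions or hand over ownership, and because sharing is per resource, the owner can also over-share by accident, which the `public_resources` audit helper is there to catch.

```python
from dataclasses import dataclass, field

# Hypothetical DAC model (added example): each resource has one owner, and
# only that owner edits the resource's access list or transfers ownership.

PERMISSIONS = {"read", "write", "execute"}


class NotOwner(PermissionError):
    """Raised when a non-owner tries to change permissions or ownership."""


@dataclass
class Resource:
    name: str
    owner: str
    # Access list: principal -> set of permissions. "*" is a constructed
    # wildcard meaning "anyone", used below to show an accidental over-share.
    acl: dict = field(default_factory=dict)

    def _require_owner(self, actor: str) -> None:
        if actor != self.owner:
            raise NotOwner(f"{actor} does not own {self.name}")

    def grant(self, actor: str, principal: str, perms: set) -> None:
        self._require_owner(actor)
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(principal, set()).update(perms)

    def revoke(self, actor: str, principal: str) -> None:
        self._require_owner(actor)
        self.acl.pop(principal, None)

    def transfer(self, actor: str, new_owner: str) -> None:
        self._require_owner(actor)
        self.owner = new_owner

    def allows(self, principal: str, perm: str) -> bool:
        if principal == self.owner:
            return True  # the owner always has full control
        granted = self.acl.get(principal, set()) | self.acl.get("*", set())
        return perm in granted


def public_resources(resources):
    """Audit helper: names of resources shared with the 'anyone' principal."""
    return sorted(r.name for r in resources if "*" in r.acl)


def demo():
    # Constructed sample data.
    doc = Resource("q3-forecast.xlsx", owner="alice")
    doc.grant("alice", "bob", {"read", "write"})
    doc.grant("alice", "carol", {"read"})
    results = {
        "bob_writes": doc.allows("bob", "write"),
        "carol_writes": doc.allows("carol", "write"),
    }
    # A collaborator with write access still cannot share the document.
    try:
        doc.grant("bob", "mallory", {"read"})
        results["bob_can_share"] = True
    except NotOwner:
        results["bob_can_share"] = False
    doc.revoke("alice", "carol")
    results["carol_after_revoke"] = doc.allows("carol", "read")
    # Accidental over-share: the owner grants read to everyone.
    doc.grant("alice", "*", {"read"})
    results["mallory_reads"] = doc.allows("mallory", "read")
    results["public"] = public_resources([doc])
    return results


if __name__ == "__main__":
    print(demo())
```

The `public_resources` check is the kind of periodic review a small team can run even without central administration: it does not stop an owner from sharing with everyone, but it makes the over-share visible.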
Pros of DAC
- Flexibility: Resource owners can easily grant and revoke access permissions. It’s pretty straightforward to add or remove users or change their level of access as needed.
- Simplicity: DAC systems don’t need complex policies or central administration to implement – users directly manage access rights themselves. For small organizations, DAC lifts the burden of having to manage access to every resource from IT teams.
Cons of DAC
- High security risk: DAC systems are notoriously prone to data leaks. A user with sufficient access rights can make unauthorized changes or grant access to unauthorized users. Sometimes the leak isn’t even intentional, especially for non-technical users who may not know how access control works. They may end up accidentally sharing sensitive files with everyone instead of with a specific group, for instance.
- It doesn’t scale well: In DAC, access is managed individually and becomes impractical as the number of resources increases. For example, when a new employee joins a company and requires access to multiple documents owned by different people, coordinating this access in a DAC system can be a total time drain – each document owner must individually grant access.
- Propensity for permission creep: Over time, users might accumulate more permissions than they need for their current role, a phenomenon known as "permission creep." This usually happens because permissions are added as users require access to new resources but are not revoked when no longer needed. In a DAC environment, where users or resource owners manage permissions, tracking and auditing permissions to prevent permission creep can be extremely challenging at scale.
- Lack of centralized control: DAC systems lack a centralized directory of resources and access permissions. This makes it tough to enforce uniform security policies across the organization. It becomes nearly impossible to ensure everyone has the appropriate access level.
- Challenges in role changes and user offboarding: In a DAC system, updating access rights when users change roles or leave the organization can be labor-intensive and prone to oversight – access needs to be revoked and granted per resource. It’s not uncommon for employees to continue having access to company resources long after termination.
Generally, DAC is ideal for non-critical data like user-generated documents, i.e. data that wouldn’t be damaging even if leaked. For high-security environments, however, it's safer to have system admins handle access control.
Mandatory Access Control (MAC)
Mandatory access control (MAC) restricts access to resources based on security labels. It uses a hierarchical approach – each resource is labeled with a security classification (e.g. confidential, secret, top secret) depending on how sensitive it is.
Similarly, users and devices are given security clearances that match these classifications. They’re only allowed access to a resource if their clearance level is equal to or higher than the resource's classification.
Unlike DAC systems, access decisions are not left to the discretion of individual resource owners. Instead, they are centrally managed by an authority, usually an IT admin, based on predefined security policies – rules and guidelines set by an organization to classify data and control access. They determine how data is labeled (e.g. confidential, secret, top secret) and the corresponding clearance levels required for access.
For example, a policy might state only employees with 'top secret' clearance can access top secret documents.
Users can’t modify these policies. Because of this rigidity, MAC is commonly used in government and military environments.
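The following Python snippet is an added example of the MAC rule described above; it is not code from the article or from WorkOS. It models the classification hierarchy as an ordered enum, lets only a single security authority (assumed name `secadmin`) set labels and clearances, and grants read access only when the user's clearance is at or above the resource's label. It fails closed for unlabeled resources and uncleared users, and it shows that a user who can read a document still cannot relabel it. The article covers only the read check; real MAC models such as Bell-LaPadula also constrain writes, which this example leaves out.

```python
from enum import IntEnum

# Hypothetical MAC model (added example). Labels form a strict hierarchy;
# a single central authority sets both labels and clearances, and access is
# granted only when clearance >= classification.


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class NotAuthority(PermissionError):
    """Raised when anyone but the security authority edits labels."""


class MacPolicy:
    def __init__(self, authority):
        self.authority = authority
        self.classification = {}  # resource name -> Level
        self.clearance = {}       # user name -> Level

    def _require_authority(self, actor):
        if actor != self.authority:
            raise NotAuthority(f"{actor} may not change labels or clearances")

    def classify(self, actor, resource, level):
        self._require_authority(actor)
        self.classification[resource] = Level(level)

    def clear(self, actor, user, level):
        self._require_authority(actor)
        self.clearance[user] = Level(level)

    def can_read(self, user, resource):
        # Fail closed: unlabeled resources and uncleared users are denied.
        if resource not in self.classification or user not in self.clearance:
            return False
        return self.clearance[user] >= self.classification[resource]


def demo():
    # Constructed sample data.
    mac = MacPolicy(authority="secadmin")
    mac.classify("secadmin", "troop-movements.pdf", Level.TOP_SECRET)
    mac.classify("secadmin", "cafeteria-menu.txt", Level.UNCLASSIFIED)
    mac.clear("secadmin", "dana", Level.SECRET)
    mac.clear("secadmin", "eve", Level.TOP_SECRET)
    results = {
        "dana_top_secret": mac.can_read("dana", "troop-movements.pdf"),
        "dana_menu": mac.can_read("dana", "cafeteria-menu.txt"),
        "eve_top_secret": mac.can_read("eve", "troop-movements.pdf"),
        "unlabeled": mac.can_read("eve", "scratch.txt"),
    }
    # Even a user cleared to read the document cannot lower its label
    # to let a colleague in; only the authority can.
    try:
        mac.classify("eve", "troop-movements.pdf", Level.SECRET)
        results["eve_relabels"] = True
    except NotAuthority:
        results["eve_relabels"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The `NotAuthority` path is what distinguishes this from the DAC example: ownership of a resource confers no right to change who can see it.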
Pros of MAC
- Enhanced security: Once security policies are set, users cannot modify them or grant access to any other users, even for the resources they create. Access has to be set by a central authority.
- High level of data integrity and confidentiality: MAC systems enforce the Principle of Least Privilege (PLP). Users are on a need-to-know basis – they only access data absolutely necessary for their job, which significantly reduces unauthorized data exposure or modification.
Cons of MAC
- It’s rigid: MAC struggles with temporary access needs for higher-level data. While there are workarounds, like resource reclassification or temporarily changing user clearance level, they conflict with MAC's fundamental principle of sticking strictly to set security protocols.
- Administrative overhead: MAC requires intensive upfront planning to properly classify every resource and assign users clearance. It’s usually a never-ending task of regularly checking and updating classifications and categorizations.
For most organizations, MAC alone is too restrictive.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) uses roles to determine access. These roles (HR Manager, IT Manager, Intern, Sales Rep, etc.) are defined based on the organization’s structure and operational needs and represent a set of responsibilities and duties.
In RBAC, permissions are assigned to roles, not to users directly. Users inherit permissions based on their assigned roles.
This assignment is usually based on the user’s job. For instance, someone hired as an HR Manager would be assigned the "HR Manager" role in the RBAC system.
Many RBAC systems support role hierarchies, where more senior roles inherit the permissions of junior roles. For example, a “Senior Manager” role might automatically include all the permissions of the “Manager” role. Some systems even allow users to have more than one role.
RBAC is quite simple to implement – it’s easy to map access to an organization’s structure. However, it can be a pain to manage in organizations where roles change frequently or employees wear multiple hats.
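Here is an added Python example (not from the article or WorkOS) of the RBAC features described in this section: permissions attach to roles rather than users, roles can inherit from junior roles, a user can hold several roles, and a role change is a single assignment update rather than a per-resource edit. The role and permission names are constructed for illustration. The inheritance walk is breadth-first with a visited set so a mistaken cycle in the hierarchy cannot loop forever.

```python
from collections import deque

# Hypothetical RBAC model (added example): permissions attach to roles,
# roles may inherit from junior roles, users may hold several roles, and a
# user's effective permissions are the union across their roles.


class Rbac:
    def __init__(self):
        self.role_perms = {}  # role -> set of permissions
        self.parents = {}     # role -> set of junior roles it inherits from
        self.user_roles = {}  # user -> set of roles

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def assign(self, user, *roles):
        unknown = set(roles) - set(self.role_perms)
        if unknown:
            raise KeyError(f"undefined roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def role_permissions(self, role):
        """Permissions of a role plus everything inherited, transitively."""
        seen, queue, perms = set(), deque([role]), set()
        while queue:
            current = queue.popleft()
            if current in seen:
                continue  # guards against cycles in a misconfigured hierarchy
            seen.add(current)
            perms |= self.role_perms.get(current, set())
            queue.extend(self.parents.get(current, ()))
        return perms

    def effective_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions(role)
        return perms

    def allows(self, user, perm):
        return perm in self.effective_permissions(user)


def demo():
    # Constructed sample hierarchy: senior_manager > manager > employee,
    # with hr_manager as a sibling of senior_manager under manager.
    rbac = Rbac()
    rbac.add_role("employee", {"read:handbook"})
    rbac.add_role("manager", {"approve:expense"}, inherits={"employee"})
    rbac.add_role("senior_manager", {"approve:hire"}, inherits={"manager"})
    rbac.add_role("hr_manager", {"read:salaries"}, inherits={"manager"})
    rbac.assign("frank", "senior_manager")
    rbac.assign("grace", "hr_manager", "employee")  # a user with two roles
    results = {
        "frank_perms": sorted(rbac.effective_permissions("frank")),
        "grace_salaries": rbac.allows("grace", "read:salaries"),
        "grace_hire": rbac.allows("grace", "approve:hire"),
    }
    # Role change: one assignment update instead of editing every resource.
    rbac.unassign("frank", "senior_manager")
    rbac.assign("frank", "employee")
    results["frank_after_move"] = sorted(rbac.effective_permissions("frank"))
    return results


if __name__ == "__main__":
    print(demo())
```

Because every permission is reachable from a role, an audit of "who can approve hires" is a query over `role_permissions` and `user_roles` rather than a crawl across resources, which is the scalability advantage the next section describes.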
Pros of RBAC
- Efficient management of permissions: It’s easy to handle changes like employees joining, leaving, or moving within the organization. Instead of reconfiguring the permissions for each user, admins simply update the user’s role assignments.
- Scalability: As an organization grows or departments get restructured, new roles can be added, modified, or removed. It’s also easier to assign access en masse – admins can quickly grant or modify access for groups of users simultaneously.
- Consistent permissions: RBAC ensures all users with the same role have identical access rights, which reduces inconsistencies where some users have more access rights than their role requires.
Cons of RBAC
- Role proliferation: Over time, the number of roles can grow excessively, leading to role proliferation. The system can become cluttered, making it hard for admins to keep track of what permissions each role has.
- Limited scope: In organizations where job roles are not well-defined, or where employees frequently switch roles or take on multiple roles, RBAC may be too rigid – admins would need to change an employee’s role every time they take on a project outside their usual role.
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC), also known as policy-based control, makes access decisions based on a combination of attributes of the user (like department, job title), the resource (like confidentiality level, owner), and the current environment (like time of access, location).
For example, a policy might state that only employees from the 'Finance' department can access files marked as 'Financial' during business hours. The ABAC system evaluates all relevant attributes in real-time to determine whether the user can get access.
Users can have any number of attributes assigned to them, and unlike in RBAC, these attributes don’t have to be tied to their jobs. Because of this, ABAC offers finer-grained control than the other access control types we’ve discussed so far. It’s therefore extremely flexible, as policies can be tailored to the specific needs of each user.
Some practical uses of ABAC are:
- Government systems that must consider citizenship, security clearance, and other attributes to determine access.
- Healthcare systems where patient data access depends on attributes like a user’s job role, relationship to the patient, and reason for accessing the data.
- Education systems that grant access based on attributes such as student/teacher status, grade level, and course enrollment.
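The Finance example above, worked through in Python as an added example (not code from the article or WorkOS). The engine is a deny-by-default list of rules, each a predicate over subject, resource and environment attributes; the first matching rule grants access and its name is returned so the decision can be logged. Rule names, attribute keys and the sample users are constructed for illustration. A rule whose attributes are missing from the request is treated as not matching rather than raising, so an incomplete attribute record fails closed.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical ABAC engine (added example). A policy is an ordered list of
# rules; each rule is a predicate over (subject, resource, environment)
# attributes. Access is granted only if some rule matches (deny by default).


@dataclass(frozen=True)
class Request:
    subject: dict
    resource: dict
    env: dict


class Rule:
    def __init__(self, name, condition):
        self.name = name
        self.condition = condition  # callable(Request) -> bool

    def matches(self, req):
        try:
            return bool(self.condition(req))
        except (KeyError, TypeError):
            return False  # a missing attribute means the rule does not apply


class AbacPolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req):
        """Return (allowed, name of the first matching rule or None)."""
        for rule in self.rules:
            if rule.matches(req):
                return True, rule.name
        return False, None


def business_hours(env):
    t = env["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17


POLICY = AbacPolicy([
    # The policy from the text: Finance staff, 'Financial' files, office hours.
    Rule("finance-business-hours",
         lambda r: r.subject["department"] == "Finance"
         and "Financial" in r.resource["tags"]
         and business_hours(r.env)),
    # A second rule showing that attributes need not be job-related.
    Rule("owner-anytime",
         lambda r: r.subject["id"] == r.resource["owner"]),
])


def check(subject, resource, env):
    return POLICY.decide(Request(subject, resource, env))


def demo():
    # Constructed sample data.
    report = {"id": "rpt-7", "owner": "u-2", "tags": {"Financial", "Q3"}}
    heidi = {"id": "u-1", "department": "Finance"}
    ivan = {"id": "u-3", "department": "Engineering"}
    owner = {"id": "u-2", "department": "Sales"}
    weekday_noon = {"time": datetime(2024, 3, 12, 12, 0)}  # a Tuesday
    weekend_noon = {"time": datetime(2024, 3, 16, 12, 0)}  # a Saturday
    return {
        "finance_weekday": check(heidi, report, weekday_noon),
        "finance_weekend": check(heidi, report, weekend_noon),
        "engineering": check(ivan, report, weekday_noon),
        "owner_weekend": check(owner, report, weekend_noon),
        "no_department": check({"id": "u-9"}, report, weekday_noon),
    }


if __name__ == "__main__":
    print(demo())
```

Returning the matching rule's name is a small design choice with a large operational payoff: when policies grow to dozens of attributes, the audit log must say which rule admitted a request, or the complexity drawback discussed in the cons below becomes unmanageable.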
Pros of ABAC
- Fine-grained access control: ABAC provides highly granular control over access to resources. It allows for precise definitions of access rules based on multiple attributes of users, resources, and the environment. This granularity ensures that users have access to exactly what they need, no more and no less.
- Flexibility and adaptability: Policies can be updated without the need to reconfigure the entire access control system.
- Dynamic policy enforcement: ABAC can make access decisions in real time, taking into account the current context including factors like time of day, user location, or current network threat level.
Cons of ABAC
- Complex policy management: Perhaps one of the biggest challenges of ABAC is the complexity involved in defining and managing access control policies. As the number of attributes increases, policies become more complex and the system becomes difficult to manage and understand. This complexity can lead to errors in configuring and assigning policies and potentially cause security vulnerabilities.
- Implementation challenges: Setting up an ABAC system requires a deep understanding of what kind of access control the organization needs and a thorough mapping of attributes and policies.
How to choose the right access control for your needs
When picking an access control system, think about:
- Who needs access? Are there different levels of access for various user groups? If you have different groups in your organization needing different levels of access, DAC alone might not be sufficient. You’ll need RBAC or ABAC.
- How sensitive is the information or resource being accessed? If you handle highly sensitive data, MAC is great for strict access but it’s not as flexible as ABAC which gives you granular and real time access control.
- How big is your organization? Small companies can manage with DAC. However, larger organizations, like enterprises, usually need an access control method like RBAC or ABAC that can be centrally managed.
Often, one type of access control won’t meet all your security needs. Sometimes you need a hybrid solution that combines two or more types. For example, RBAC for general access control and ABAC for more fine-grained control over sensitive data.
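The hybrid described above, as an added Python example that is not part of the article or of WorkOS's products: a coarse RBAC layer decides what a role may do in general, and an ABAC layer adds attribute conditions that apply only to resources marked sensitive. Role names, attribute keys (`sensitive`, `region`, `mfa`, `network`) and the sample users are constructed. The authorizer returns a reason string alongside the decision so a log line can say which layer denied the request.

```python
# Hypothetical hybrid authorizer (added example): RBAC for general access,
# ABAC conditions layered on top for sensitive resources only.

ROLE_PERMS = {
    "analyst": {"read:report"},
    "finance_manager": {"read:report", "approve:report"},
}


def rbac_allows(role, action):
    """Coarse gate: does the role include this action at all?"""
    return action in ROLE_PERMS.get(role, set())


def abac_allows(subject, resource, env):
    """Extra conditions for sensitive resources; others pass straight through."""
    if not resource.get("sensitive"):
        return True
    same_region = subject.get("region") == resource.get("region")
    strong_auth = env.get("mfa") is True
    trusted_network = env.get("network") == "corporate"
    return same_region and strong_auth and trusted_network


def authorize(subject, action, resource, env):
    """Two-stage decision; the reason string is what you would log."""
    if not rbac_allows(subject.get("role"), action):
        return False, "rbac-denied"
    if not abac_allows(subject, resource, env):
        return False, "abac-denied"
    return True, "allowed"


def demo():
    # Constructed sample data.
    public = {"id": "r-1", "sensitive": False, "region": "EU"}
    payroll = {"id": "r-2", "sensitive": True, "region": "EU"}
    jan = {"id": "u-1", "role": "analyst", "region": "EU"}
    kim = {"id": "u-2", "role": "finance_manager", "region": "US"}
    office = {"network": "corporate", "mfa": True}
    home = {"network": "home", "mfa": False}
    return {
        "analyst_public_home": authorize(jan, "read:report", public, home),
        "analyst_payroll_home": authorize(jan, "read:report", payroll, home),
        "analyst_payroll_office": authorize(jan, "read:report", payroll, office),
        "analyst_approve": authorize(jan, "approve:report", payroll, office),
        "manager_wrong_region": authorize(kim, "approve:report", payroll, office),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the RBAC check first means most requests are settled by a cheap set lookup, and the attribute evaluation (which may need live environment data) runs only for the minority of resources that warrant it.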
How to implement access control
To implement access control, there are a few steps you need to take:
- Assess your needs: Start by understanding what you need to protect and why. Identify the sensitive areas or data within your organization. Determine who needs access to these resources and at what level.
- Install and configure an identity and access management system: If you don’t have one already, install and configure an identity and access management system (IAM). This is where the policies will be defined, resources classified and users assigned permissions. Choose an IAM system that supports the access control type you’re implementing, is easy to use, within your budget, and has great customer support in case you need help.
- Develop a policy: Create a comprehensive access control policy that outlines how access will be managed. This should include which users, groups, and roles will have access, which apps, systems, or files the policy will apply to, and under what conditions. Make sure all your policies align with any regulatory compliance requirements relevant to the organization.
- Monitor and review: Set plans in place to regularly monitor and review access to make sure the right people have the appropriate level of access and no one has access they no longer need.
What problems does access control not solve?
Access control doesn’t solve:
- Insider threats beyond access abuse: Access control mainly prevents unauthorized access, but won't stop an authorized user from misusing their access or stealing data. You'll need other controls like auditing and monitoring to address insider threats.
- Human error: Mistakes made by users or administrators, such as setting incorrect permissions, are not directly addressed by access control systems.
- Non-access-related security threats: Access control doesn't address external cybersecurity threats like hacking, viruses, malware, or phishing attacks that don’t involve a direct access control breach. It also doesn't prevent data loss or leakage due to other causes, such as accidental deletion, data corruption, or transmission over unsecured channels.
Next steps
Access control starts with authentication. One of the main ways organizations control access is by centralizing authentication through SSO. It provides a single point of control for access and makes it easier for admins to manage and monitor employees' access across different apps.
If you're targeting these organizations as potential customers, you must support SSO. You'll need to integrate your application with their Identity Providers (IdPs) and allow them to manage their employees’ access to your app through their existing SSO process.
The easiest and fastest way to implement SSO is through a platform like WorkOS, which lets you connect all the major IdPs your customers use via a single API-based integration.
- Get started fast: With SDKs in every popular language, and Slack-based support, you can implement SSO in minutes rather than weeks.
- Support every protocol: With OAuth 2.0 integrations of popular providers like Google and Microsoft, compatibility with every major IdP, and full support for custom SAML or OIDC connections, WorkOS can support any enterprise customer out of the box.
- Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard – whether they bring 10 or 10,000 SSO users to your app.
Once you have authentication in place, the next step is authorization.
WorkOS Fine-grained authorization (FGA) is a centralized, flexible, fast, and scalable authorization service. You can use FGA to implement a custom authorization model tailor-made for your application(s), with the ability to integrate elements of role-based access control (RBAC), relationship-based access control (ReBAC), and attribute-based access control (ABAC) as needed.
If you are ready for a highly scalable, centralized fine-grained authorization service built for enterprise applications, sign up today and start making authorization checks with WorkOS.