The 5 access control models: benefits + which to choose
A breakdown of the five main types of access control models: Discretionary, Mandatory, Role-Based, Attribute-Based, and Relationship-Based access control.
Access control models are essential tools that help organizations manage who can access specific resources. From Discretionary to Mandatory, Role-Based, Attribute-Based, and Relationship-Based Access Control, each model uses unique methods to determine access.
Some models provide flexibility and user-driven control, while others enforce strict access based on predefined rules.
In this article, we'll break down each access control model, explore the benefits and use cases, and look at factors to weigh when choosing one for your organization.
Overview of access control models
There are 5 main access control models:
- Discretionary Access Control (DAC): Grants users full control over resources they have created themselves. Users can specify which other users can access their resources. DAC is good for collaboration but not ideal for highly sensitive data.
- Mandatory Access Control (MAC): Users and resources are assigned security labels (e.g., top secret or confidential), and MAC strictly regulates access based on these labels. Access is centrally controlled, and users or data owners are not allowed to change access policies. MAC works well for government and military organizations with classified data.
- Role-Based Access Control (RBAC): Assigns access by grouping permissions into roles and then assigning those roles to users. It’s particularly useful in large organizations and IT environments.
- Attribute-Based Access Control (ABAC): Uses attributes like user department, geographic location, or access request purpose to control access. Policies define which attributes grant access. ABAC provides very granular access control and works well for highly sensitive data.
- Relationship-Based Access Control (ReBAC): Considers relationships between users, resources, and the environment. Access policies define relationship rules, so access can change as relationships evolve. ReBAC works best in social networks and other highly connected data environments.
Discretionary Access Control (DAC)
Discretionary access control (DAC) grants users full control over resources they own or create. The owner can give access to other users or revoke access as needed. Users can also pass on access to other users at their discretion.
The main benefits of DAC are:
- Flexibility and ease of use: The main benefit of DAC is flexibility. Owners have full control and can make access decisions based on their own needs without requiring central administration. This makes DAC particularly useful in environments where users collaborate and share data frequently.
- Simplicity: DAC models are generally simple to understand and implement. Users familiar with their own needs can control who accesses their data directly, reducing the need for complex policies or administration overhead.
DAC is commonly used in:
- Small businesses: DAC is commonly used in small organizations or for personal resources like files, emails, and calendars. It gives owners autonomy while still providing a basic level of access control.
- Collaborative environments: In environments where collaboration on projects and documents is common, DAC allows users to easily set up and modify access as the team members or project needs change.
While DAC offers convenience, it lacks consistency and oversight. Access decisions are distributed and not based on business roles or policies. This means that sensitive data could be shared openly, creating security risks.
DAC may suit small teams, but most enterprises need robust access control to manage access properly at scale.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a more stringent type of access control model than DAC.
In MAC models, access to objects is limited based on the classification of the subject and the object. For instance, a document classified as 'Confidential' can only be accessed by users who are cleared for that 'Confidential' document.
Unlike DAC, where resource owners have discretion over who accesses their resources, in MAC, users and data owners cannot change the access policies, which are administered centrally.
The main benefits of MAC are:
- Enhanced security: MAC provides a higher level of security by strictly enforcing access policies that cannot be altered by regular users. It also supports the principle of least privilege by only allowing absolutely necessary access. This reduces the risk of data leakage or unauthorized access that can occur due to user error or discretionary permissions.
- Consistency in access control: Since policies are centrally managed and uniformly enforced across the organization, MAC ensures a consistent security posture, which is crucial in high-security environments like government and military operations.
MAC is commonly used in:
- Government and military facilities: These facilities process highly classified data and often require stringent access controls that MAC provides.
- High-security commercial applications: Particularly relevant in sectors like healthcare and financial services, MAC supports strict access controls needed to meet regulatory standards.
- Secure data centers: Ideal for managing sensitive or critical data.
While MAC provides strong security, it can be complex to implement and manage. It requires classifying all subjects and objects in the system, which can be difficult in large networks. MAC is also not very flexible, as access control decisions are predefined.
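To make the label check concrete, here is an added example (not code from the article) of a small MAC policy store. It assumes a Bell-LaPadula-style "no read up" rule with an ordered list of levels plus optional compartments, which goes slightly beyond the plain classification the article describes; note that only the central policy assigns labels, never the resource owner.

```python
from dataclasses import dataclass

# Ordered classification levels (constructed for this example); a higher index dominates a lower one.
LEVELS = ["Public", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # e.g. {"FINANCE"}; an assumption, not from the article

    def dominates(self, other: "Label") -> bool:
        """This label dominates `other` if its level is at least as high and it holds every compartment."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


class MacPolicy:
    """Central label store. Only the policy administrator assigns labels; resource owners cannot."""

    def __init__(self) -> None:
        self._clearances: dict[str, Label] = {}
        self._classifications: dict[str, Label] = {}

    def assign_clearance(self, user: str, label: Label) -> None:
        self._clearances[user] = label

    def classify(self, resource: str, label: Label) -> None:
        self._classifications[resource] = label

    def can_read(self, user: str, resource: str) -> bool:
        """'No read up': the subject's clearance must dominate the object's classification.
        Unknown subjects or objects are denied by default."""
        clearance = self._clearances.get(user)
        classification = self._classifications.get(resource)
        if clearance is None or classification is None:
            return False
        return clearance.dominates(classification)


def demo() -> dict[str, bool]:
    """Constructed sample labels showing level and compartment checks."""
    policy = MacPolicy()
    policy.classify("doc:budget", Label("Confidential", frozenset({"FINANCE"})))
    policy.classify("doc:memo", Label("Confidential"))
    policy.assign_clearance("alice", Label("Secret", frozenset({"FINANCE"})))
    policy.assign_clearance("bob", Label("Confidential"))  # cleared, but not for FINANCE
    policy.assign_clearance("carol", Label("Public"))
    return {
        "alice_budget": policy.can_read("alice", "doc:budget"),  # True: Secret >= Confidential, has FINANCE
        "bob_budget": policy.can_read("bob", "doc:budget"),      # False: lacks the FINANCE compartment
        "bob_memo": policy.can_read("bob", "doc:memo"),          # True
        "carol_memo": policy.can_read("carol", "doc:memo"),      # False: Public < Confidential
    }
```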
Role-Based Access Control (RBAC)
Role-Based Access Control or RBAC is an access control method that grants users access based on their organizational role. It’s based on the idea that users have a role in an organization (for example, manager, engineer, administrator, etc.) and each role has a defined set of permissions attached to it.
Users are assigned to roles based on their responsibilities, and through those roles, they gain access to resources.
The main benefits of RBAC are:
- Improved security: Users receive just enough permissions to do their job. This limits the possibility of permission abuse, either accidentally or intentionally.
- Easier administration: Admins can group permissions into roles instead of assigning and managing individual permissions. This simplifies managing access, especially for large numbers of users.
- Flexibility: Roles can be easily modified as job functions change. New roles can also be created as needed or as the organization grows.
RBAC is commonly used in:
- Corporate environments: In businesses with distinct functional areas such as HR, sales, and IT, RBAC helps manage user permissions according to their specific job functions within the company.
- Web applications: Where users have different permission levels based on their account type (e.g., admin, moderator, user), RBAC allows easy management of those permissions.
When implementing RBAC, carefully define roles and their associated permissions. Poorly designed roles can lead to either excessive privilege (over-permission) or insufficient access (under-permission).
Attribute-Based Access Control (ABAC)
Attribute-based access control (ABAC) is an access control model that evaluates access requests against policies that combine attributes. Attributes are characteristics that can be assigned to users, resources, or the environment.
Unlike Role-Based Access Control (RBAC), which grants permissions based on predefined roles, ABAC uses a more dynamic approach where permissions are determined by evaluating rules against the presented attributes.
The main benefits of ABAC are:
- Flexibility: ABAC policies can easily adapt to changes since access decisions are based on attributes. New attributes can be added without restructuring the entire access control policy.
- Fine-grained access control: ABAC provides highly granular control over access permissions, allowing for more detailed and context-specific policies than RBAC. This granularity enables organizations to enforce complex security requirements with greater precision.
- Context-aware security: ABAC evaluates many attributes to make access decisions, including attributes related to the context, such as the time and location. This allows ABAC policies to be very context-aware and dynamic.
ABAC is commonly used in environments where flexibility, scalability, and context-awareness are important, such as:
- Cloud applications: In multi-tenant cloud environments, ABAC can dynamically control which users can access which resources based on attributes such as subscription level, tenant identity, or resource sensitivity.
- Healthcare: ABAC can enforce complex compliance requirements by controlling access based on attributes like the user's role, the data's sensitivity, and the patient’s consent.
- Smart spaces: Access to resources in smart spaces like smart offices depends on many contextual attributes (like time, user credentials, etc.). ABAC can make context-aware access decisions in these environments.
Note that ABAC systems can become complex due to the multitude of attributes and rules that need to be managed. Developing and maintaining these policies requires careful planning.
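The following is an added example (not from the article) of a deny-by-default ABAC policy decision function over subject, resource and environment attributes, using a constructed healthcare-style policy of the kind the section describes. The rule set, attribute names and sample requests are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable


@dataclass
class Request:
    """The three attribute sets an ABAC policy decision point evaluates."""
    subject: dict
    resource: dict
    environment: dict


Rule = Callable[[Request], bool]

# Constructed policy: an action is permitted if ANY of its rules holds; otherwise it is denied.
POLICY: dict[str, list[Rule]] = {
    "read_record": [
        # Treating clinician in the same department, with patient consent on file
        lambda r: (r.subject["role"] == "clinician"
                   and r.subject["department"] == r.resource["department"]
                   and r.resource["consent_given"]),
        # Auditors may read any record, but only from the corporate network during office hours
        lambda r: (r.subject["role"] == "auditor"
                   and r.environment["network"] == "corporate"
                   and 9 <= r.environment["time"].hour < 17),
    ],
    "export_record": [
        # Exports need a records officer on the corporate network, and never for restricted data
        lambda r: (r.subject["role"] == "records_officer"
                   and r.environment["network"] == "corporate"
                   and r.resource["sensitivity"] != "restricted"),
    ],
}


def is_permitted(action: str, request: Request) -> bool:
    """Deny by default: an unknown action or a request matching no rule is refused."""
    return any(rule(request) for rule in POLICY.get(action, []))


def demo() -> dict[str, bool]:
    """Constructed requests showing how the environment attributes change the decision."""
    record = {"department": "cardiology", "consent_given": True, "sensitivity": "restricted"}
    office = {"network": "corporate", "time": datetime(2024, 5, 6, 10, 30)}
    home_night = {"network": "public", "time": datetime(2024, 5, 6, 22, 0)}
    clinician = {"role": "clinician", "department": "cardiology"}
    auditor = {"role": "auditor", "department": "compliance"}
    officer = {"role": "records_officer", "department": "records"}
    return {
        "clinician_home": is_permitted("read_record", Request(clinician, record, home_night)),  # True
        "auditor_office": is_permitted("read_record", Request(auditor, record, office)),        # True
        "auditor_night": is_permitted("read_record", Request(auditor, record, home_night)),     # False
        "officer_export": is_permitted("export_record", Request(officer, record, office)),      # False
    }
```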
Relationship-Based Access Control (ReBAC)
Relationship-Based Access Control (ReBAC) evaluates access based on the relationships between the user requesting access and the resource they want to access. This approach extends the idea of ABAC by focusing not just on the attributes of the entities involved, but also on the nature and context of their relationships.
The main benefits of ReBAC are:
- Contextual awareness: ReBAC allows systems to make access decisions based on the depth and context of relationships between entities. This can include factors like the duration of a relationship, the nature of interactions, or mutual connections.
- Dynamic permission management: In environments where relationships can change frequently, ReBAC offers a flexible way to dynamically adjust permissions without the need for constant policy updates.
ReBAC works well for:
- Collaborative projects: Team members would have access to relevant project resources based on their roles in the team, such as members, project leaders, or department heads.
- Social networks: ReBAC can manage who can see, share, or comment on content based on the relationship between users, such as friends, family, colleagues, or public versus private connections.
- Education: Access to academic records or research data can be controlled based on relationships like student-advisor, teacher-student, or among academic peers.
Compared to other access control models, ReBAC is more flexible and suitable for dynamic environments where relationships change frequently. However, it can be complex to implement and manage as organizations scale.
For most organizations, ReBAC works best when combined with an RBAC model. RBAC ensures the right level of access based on job functions, while ReBAC facilitates collaboration and sharing among related users. Together, they provide robust access governance.
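As an added example of the RBAC plus ReBAC combination described above (not code from the article, and not WorkOS FGA's API), the block below stores relationships as (object, relation, subject) tuples, resolves them through usersets, implied relations and a parent folder, and only grants an action when both the user's role permits it and a relationship path exists. The tuple format, rewrite rules and sample users are assumptions constructed for this illustration.

```python
from __future__ import annotations

# Relationship tuples as (object, relation, subject); a subject may be a user or an
# "object#relation" userset (e.g. every member of a team). Constructed sample data.
TUPLES = [
    ("folder:eng", "editor", "user:alice"),
    ("folder:eng", "viewer", "team:backend#member"),
    ("team:backend", "member", "user:bob"),
    ("doc:design", "parent", "folder:eng"),
]
IMPLIED_BY = {"viewer": ["editor"]}            # an editor is implicitly a viewer
INHERITED_FROM_PARENT = {"viewer", "editor"}   # these relations flow down from a parent folder

# RBAC side: job-function roles carry permissions, independent of any one resource.
ROLE_PERMISSIONS = {"employee": {"view"}, "engineer": {"view", "edit"}}
USER_ROLES = {"user:alice": {"engineer"}, "user:bob": {"employee"}, "user:eve": {"engineer"}}
ACTION_RELATION = {"view": "viewer", "edit": "editor"}


def has_relation(obj: str, relation: str, user: str, seen: set | None = None) -> bool:
    """ReBAC check: is `user` related to `obj` by `relation`, directly, through a userset,
    through an implied relation, or through the object's parent? `seen` breaks cycles."""
    seen = set() if seen is None else seen
    if (obj, relation) in seen:
        return False
    seen.add((obj, relation))
    for o, r, s in TUPLES:
        if o != obj:
            continue
        if r == relation:
            if s == user:
                return True
            if "#" in s:  # userset: recurse into the referenced object's relation
                set_obj, set_rel = s.split("#", 1)
                if has_relation(set_obj, set_rel, user, seen):
                    return True
        elif r == "parent" and relation in INHERITED_FROM_PARENT:
            if has_relation(s, relation, user, seen):
                return True
    return any(has_relation(obj, r2, user, seen) for r2 in IMPLIED_BY.get(relation, []))


def authorize(user: str, action: str, obj: str) -> bool:
    """Both gates must pass: the user's role permits the action (RBAC) AND a relationship
    path connects the user to the resource (ReBAC)."""
    role_permits = any(action in ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set()))
    return role_permits and has_relation(obj, ACTION_RELATION[action], user)
```

Here alice edits the document through her folder editor relationship, bob views it through team membership, and eve is refused despite holding the engineer role because no relationship connects her to the document.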
Comparing access control models
Here is a comparison of the 5 types of access control models.
Factors to consider when choosing an access control model
When determining the right access control model for your organization, there are several factors to keep in mind:
- Granularity of access: Do you need broad access control across the organization or granular controls over specific resources? If fine-grained control is important, ABAC or ReBAC may suit your needs better than the broader RBAC or DAC models. These models provide more flexibility in assigning access based on attributes and relationships.
- Static vs. dynamic access: How frequently do you anticipate access needs changing? If access is relatively static, a model like RBAC might be sufficient. However, if access needs are dynamic and change often based on attributes or relationships, a model like ABAC or ReBAC is probably a better fit. They are designed to handle frequent access changes.
- Risk and compliance: Consider your organization's risk tolerance and compliance requirements. More restrictive models like MAC are well suited for high-risk, highly regulated environments. In lower-risk settings with fewer compliance demands, a more flexible model like RBAC might be enough.
- Maintenance and scalability: Consider how the access control model will scale with the growth of the organization and what kind of maintenance will be required. A system that is easy to maintain reduces the administrative burden and lowers the risk of errors or security lapses. You also want to pick a model that can handle an increasing number of users, roles, and permissions without performance taking a hit.
- Cost of implementation: The cost of implementing and maintaining each access control model can vary significantly. More complex systems like ABAC and ReBAC may require more substantial initial investments compared to simpler systems like DAC.
How to choose the right access control model
To choose a model:
- Evaluate how sensitive your data and resources are. More sensitive data needs stricter controls like MAC or ABAC.
- Determine how access needs to be restricted. Consider which attributes (ABAC), labels (MAC), or roles (RBAC) map to your access requirements.
- Think about how users and resources relate. If relationships are a key part of your access policy, ReBAC may suit. If not, DAC, RBAC, or ABAC are good options.
- Consider your organization’s culture and policies. Some models, like RBAC and ABAC, give more administrative control, while DAC provides more user control. Choose a model that fits your governance approach.
- Determine how much flexibility and granularity you need. DAC and RBAC provide more broad-level control, while ABAC and ReBAC allow very granular, flexible policies.
- Think about implementation and management overhead. Simpler models like RBAC are often easier to set up and maintain than more complex models like ABAC or ReBAC.
The right choice depends on balancing security, usability, and your specific use case. Think about how people access resources and what level of access different groups need. An ideal model enforces the necessary security controls without too much complexity.
Next steps
Access control starts with authentication. One of the main ways organizations control access is by centralizing authentication through SSO. It provides a single point of control for access and makes it easier for admins to manage and monitor employees' access across different apps.
If you're targeting these organizations as potential customers, you must support SSO. You'll need to integrate your application with their Identity Providers (IdPs) and allow them to manage their employees' access to your app through their existing SSO process.
The easiest and fastest way to implement SSO is through a platform like WorkOS, which lets you connect all the major IdPs your customers use via a single API-based integration.
- Get started fast: With SDKs in every popular language, and Slack-based support, you can implement SSO in minutes rather than weeks.
- Support every protocol: With OAuth 2.0 integrations of popular providers like Google and Microsoft, compatibility with every major IdP, and full support for custom SAML or OIDC connections, WorkOS can support any enterprise customer out of the box.
- Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they bring 10 or 10,000 SSO users to your app.
Once you have authentication in place, the next step is authorization.
WorkOS Fine-grained authorization (FGA) is a centralized, flexible, fast, and scalable authorization service. You can use FGA to implement a custom authorization model tailor-made for your application(s), with the ability to integrate elements of role-based access control (RBAC), relationship-based access control (ReBAC), and attribute-based access control (ABAC) as needed.
If you are ready for a highly scalable, centralized fine-grained authorization service built for enterprise applications, sign up today and start making authorization checks with WorkOS.