Types of Access Control: All Models Explained

Access control is the security process of limiting access to restricted areas or information. It can describe physical safety measures such as key cards and door controls, but also covers logical access to information systems. In this article, we will compare different approaches to managing information access and IT privileges, which range from hands-on to automated.

The 4 Most Common Access Control Systems

Mandatory Access Control (MAC)

Under the mandatory access control model (MAC), only the system administrator determines which users can access which resources. Users themselves have no way to change permission levels and cannot bypass these restrictions.

The fact that admins need to grant permissions individually to each user makes mandatory access control impractical for most organization. The time and effort required for these manual adjustments creates a bottleneck for user provisioning and approval processes.

However, mandatory access control is still a popular choice for organizations with high security needs, such as government and military facilities. This is because the model allows them to exercise strict control over who can access information.

Pros and Cons of Mandatory Access Control (MAC):

  • Very security-focused

  • Central oversight

  • Slow & labor-intensive

  • Inflexible

Discretionary Access Control (DAC)

Unlike mandatory access control, which relies on a single individual to determine access levels, discretionary access control (DAC) allows some users to grant permissions for resources they control. This could be a team of admins managing different parts of the IT infrastructure, or even non-IT users with the power to approve access for specific objects.

The main advantage of discretionary access control is its flexibility. DAC allows resource owners to add new users and privileges as needed, without having to wait for central authority to process their request. However, this flexibility can also lead to unintended access or overprivileged users if IT privileges are not closely monitored.

Pros and Cons of Discretionary Access Control (DAC):

  • Simple & flexible

  • Allows for delegation of tasks

  • Approvals are processed quickly

  • Can lead to excess privileges

  • Requires monitoring & supervision

Role-Based Access Control (RBAC)

Unlike mandatory and discretionary access control, role-based access control (RBAC) is an automated approach to managing IT privileges. Users are grouped into roles based on factors such as department and position. The organization then creates permission roles based on the access needs of these different groups. When a new user is added, they automatically receive the intended level of access for their role.

Role-based access control takes advantage of the fact that users with the same business role typically need access to the same resources: The sales department needs access to client data, customer support needs access to open support tickets, etc. RBAC uses these similarities to simplify and automate user provisioning, reducing the need for manual adjustments.

However, even users within the same role might sometimes have different access needs. For example, a member of the design department might be brought in to help with infographics for a marketing brochure. A rigid role-based model can have a hard time dealing with these kinds of exceptions and special cases.

Pros and Cons of Role-Based Access Control:

  • Automated & scalable

  • Less work for admins & IT staff

  • Ensures timely deprovisioning

  • Access roles must be defined before use

  • Can be inflexible in practice

Access control systems are not mutually exclusive, but can be combined for greater effect. For example, tenfold uses role-based access control to automate user lifecycles, but still allows resource owners to approve access requests made through a self-service portal.

Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) represents a dynamic approach to managing access. Instead of a predetermined set of permissions, each user is assigned various attributes corresponding to their role in the organization. These attributes are then used to assess whether attempts to access different resources should be allowed or blocked.

ABAC allows organizations to manage access to a highly granular degree. It enables dynamic and risk-based evaluations that play an important role in enabling zero trust security alongside policies for least privilege access.

However, ABAC requires an incredible amount of information to function properly, drawing not only on user attributes, but the context of specific data and specific actions. In essence, every resource on the network must be appropriately labeled to provide enough context for ABAC policies.

Pros and Cons of Attribute-Based Access Control (ABAC)

  • Dynamic & granular access system

  • Enables risk-based assessments

  • Difficult to implement

  • Requires complex, fine-grained policies

  • All users & resources must be labeled

AI and Machine Learning: The Future of Access Control?

Aside from these established access control models, many security solutions have started to advertise new AI features as part of their platform. However, it’s important to differentiate between real use cases – such as machine learning tools that can help you choose which permissions to add to a role – and the runaway hype surrounding the topic of generative AI.

In many cases, the promise of AI-driven access control or identity and access management appears to be nothing more than an empty marketing claim, with little to no practical or technical information to support them. Despite the potential benefits of the technology, it is important to remain skeptical in the current climate of AI hype.

Advances in the AI field can have valuable applications in managing information access. The long-standing use of machine learning algorithms for threat and behavioral analytics is a clear example of how effective these technologies can be. But no degree of automation can eliminate the need for human supervision. Machines can help us enforce the correct level of access, but it is up to us to determine what that level of access should be.

tenfold: The No-Code Approach to Automated Access Control

Which access control model works best for you depends on your security needs and organizational structure. While high-security environments use mandatory access control to protect top-secret information and huge corporations can benefit from complex approaches like attribute-based access control, most organizations fall somewhere in the middle.

In a typical IT environment, you need a way to quickly provide new users with the baseline access they need for their job and a simple process to expand their privileges when necessary. All while keeping track of their access rights and removing any permissions that are no longer needed.

tenfold allows you to do just that, combining role-based, automated provisioning with a self-service platform that lets resource owners approve access requests from end users directly. At the same time, our IAM platform ensures that all privileges are assigned correctly, subjected to regular access reviews and removed when no longer needed.

But here’s the best part: As a no-code IAM solution, tenfold is fully operational in a fraction of the time it would take you to set up a competing product. Thanks to out-of-the-box support for key IT systems and an easy-to-use interface, tenfold helps you achieve secure, automated access control in record time. Sign up for a free trial to see for yourself!


Best Practices for Access Management In Microsoft® Environments

Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.