5.6.3. Access Control Models
💡 First Principle: Access control models define the rules for who can access what. Different models provide different balances between security, flexibility, and administrative overhead. The model you choose determines how granular and how rigid your access control can be.
Mandatory Access Control (MAC) — access decisions are made by the system based on security labels (classification levels). Users cannot change permissions. Used in military and government environments. Most restrictive but least flexible.
Discretionary Access Control (DAC) — the resource owner decides who gets access. Standard file system permissions (owner sets read/write/execute). Flexible but vulnerable to user error — owners may grant overly broad permissions.
Role-Based Access Control (RBAC) — permissions are assigned to roles, and users are assigned to roles. An "Accountant" role has access to financial systems; a "Developer" role has access to code repositories. Simplifies administration in large organizations because you manage role assignments rather than individual permissions.
Rule-Based Access Control — access decisions based on predefined rules (time of day, location, device type). Often combined with other models: "RBAC permissions apply, but only from the corporate network during business hours."
Attribute-Based Access Control (ABAC) — the most granular model. Access decisions evaluate multiple attributes of the subject (user role, department, clearance), object (data classification, sensitivity), and environment (time, location, device posture). Policies: "Allow access to financial reports IF user.role=CFO AND data.classification≤Confidential AND time=business_hours AND device.compliance=true."
Time-based access — restricting access to specific time windows. Administrative access might only be available during maintenance windows.
Least privilege — granting only the minimum permissions needed to perform a job function. Applies to all models.
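To make the "who makes the access decision" distinction concrete, here is an added example (not code from the original study guide) that implements three of the models above side by side: an RBAC check where permissions hang off roles, a rule-based overlay that applies the page's "corporate network during business hours" condition on top of RBAC, and an ABAC evaluator that encodes the page's CFO / financial-reports policy as attribute checks with default deny. The role names, user names, classification ordering, and the 09:00 to 17:00 business-hours window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Tuple

# --- RBAC: permissions are attached to roles; users are assigned roles ---
# Constructed sample data: role and user names are assumptions for this example.
ROLE_PERMISSIONS = {
    "Accountant": {"financial_reports:read"},
    "CFO": {"financial_reports:read", "financial_reports:approve"},
    "Developer": {"code_repo:read", "code_repo:write"},
}
USER_ROLES = {
    "alice": {"CFO"},
    "bob": {"Developer"},
}


def rbac_allows(user: str, permission: str) -> bool:
    """RBAC: a user holds a permission only if one of their roles carries it.
    Administrators manage USER_ROLES, never per-user permissions."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Attributes used by the rule-based and ABAC checks ---
# Assumed ordering of classification labels, lowest to highest sensitivity.
CLASSIFICATION_ORDER = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}


@dataclass
class Subject:
    user: str
    role: str
    department: str


@dataclass
class Resource:
    name: str
    classification: str


@dataclass
class Environment:
    current_time: time
    device_compliant: bool
    network: str  # "corporate" or "external" (assumed values)


def within_business_hours(t: time) -> bool:
    """Assumed business-hours window of 09:00 to 17:00."""
    return time(9, 0) <= t < time(17, 0)


def rule_based_allows(user: str, permission: str, env: Environment) -> Tuple[bool, str]:
    """Rule-based overlay on RBAC: the role grant applies, but only from the
    corporate network during business hours. Returns (decision, reason) so a
    deny can be logged with its cause."""
    if not rbac_allows(user, permission):
        return False, "no role grants permission"
    if env.network != "corporate":
        return False, "not on corporate network"
    if not within_business_hours(env.current_time):
        return False, "outside business hours"
    return True, "role grant plus rules satisfied"


def abac_allows(subject: Subject, resource: Resource, env: Environment) -> Tuple[bool, str]:
    """ABAC evaluation of the page's policy:
    allow financial reports IF user.role=CFO AND data.classification<=Confidential
    AND time=business_hours AND device.compliance=true.
    Every condition is checked per decision; anything not explicitly allowed is denied."""
    if subject.role != "CFO":
        return False, "role is not CFO"
    if CLASSIFICATION_ORDER[resource.classification] > CLASSIFICATION_ORDER["Confidential"]:
        return False, "classification above Confidential"
    if not within_business_hours(env.current_time):
        return False, "outside business hours"
    if not env.device_compliant:
        return False, "device not compliant"
    return True, "all attribute conditions satisfied"


if __name__ == "__main__":
    alice = Subject("alice", "CFO", "Finance")
    report = Resource("q3_financials", "Confidential")
    office_hours = Environment(time(10, 30), True, "corporate")
    late_night = Environment(time(22, 0), True, "corporate")
    print("RBAC  alice read:", rbac_allows("alice", "financial_reports:read"))
    print("RBAC  bob   read:", rbac_allows("bob", "financial_reports:read"))
    print("Rule  alice 10:30 corporate:", rule_based_allows("alice", "financial_reports:read", office_hours))
    print("ABAC  alice 10:30 compliant:", abac_allows(alice, report, office_hours))
    print("ABAC  alice 22:00 compliant:", abac_allows(alice, report, late_night))
```

The contrast worth noticing is that RBAC alone answers "yes" for alice at any hour, while the rule-based and ABAC checks take the same role grant and still deny once an environment attribute (time, network, device posture) fails; the returned reason string is what you would write to the audit log so a denied request can be explained.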
⚠️ Exam Trap: RBAC assigns permissions to roles, not to users directly. ABAC evaluates multiple attributes per access decision. MAC uses labels and is enforced by the system. DAC is enforced by the resource owner. The key distinction: who makes the access decision?
