Comparing Access Control: RBAC, MAC, DAC, RuBAC, ABAC

Image showing a person using a transparent touch-panel that contains several options including access control. The panel is made up of a honeycombe containing icons including an open red padlock the person is touching. The words 'access control' are overlaid on the image.
If only waving your fingers around did something.

Access control is a fundamental security technique all administrators must know. Briefly, it enables your company to regulate data access and use in an IT environment. Implementing businesswide secure access control (SAC) involves a lot of planning, though. That’s necessary above all because, when done correctly, access control is one of the best ways to protect your business. In addition, this includes data and the systems from data breaches or exploitation. 

Access control leverages security measures like authentication and authorization to verify users. In short, it ensures appropriate access based on permissions is provided to users. It also minimizes security risks by enabling data, information, and resource security. For your business needs, you can choose from any of the following methods:

  • Mandatory Access Control (MAC)
  • Role-based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Rule-based Access Control (RuBAC)
  • Attribute-based Access Control (ABAC)

In this article, I’ll go through the main 5 methods, their benefits, comparison, and how to use them. First, though, let’s have a closer look at what these controls are. 

Types of Access Control

Access control is one of the easiest and most effective ways to meet your security needs. Yet, not all techniques work the same way. In this section, I’ll go through the 5 main types of access control you’ll run into.

1. Mandatory Access Control (MAC)

Above all others, MAC is the most strictly enforced control method. All the access control settings and configurations are only accessible by the administrator. You can’t change anything without their permission. 

In other words, the designated system administrator defines MAC governance. This includes the specific roles and permissions needed by each user. The OS or organization’s security kernel layer is where MAC operates from. In effect, this means assigned accesses are unalterable by end-users. To that end, users can only access data their security labels entitle them to.

For instance, if you have 100 users in your business, you’ll have to configure 100 different roles and permissions in the system to use MAC. Above all others, it’s one of the most robust access control techniques due to its simplicity. Similarly, it’s also the most inflexible method as every change needs to occur at a granular level. 

MAC systems are often used in SMEs or specific silos within a larger business that requires high-security levels. If you’re looking for a compromise in functionality and usability then RBAC may be for you. 

2. Role-Based Access Control (RBAC) 

Role-based access control (RBAC) is becoming one of the most widely adopted control methods. For some, RBAC allows you to group individuals together and assign permissions for specific roles. If you decide to use RBAC, you can also add roles into groups or directly to users.

RBAC makes assessing and managing permissions and roles easy. In addition, it also provides you with better operational efficiency than MAC. Above all, it makes it easier for businesses to meet regulatory compliance. For most, RBAC is well known to reduce the operational overheads for managing a business. It utilizes the principle of least privileges and reduces administration costs. In effect, once you set it up, you can scale any groups without altering any permissions. 

If you’re looking for access control that allows you to restrict or allow access on object-level irrespective of roles, DAC could be the right fit.

 Image showcasing a person gaining access through biometric scanning.
Access control via Biometrics.

3. Discretionary Access Control (DAC)

Discretionary access control (DAC) is another type of security access control technique. It allows you to grant or restrict object access, where object in this context means data entity

Policies define an object owner, and many owners can exist within the business. Unlike RBAC, for instance, which uses group-level permissions, DAC uses object-level permissions. DACs are discretionary because the object owners can transfer, change, or extend each object. In essence, this gives you the power to quickly scale a business. 

DAC provides granular access control that suits businesses having dynamic security needs. Firstly, DAC allows you to change or transfer ownership of an object from one user to another. Secondly, the object access in DAC uses an access control list (ACL) authorization. This is built on user identification and/or group membership. To this end, DAC offers several advantages: 

  • minimal administrative obligations. 
  • great customization. 
  • simple role management. 
  • reduced costs. 

That said, DAC is also prone to inherent vulnerabilities such as trojan horse and involves overhead of ACL maintenance.  

Image of multiple types of manual, electronic and biometric door locks.
Access controls differ in their ability to protect your system.

4. Rule-Based Access Control (RuBAC)

RuBAC allows you to manage access to resources or data such as files, devices, or even databases. It’s based on a predefined set of rules or access permissions. This is regardless of the role of individuals accessing the files. 

In RuBAC, a system administrator creates and controls the rules that determine the usage and access of business resources. For instance, an admin can set a timeframe for the data to be accessed. This prevents anyone from accessing organizational data outside office hours. In this type of access control, rules supersede the access and permissions. 

RuBAC rules exist throughout the business and use a control mechanism. This checks each user’s details against the company’s rules. Often RuBAC is useful for controlling access to confidential resources. The rule-based approach also provides flexibility when making changes across your entire business. This means it enables you to change something without impacting users or groups. Yet, this approach needs another level of maintenance and constant monitoring

To define more specific controls, your business can use attribute-based access control systems.

5. Attribute-Based Access Control (ABAC) 

Attribute-based access control (ABAC) is another type of access control. ABAC’s authorization model evaluates attributes instead of roles or users. It provides you with a more fine-grain approach over access controls. 

ABAC allows you to use user attributes such as username, role, and security clearance. Additionally, you can use environmental attributes such as time of access and location of data. Resource attributes such as resource owner, creation date give ABAC more utility. 

ABAC has several more controlling variables than any of the other control methods. This makes it useful in larger businesses with complex hierarchical structures. One of the major advantages of using ABAC is not needing to change existing rules to accommodate new users. That said, recovering the system from a bad ABAC implementation can be difficult and time-consuming.

Attribute/ Access Control TypeDACMACRBACABACRule-Based
Ease of Usage orConvenienceHighVariesHighHighHigh
PerformanceLowVaries with Security LevelsHighHighHigh
Single Point FailureAuthorization failureLessLessAuthorization failure
Authentication FailurelessvariesBased on rolelessless
Select the best access control for your business.

Adding Access Control to Your Cyber Security Measures

To better protect data and improve security, adding effective access control policies is crucial. Regardless of what type of control you’re going to use, it all starts with well-defined policies. They must address every employee, role, application, and database within the business. 

Companies should also consider using centralized authorization systems such as active directory. This gives you better control over access and permissions across platforms. Adhering to the principle of least privilege reduces your risk of cyberattacks. This is because everyone in the business will have only the access they need. 

To ensure clear accountability and security audit compliance each user must have their own account. This avoids using shared accounts as much as possible and associated security risks.

Final Thoughts

Access control is the most commonly used security measures you can use to prevent unauthorized access to company data. You can use any of the 5 types of access control in your business. In general, if you operate a large business that focuses on data reliability and security use ABAC, RBAC, or MAC. Alternatively, if you operate a small business, you should use DAC or MAC for easier implementation. Finally, if your business deals with confidential data use multi-level security. In short, stack RuBAC on top of RBAC to get the multi-level security your business needs.  

Get The Latest TechGenix News Here


What’s an Access Control List (ACL)?

In computer security, an access-control list (ACL) is a list of rules and permissions for managing authorization. This means ACL specifies which users are allowed to access specific system resources or platforms. In addition, ACL helps administrators monitor user access in many businesses. 

What’s a trojan horse and are any access controls susceptible to them?

A trojan is a type of malware that downloads onto a computer disguised as a genuine piece of software. In general, Discretionary access control (DAC) is less effective than other methods. This is due to the hosting method used which makes it vulnerable to attack.

What’s a kernel and how do you protect your system at this level?

A kernel is the heart or core of any operating system. Since the OS controls the system it runs on, the kernel has complete control over everything. Mandatory Access Control (MAC) is one of the most secure and strict controls. This is because it assigns permissions at the Kernel level. 

What’s a security profile?

A security profile is a common way of grouping the permissions and accesses to a particular role within an organization. Using a security profile comes in very handy for both Mandatory Access Control (MAC) as well as Role-based Access Control (RBAC). MAC and RBAC allow IT admins to divide users based on their security profiles.

What’s multilevel security?

Multilevel security is an IT security policy that enables businesses to use a hierarchical system of security. In essence, systems using this have strict security policies that are difficult to break. This allows businesses to add more than one access control method for reliability and security. 

Additional Resources

TechGenix’s Website 

Read the latest news about technology from TechGenix’s Tech News here.

TechGenix’s Security Section

Access more information about IT Security here.

TechGenix’s Newsletter

Sign up for the TechGenix newsletter and the latest tech and cybersecurity news right here

TechGenix: Vulnerabilities Article

Read our vulnerabilities article for more information on the latest cybersecurity risks here

TechGenix’s Access Control Types and their implementation Article

Access more information about DAC, RBAC, and MAC along with their implementational details here

TechGenix: Data Security Article

Discover more about how access control is now a core component of modern-day data security, click here

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top