CompTIA Security+ Access Control Models (EXAMCRAM CompTIA Security+ SY0-501 Fifth Edition by Diane Barrett/Marty M. Weiss)
Mandatory access control (MAC) - The most basic form of access control involves assigning labels to resources and accounts (e.g., SENSITIVE, SECRET, and PUBLIC). Also referred to as multilevel access control.
Discretionary access control (DAC) - A slightly more complex system of access control involves restricting access to each resource in a discretionary manner. DAC scenarios allow individual resources to be made available, or secured from access, one at a time. Access rights are configured at the discretion of the accounts that have authority over each resource, including the capability to extend administrative rights through the same mechanism. In DAC, a security principal (account) has complete control over the objects it creates or otherwise owns, unless this is restricted through group or role membership. The owner assigns security levels to objects and subjects and can make his or her own data available to others as desired. A common DAC scenario is online social network users choosing who can access their data.
Attribute-based access control (ABAC) - A logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations. ABAC is based on the Extensible Access Control Markup Language (XACML). The reference architecture is similar to the core components of AAA. The ABAC authorization process is determined by evaluating rules and policies against attributes associated with an entity, such as the subject, object, operation, or environment condition. Attributes are characteristics that define specific aspects of the entity. When an access request is made, the access decision is based on the evaluation of attributes and access control rules by the attribute-based access control mechanism. ABAC is well suited to large and federated enterprises, but it is more complicated and costly to implement and maintain than simpler access control models.
Rule-based access control (RBAC) - Rule-based access control dynamically assigns roles to users based on criteria that the data custodian or system administrator defines. Rule-based access control includes controls such as the time of day, the day of the week, specific terminal access, and the GPS coordinates of the requester, along with other factors that might overlay a legitimate account's access request. Implementing rule-based access control might require that rules be programmed in code rather than configured through the traditional check-box style of access control.
Role-based access control (RBAC) - Access rights are first assigned to roles. Then accounts are associated with these roles, without the direct assignment of resource access rights. This solution provides the greatest level of scalability within large enterprise scenarios, where explicitly granting rights to each individual account could rapidly overwhelm administrative staff and increase the potential for accidentally granting unauthorized permissions.
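The five models above differ in who makes the decision and what the decision is based on. The following Python is an added illustration, not code from the ExamCram book, that reduces each model to a small decision function so the differences can be compared side by side: MAC compares system-assigned labels, DAC consults an owner-controlled ACL, role-based RBAC resolves permissions through roles, rule-based access control overlays a time-of-day rule on an otherwise valid request, and ABAC evaluates rules over subject, object, action and environment attributes. All labels, principals, roles, hours and rules are constructed sample data.

```python
"""Added example (not from the ExamCram text): one decision function per access
control model.  Every subject, object, label, role and rule here is constructed
sample data chosen to illustrate the model, not a real policy."""
from dataclasses import dataclass, field
from datetime import time

# --- MAC: labels are assigned by the system to both subjects and objects; the
#     owner of a file cannot override them.  Constructed label hierarchy.
LEVELS = {"PUBLIC": 0, "SENSITIVE": 1, "SECRET": 2}


def mac_allows(subject_clearance: str, object_label: str) -> bool:
    """Read access only when the subject's clearance dominates the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- DAC: each object carries an ACL that its owner may edit at will, including
#     delegating the right to share it further (the "extend administrative
#     rights through the same mechanism" point in the definition).
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of permissions

    def grant(self, granter: str, principal: str, perm: str) -> None:
        """Only the owner, or someone the owner granted 'share', may change the ACL."""
        if granter != self.owner and "share" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not change the ACL")
        self.acl.setdefault(principal, set()).add(perm)

    def allows(self, principal: str, perm: str) -> bool:
        return principal == self.owner or perm in self.acl.get(principal, set())


# --- Role-based RBAC: rights go to roles, accounts get roles, never rights directly.
ROLE_PERMS = {"auditor": {"read"}, "editor": {"read", "write"}}   # constructed
USER_ROLES = {"alice": {"editor"}, "bob": {"auditor"}}            # constructed


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, set()))


# --- Rule-based access control: an administrator-defined rule (business hours
#     only) overlays a request that the role assignment alone would permit.
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # constructed


def rule_allows(user: str, perm: str, now: time) -> bool:
    in_hours = BUSINESS_HOURS[0] <= now < BUSINESS_HOURS[1]
    return in_hours and rbac_allows(user, perm)


# --- ABAC: policy rules are evaluated against attributes of the subject, object,
#     operation and environment; no identity or role is hard-coded in the rules.
ABAC_RULES = [
    # same department may read
    lambda s, o, a, e: s["department"] == o["department"] and a == "read",
    # same department may write, but only from the corporate network
    lambda s, o, a, e: s["department"] == o["department"]
    and a == "write" and e["network"] == "corporate",
]


def abac_allows(subject: dict, obj: dict, action: str, env: dict) -> bool:
    return any(rule(subject, obj, action, env) for rule in ABAC_RULES)


if __name__ == "__main__":
    print("MAC  SECRET reads SENSITIVE :", mac_allows("SECRET", "SENSITIVE"))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob reads alice's doc  :", doc.allows("bob", "read"))
    print("RBAC alice writes           :", rbac_allows("alice", "write"))
    print("Rule alice writes at 22:00  :", rule_allows("alice", "write", time(22, 0)))
    eng = {"department": "engineering"}
    print("ABAC write from VPN         :",
          abac_allows(eng, eng, "write", {"network": "vpn"}))
```

Note the shape of each function's inputs: the MAC decision needs nothing but two labels, the DAC decision is whatever the owner put in the ACL, the RBAC decision depends on a role mapping that an administrator maintains centrally, and the ABAC decision needs the full attribute context of the request, which is exactly why it scales to federated environments yet costs more to build and keep correct.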