Access Control Types
Authentication and authorisation can be built on three logical access control types, known as mandatory, discretionary and role-based access control. Software can use one or more of these types to secure itself and its assets, depending on the context (Joint Task Force, 2020).
- Mandatory (MAC): Access is restricted by the software product, system or service to a handful of privileged administrators only. Access to objects is granted on a per-person, as-needed basis, and this type is considered the most secure, but least convenient, of the three. Examples include zero trust.
- Discretionary (DAC): Access is granted by the owner or creator of an object. It is considered the least secure, but most convenient. Examples include documents that can be shared by the owner, who decides whether the people it has been shared with can view, edit or even delete the document.
- Role-Based (RBAC): Access is determined and granted by a user's role in an organisation. It is considered a good compromise between mandatory and discretionary access: it allows some convenience in assigning access while keeping things secure. As users change roles, their access changes automatically with them, which helps manage privilege creep over time.
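As an added illustration, not code from the original page or from the cited NIST publication, the following Python policy decision point places the three models side by side. The clearance levels, role-to-permission table, user names and document are all constructed for the example; for MAC it uses the classic Bell-LaPadula "no read up, no write down" rule as one concrete instance of a centrally fixed policy, which the page does not prescribe. The RBAC part also shows the privilege-creep point: a role change that only adds the new role leaves the old permissions behind, while a change that revokes the old role drops them automatically.

```python
"""Toy policy decision point contrasting MAC, DAC and RBAC (constructed example)."""
from dataclasses import dataclass, field

# ---- Mandatory access control ---------------------------------------------
# Constructed label lattice: the numeric order is what the policy compares.
# Neither subjects nor object owners may change these; only the authority can.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula style rule: read requires clearance >= label (no read up),
    write requires clearance <= label (no write down). Other actions are denied."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# ---- Discretionary access control ------------------------------------------
@dataclass
class DacDocument:
    """An object whose owner decides who may view, edit or delete it."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permitted actions

    def share(self, granter: str, user: str, actions: set) -> None:
        """Only the owner can grant; any other granter is refused."""
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of this document")
        self.acl.setdefault(user, set()).update(actions)

    def allowed(self, user: str, action: str) -> bool:
        if user == self.owner:
            return True  # the owner retains full discretion over the object
        return action in self.acl.get(user, set())


# ---- Role-based access control ---------------------------------------------
# Constructed role table: permissions hang off roles, never off individuals.
ROLE_PERMS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


class Rbac:
    def __init__(self) -> None:
        self.user_roles: dict = {}  # user -> set of roles

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def change_role(self, user: str, old: str, new: str) -> None:
        """The correct way to move someone: revoke the old role, then assign the new.
        Skipping the revoke is how privilege creep accumulates."""
        self.revoke(user, old)
        self.assign(user, new)

    def allowed(self, user: str, action: str) -> bool:
        return any(action in ROLE_PERMS[r] for r in self.user_roles.get(user, set()))


def privilege_creep_demo() -> dict:
    """Compare a role change that revokes the old role with one that does not.
    Returns whether 'write' survives the move from editor to viewer in each case."""
    sloppy, tidy = Rbac(), Rbac()
    for r in (sloppy, tidy):
        r.assign("carol", "editor")
    sloppy.assign("carol", "viewer")             # old role never revoked
    tidy.change_role("carol", "editor", "viewer")  # old role revoked
    return {
        "write_after_sloppy_move": sloppy.allowed("carol", "write"),
        "write_after_tidy_move": tidy.allowed("carol", "write"),
        "read_after_tidy_move": tidy.allowed("carol", "read"),
    }


if __name__ == "__main__":
    print("MAC internal->secret read:", mac_allowed("internal", "secret", "read"))
    doc = DacDocument(owner="alice")
    doc.share("alice", "bob", {"read"})
    print("DAC bob write:", doc.allowed("bob", "write"))
    print("RBAC creep demo:", privilege_creep_demo())
```

A tester reviewing a product against the approach described on this page would look for exactly these properties: under MAC, that no subject or owner code path can relabel an object; under DAC, that the grant path checks ownership rather than trusting the caller; under RBAC, that the role-change path revokes as well as assigns.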
Approach
When considering the different control types, testers evaluate whether the types implemented are suitable for the context in which they are used. For example, consideration is given to whether they are potentially too restrictive, too inconvenient or the wrong type altogether. It is not just security that must be considered, but also usability, operability and organisational business goals.
Citations
- Joint Task Force (2020) Security and Privacy Controls for Information Systems and Organizations. NIST Computer Security Resource Center. Available at: Link (pp. 25–28)