
Access control models (MAC, DAC, ABAC) in Cybersecurity - Full Explanation

Introduction
Imagine you have a valuable collection of items at home. You want to decide who can enter your house and what they can do with your things. Access control models help computers decide who can see or use information, solving the problem of keeping data safe and private.
Explanation
Mandatory Access Control (MAC)
In MAC, the system strictly controls access based on rules set by a central authority. Users cannot change permissions themselves. Access decisions depend on labels assigned to both users and data, like security clearances.
MAC enforces strict, system-wide rules that users cannot override.
Discretionary Access Control (DAC)
DAC lets the owner of the data decide who can access it. Users can grant or revoke permissions to others. This model is flexible but can be less secure because users control access.
DAC gives control to data owners to decide access permissions.
Attribute-Based Access Control (ABAC)
ABAC uses attributes like user role, time of day, or device type to decide access. It evaluates many factors dynamically, allowing fine-grained and flexible control based on context.
ABAC makes access decisions using multiple attributes for flexible control.
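The three models applied to the same read request, as an added example that is not part of the original page. The label ordering, the "clearance at least as high as the data's label" rule, the user and document names, and the ABAC policy (analyst role, managed device, 09:00-17:00) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed label ordering for the MAC check (assumption, not from the page).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class User:
    name: str
    clearance: str   # MAC label, assigned by the central authority
    role: str        # ABAC attribute
    device: str      # ABAC attribute

@dataclass
class Document:
    owner: str
    label: str                             # MAC label on the data
    acl: set = field(default_factory=set)  # DAC grants made by the owner

def mac_allows(user, doc):
    # System-wide rule users cannot change: clearance must be at least the data's label.
    return LEVELS[user.clearance] >= LEVELS[doc.label]

def dac_grant(doc, granter, grantee):
    # Only the owner may hand out access.
    if granter.name != doc.owner:
        raise PermissionError(f"{granter.name} does not own this document")
    doc.acl.add(grantee.name)

def dac_allows(user, doc):
    return user.name == doc.owner or user.name in doc.acl

def abac_allows(user, hour):
    # Constructed policy: analysts, on managed devices, during 09:00-17:00.
    return user.role == "analyst" and user.device == "managed" and 9 <= hour < 17

def decide(user, doc, hour):
    return {"MAC": mac_allows(user, doc), "DAC": dac_allows(user, doc),
            "ABAC": abac_allows(user, hour)}

if __name__ == "__main__":
    alice = User("alice", "secret", "analyst", "managed")
    bob = User("bob", "confidential", "analyst", "personal")
    report = Document(owner="alice", label="secret")
    dac_grant(report, alice, bob)          # the owner shares at her discretion
    print(decide(bob, report, hour=10))    # DAC allows; MAC and ABAC deny
    print(decide(alice, report, hour=22))  # MAC and DAC allow; ABAC denies after hours
```

The owner's grant changes only the DAC answer: bob's clearance and device are outside alice's control, so the MAC and ABAC decisions for him stay the same.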
Real World Analogy

Think of a building with different ways to control entry. One uses strict security badges that cannot be changed (MAC). Another lets room owners give keys to friends (DAC). A third checks many things like who you are, when you arrive, and what device you use before letting you in (ABAC).

Mandatory Access Control (MAC) → Security badges assigned by building management that cannot be changed by employees
Discretionary Access Control (DAC) → Room owners handing out keys to their friends as they wish
Attribute-Based Access Control (ABAC) → Building security checking identity, time, and device before granting access
Diagram
┌─────────────────────────────┐
│       Access Control        │
├─────────────┬───────────────┤
│    MAC      │      DAC      │
│  (System)   │   (Owner)     │
│  Strict     │  Flexible     │
├─────────────┴───────────────┤
│            ABAC             │
│  (Attribute-based, dynamic) │
└─────────────────────────────┘
Diagram showing three access control models: MAC with system control, DAC with owner control, and ABAC using attributes.
Key Facts
Mandatory Access Control (MAC): Access is controlled by system-enforced policies that users cannot change.
Discretionary Access Control (DAC): Data owners decide who can access their resources.
Attribute-Based Access Control (ABAC): Access decisions are based on evaluating multiple user and environment attributes.
Access Control: The process of deciding who can use or see resources in a system.
Common Confusions
Believing DAC is always less secure than MAC.
While DAC is more flexible, security depends on how permissions are managed; MAC is stricter but not always better for every situation.
Thinking ABAC is just a more complex DAC.
ABAC uses multiple attributes dynamically, not just owner decisions, allowing more context-aware control.
Summary
Access control models help decide who can access data and what they can do with it.
MAC uses strict system rules, DAC lets owners control access, and ABAC uses many attributes for flexible decisions.
Choosing the right model depends on the security needs and flexibility required.