
Access control models (MAC, DAC, ABAC) in Cybersecurity - Step-by-Step Execution

Concept Flow - Access control models (MAC, DAC, ABAC)
User Requests Access → Check Access Control Model → MAC → Access Granted or Denied Based on Model Rules
When a user requests access, the system checks which model applies (MAC, DAC, or ABAC) and then decides access based on rules, ownership, or attributes.
Execution Sample
User requests file access
System checks MAC labels
System checks DAC ownership
System checks ABAC attributes
System grants or denies access
This sequence shows how a system processes an access request using MAC, DAC, and ABAC models.
Analysis Table
| Step | Access Control Model | Check Performed | Condition | Access Decision |
|---|---|---|---|---|
| 1 | MAC | Check user and object security labels | User label >= Object label | Access Granted |
| 2 | MAC | Check user and object security labels | User label < Object label | Access Denied |
| 3 | DAC | Check if user is owner or has permission | User is owner or permission granted | Access Granted |
| 4 | DAC | Check if user is owner or has permission | User is not owner and no permission | Access Denied |
| 5 | ABAC | Evaluate user, resource, environment attributes | Attributes satisfy policy rules | Access Granted |
| 6 | ABAC | Evaluate user, resource, environment attributes | Attributes do not satisfy policy rules | Access Denied |
💡 Access decision made based on model-specific checks and conditions.
State Tracker
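| Variable | Start | After Step 1 | After Step 3 | After Step 5 | Final |
|---|---|---|---|---|---|
| User Label | Low | Low | Low | Low | Low |
| Object Label | Medium | Medium | Medium | Medium | Medium |
| User Ownership | No | No | Yes | Yes | Yes |
| User Attributes | Role=User | Role=User | Role=User | Role=Admin | Role=Admin |
| Access Decision | None | Denied | Granted | Granted | Granted |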
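
The three checks from the Analysis Table, written out as an added Python example (not code from the original page) and driven with the State Tracker's values. The names `Subject`, `Resource`, `decide` and `POLICY`, the `High` level, the user names and the `hour` environment attribute are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Ordered MAC levels. "Low" and "Medium" come from the page; "High" is assumed.
LEVELS = {"Low": 0, "Medium": 1, "High": 2}

@dataclass
class Subject:
    name: str
    label: str                                   # MAC clearance
    attrs: dict = field(default_factory=dict)    # ABAC attributes

@dataclass
class Resource:
    owner: str                                   # DAC owner
    label: str                                   # MAC classification
    acl: set = field(default_factory=set)        # DAC grants made by the owner
    attrs: dict = field(default_factory=dict)    # ABAC attributes

def mac_check(s, r):
    """Steps 1-2: grant only if user label >= object label; unknown labels deny."""
    if s.label not in LEVELS or r.label not in LEVELS:
        return False
    return LEVELS[s.label] >= LEVELS[r.label]

def dac_check(s, r):
    """Steps 3-4: grant if the user owns the object or the owner granted permission."""
    return s.name == r.owner or s.name in r.acl

def abac_check(s, r, env, policy):
    """Steps 5-6: grant only if every policy rule holds; a missing attribute denies."""
    try:
        return all(rule(s.attrs, r.attrs, env) for rule in policy)
    except KeyError:
        return False

def decide(s, r, env, policy):
    """Per-model decisions for one request, in the order of the Analysis Table."""
    return {"MAC": mac_check(s, r), "DAC": dac_check(s, r),
            "ABAC": abac_check(s, r, env, policy)}

# Constructed policy: admins only, during working hours (hour is an assumed attribute).
POLICY = [lambda u, res, env: u["Role"] == "Admin",
          lambda u, res, env: 9 <= env["hour"] < 17]

if __name__ == "__main__":
    doc = Resource(owner="bob", label="Medium")          # constructed sample objects
    alice = Subject("alice", "Low", {"Role": "User"})
    print("start:       ", decide(alice, doc, {"hour": 10}, POLICY))
    doc.owner = "alice"                  # State Tracker: User Ownership becomes Yes
    alice.attrs["Role"] = "Admin"        # State Tracker: Role becomes Admin
    print("after step 5:", decide(alice, doc, {"hour": 10}, POLICY))
```

Each check fails closed: an unrecognised label or a missing attribute produces a denial rather than an exception or a grant.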
Key Insights - 3 Insights
Why does MAC deny access when user label is lower than object label?
Because MAC enforces strict rules based on security labels: if the user's clearance is lower than the object's classification, access is denied, as shown in step 2 of the Analysis Table.
How does DAC differ in deciding access compared to MAC?
DAC bases access on ownership and permissions set by the owner, not on fixed labels. As seen in steps 3 and 4, if the user owns the resource or has permission, access is granted.
What makes ABAC more flexible than MAC and DAC?
ABAC uses multiple attributes (user role, time, location) to decide access dynamically, allowing complex policies as shown in steps 5 and 6.
Visual Quiz - 3 Questions
Test your understanding
Looking at the Analysis Table, at which step does MAC deny access?
A. Step 1
B. Step 2
C. Step 3
D. Step 5
💡 Hint
Check the 'Access Decision' column for MAC model steps.
According to the State Tracker, what is the User Ownership after Step 3?
A. Yes
B. Unknown
C. No
D. Low
💡 Hint
Look at the 'User Ownership' row under 'After Step 3' column.
If the user attributes change to Role=Guest, how would ABAC's access decision change in the Analysis Table?
A. No change in access decision
B. Access Granted at Step 5
C. Access Denied at Step 6
D. Access Granted at Step 3
💡 Hint
Refer to ABAC steps 5 and 6 where attributes affect access.
Concept Snapshot
Access Control Models:
- MAC: System-enforced, based on security labels.
- DAC: Owner-controlled, based on permissions.
- ABAC: Attribute-based, flexible policies using user/resource/environment attributes.
Access is granted or denied by checking these rules when a user requests access.
Full Transcript
Access control models determine how systems decide if a user can access a resource. Mandatory Access Control (MAC) uses fixed security labels and strict rules, denying access if the user's clearance is lower than the object's classification. Discretionary Access Control (DAC) lets resource owners decide who can access their resources, granting access if the user is the owner or has permission. Attribute-Based Access Control (ABAC) uses multiple attributes like user role, resource type, and environment conditions to make flexible access decisions. When a user requests access, the system checks the relevant model's rules and grants or denies access accordingly.