Managing who gets access to what is central to application security. Access control models provide structured ways to make these decisions, helping organizations strengthen security while keeping administration manageable.
This article aims to clarify the four main access control models—DAC, MAC, RBAC, and ABAC—explaining how they work, their strengths and weaknesses, and when each is appropriate in real systems.
Why Access Control Models Matter
A robust access control strategy helps ensure that even if attackers get in, they can't reach sensitive data.
Imagine managing access in a growing company. You have employees, contractors, partners, and maybe customers — all needing different permissions. Hard-coding who can access each file, API endpoint, or database table doesn't scale.
Access control models provide a systematic framework for answering:
"Who should be able to do what, and under which conditions?"
A good model balances:
- Security (preventing misuse and leaks)
- Usability (people can still get work done)
- Administrative overhead (not drowning in permission changes)
Think of it like house rules:
- Some houses allow owners to decide who comes in (DAC)
- Some follow strict rules set from above — no exceptions (MAC)
- Some hand out keys based on roles (RBAC)
- Some check multiple conditions before opening the door (ABAC)
Let's look at each model in plain terms.
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) allows the owner of a resource to determine who can access it. Every object, such as a file, folder, or database record, has an Access Control List (ACL) that specifies which users or groups are permitted access and their level of access — read, write, or execute.
The key idea: the owner decides.
On a personal computer, you create a file and specify who can read or edit it. The file's permissions determine whether other users can view, modify, or execute it.
A similar concept exists in Google Docs. When you create a document, you choose who can view, comment on, or edit it. You can change or revoke these permissions at any time.
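The owner-managed ACL described above, as an added example (not code from the original article). The `Resource` class, user names, and file name are hypothetical.

```python
from dataclasses import dataclass, field

PERMS = {"read", "write", "execute"}

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # ("user"|"group", name) -> set of perms

    def _require_owner(self, actor):
        # The discretionary part: only the owner may change the ACL.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")

    def grant(self, actor, kind, principal, perms):
        self._require_owner(actor)
        if not set(perms) <= PERMS:
            raise ValueError(f"unknown permissions: {set(perms) - PERMS}")
        self.acl.setdefault((kind, principal), set()).update(perms)

    def revoke(self, actor, kind, principal):
        self._require_owner(actor)
        self.acl.pop((kind, principal), None)

    def allowed(self, user, groups, perm):
        if user == self.owner:
            return True
        # Effective rights are the union of the user's and their groups' entries.
        effective = set(self.acl.get(("user", user), ()))
        for group in groups:
            effective |= self.acl.get(("group", group), set())
        return perm in effective

def demo():
    # Constructed scenario: alice owns a file and shares it at her discretion.
    doc = Resource("budget.xlsx", owner="alice")
    doc.grant("alice", "user", "bob", {"read", "write"})
    doc.grant("alice", "group", "finance", {"read"})
    out = {"bob_write": doc.allowed("bob", [], "write"),
           "carol_read_via_group": doc.allowed("carol", ["finance"], "read"),
           "carol_write": doc.allowed("carol", ["finance"], "write")}
    try:
        doc.grant("bob", "user", "dave", {"read"})  # bob is not the owner
        out["bob_can_share"] = True
    except PermissionError:
        out["bob_can_share"] = False
    doc.revoke("alice", "user", "bob")
    out["bob_write_after_revoke"] = doc.allowed("bob", [], "write")
    return out
```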
Pros
- Very flexible and easy to understand
- Fast collaboration — no central admin required
- Works well for personal or small-team settings
Cons
- Difficult to manage at scale
- Inconsistent permissions across teams
- Easy to overshare or forget to revoke access
- Weak central visibility and auditing
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) differs from DAC in that access decisions are made by a central authority rather than by individual users. Both users and data are labeled, and the system rigorously enforces overarching rules.
Users cannot override these rules, even if they own the data.
A classic example of Mandatory Access Control comes from military and government systems. Documents are assigned classification levels such as Unclassified, Confidential, Secret, and Top Secret, while users are granted corresponding security clearances.
If a user has Secret clearance, the system will not allow them to access Top Secret documents — even if the document owner wants to share it. Access decisions are enforced automatically based on predefined policies.
One well-known MAC rule is "no read up, no write down," which prevents users from reading data above their clearance level or writing sensitive data to lower levels.
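The "no read up, no write down" rule as a label comparison, as an added example (not code from the original article). The function name `mac_decide` and the sample requests are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Classification levels named in the text, ordered low to high.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def mac_decide(clearance, label, action, owner_consents=False):
    """Return (allowed, reason). owner_consents is deliberately ignored:
    under MAC the owner's wishes cannot override the central policy."""
    if action == "read":
        if clearance >= label:
            return True, "read at or below clearance"
        return False, "no read up"
    if action == "write":
        # The rule as stated only forbids writing down; writing up passes.
        if clearance <= label:
            return True, "write at or above clearance"
        return False, "no write down"
    return False, "unknown action"  # fail closed

# Constructed sample requests for a user holding Secret clearance:
# (clearance, document label, action, owner_consents)
SAMPLE_REQUESTS = [
    (Level.SECRET, Level.TOP_SECRET, "read", True),   # owner wants to share
    (Level.SECRET, Level.CONFIDENTIAL, "read", False),
    (Level.SECRET, Level.CONFIDENTIAL, "write", False),
    (Level.SECRET, Level.SECRET, "write", False),
]

def run_samples():
    return [mac_decide(*request) for request in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, run_samples()):
        verdict = "ALLOW" if ok else "DENY"
        print(f"{req[0].name} {req[2]} {req[1].name}: {verdict} ({why})")
```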
Pros
- Powerful security guarantees
- Consistent, enforceable global policy
- Prevents insider leaks by design
- Easier to demonstrate compliance
Cons
- Very rigid and inflexible
- Slows collaboration
- High administrative overhead
- Frustrating in fast-paced environments
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) grants permissions to roles rather than to individual users. Users receive permissions through their role assignments.
In a typical company system, access is granted based on job roles rather than individual users. Typical roles include Employee, Manager, and HR Admin, each with predefined permissions.
For example, Managers may be allowed to approve expenses, while HR Admins can access salary information. Regular Employees might only be able to view their own data.
When someone is promoted — for instance, when Jane becomes a Manager — her role assignment is updated. As a result, she automatically receives all permissions associated with the Manager role, without requiring changes to individual access rules.
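Jane's promotion, as an added example (not code from the original article). The permission names, the `RBAC` class, and the choice to let a user hold several roles at once are assumptions made for illustration.

```python
# Roles from the text mapped to hypothetical permission names.
ROLE_PERMISSIONS = {
    "Employee": {"view_own_data"},
    "Manager": {"approve_expenses"},
    "HR Admin": {"view_salary_info"},
}

class RBAC:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}

    def set_roles(self, user, roles):
        unknown = set(roles) - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles: {unknown}")
        self.user_roles[user] = set(roles)

    def permissions(self, user):
        # A user's permissions come only from the roles they hold.
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user, permission, record_owner=None):
        if permission not in self.permissions(user):
            return False
        if permission == "view_own_data":
            return record_owner == user  # scoped to the user's own record
        return True

def promote_jane():
    rbac = RBAC(ROLE_PERMISSIONS)
    rbac.set_roles("jane", {"Employee"})
    before = rbac.is_allowed("jane", "approve_expenses")
    # Promotion changes only the role assignment, not any permission rule.
    rbac.set_roles("jane", {"Employee", "Manager"})
    return {
        "approve_before": before,
        "approve_after": rbac.is_allowed("jane", "approve_expenses"),
        "salary_info": rbac.is_allowed("jane", "view_salary_info"),
        "own_record": rbac.is_allowed("jane", "view_own_data", record_owner="jane"),
        "other_record": rbac.is_allowed("jane", "view_own_data", record_owner="bob"),
    }
```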
Pros
- Easy to understand and manage
- Scales well with organization size
- Simplifies onboarding and offboarding
- Aligns well with least privilege principles
- Widely supported and well understood
Cons
- Can lead to "role explosion" in large orgs
- Limited support for context (time, location, device)
- Roles that are too coarse or too granular reduce effectiveness
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) determines access through attributes and policies. Rather than relying on fixed roles, it evaluates characteristics of:
- the user (department, clearance, location)
- the resource (classification, owner, tags)
- the context (time, device, network)
Consider a policy that controls access based on multiple conditions rather than a single role. For example, a system might allow HR department Managers to access HR-Confidential documents during business hours, only when connected to the corporate network.
When an access request is made, the system evaluates several attributes at runtime: the user's department and role, the document's classification, and the current context, such as time and network location. Access is granted only if all conditions defined in the policy are satisfied.
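The HR policy above evaluated at request time, as an added example (not code from the original article). The attribute names, the 09:00 to 17:00 definition of business hours, and the sample requests are assumptions; the evaluator also returns which conditions failed, so a denial can be explained.

```python
from datetime import time

# Assumption: "business hours" means 09:00 to 17:00 local time.
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)

def _in_business_hours(ctx):
    now = ctx.get("time")
    return isinstance(now, time) and BUSINESS_START <= now < BUSINESS_END

# Each condition is (name, predicate over user, resource, context attributes).
HR_CONFIDENTIAL_POLICY = [
    ("user.department == HR", lambda u, r, c: u.get("department") == "HR"),
    ("user.role == Manager", lambda u, r, c: u.get("role") == "Manager"),
    ("resource.classification == HR-Confidential",
     lambda u, r, c: r.get("classification") == "HR-Confidential"),
    ("context.time in business hours", lambda u, r, c: _in_business_hours(c)),
    ("context.network == corporate", lambda u, r, c: c.get("network") == "corporate"),
]

def evaluate(policy, user, resource, context):
    """Grant only if every condition holds; also return the failed conditions.
    A missing attribute never satisfies a condition, so the check fails closed."""
    failed = [name for name, check in policy if not check(user, resource, context)]
    return (not failed), failed

# Constructed sample attributes.
HR_MANAGER = {"department": "HR", "role": "Manager"}
HR_DOC = {"classification": "HR-Confidential"}

def demo():
    office = {"time": time(10, 30), "network": "corporate"}
    evening_at_home = {"time": time(20, 0), "network": "home"}
    no_department = {"role": "Manager"}  # stale or incomplete directory entry
    return [
        evaluate(HR_CONFIDENTIAL_POLICY, HR_MANAGER, HR_DOC, office),
        evaluate(HR_CONFIDENTIAL_POLICY, HR_MANAGER, HR_DOC, evening_at_home),
        evaluate(HR_CONFIDENTIAL_POLICY, no_department, HR_DOC, office),
    ]
```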
Pros
- Extremely flexible and fine-grained
- Adapts dynamically to changing conditions
- Ideal for large, complex, or cloud environments
- Supports Zero Trust architectures well
Cons
- Complex to design and debug
- Requires accurate, well-maintained attributes
- Needs a policy engine and governance
- Harder to explain why access was denied
Choosing the Right Model for Your Use Case
There's no one-size-fits-all answer:
- Small teams or simple apps: DAC or basic RBAC
- Organizations with clear roles: RBAC
- Highly sensitive or regulated data: MAC (or partial MAC)
- Large, dynamic systems: ABAC
- Most real systems: a hybrid approach
Conclusion
Access control models are more than theoretical ideas — they directly shape the security, usability, and scalability of real-world systems. The way access is designed and enforced affects how easily people can work, how well sensitive data is protected, and how systems evolve.
The main takeaway is to begin with a simple approach: select an access control model that fits your current security requirements, then adapt it as your system grows. Introducing unnecessary complexity prematurely can be as problematic as having insufficient control.