Domain 5 Β· Lesson 3 of 5
Access Control Models (DAC, MAC, RBAC, ABAC)
MΓ΄ hΓ¬nh Kiα»m soΓ‘t Truy cαΊp
Four Access Control Models
| Model | Who Controls | How | Flexibility | TS Example |
|---|---|---|---|---|
| DAC Discretionary |
Object owner | ACLs; owner grants/revokes permissions | High | Linux file permissions |
| MAC Mandatory |
System enforces labels | Classification labels (Top Secret, Secret, Confidential) | Low | Government classified systems; Bell-LaPadula |
| RBAC Role-Based |
Admin assigns roles | Permissions assigned to roles; roles assigned to users | Medium | Platform C admin portal module-scoped permissions |
| ABAC Attribute-Based |
Policy engine | Attributes of user + resource + environment | Very High | Platform C per-lender: tenant_id of token must match resource tenant_id |
DAC β Discretionary
The owner of an object controls access. Flexible but hard to enforce organization-wide policy β one careless owner can expose sensitive data. Classic example: Linux/Windows file ACLs.
Risk: subject to Trojan horse attacks β malicious program runs as user, inherits their DAC permissions.
MAC β Mandatory
The system enforces classification labels. Users cannot override. Most restrictive model. Bell-LaPadula: "no read up, no write down" (confidentiality). Biba: "no write up, no read down" (integrity).
Used in: government, military, high-security environments requiring strict compartmentalization.
RBAC β Role-Based
Roles bundle permissions. Users are assigned roles, not individual permissions. Most common enterprise model. Easier to manage at scale than DAC. Example: loan_officer role can view applications but not approve.
Risk: privilege creep β users accumulate roles over time without deprovisioning old ones.
ABAC β Attribute-Based
Policy engine evaluates attributes of user, resource, and environment. Most flexible β can express rules like: "allow if user.tenant_id == resource.tenant_id AND time_of_day == business_hours AND device.compliant == true."
Foundation of Zero Trust access control models.
Rule-Based Access Control (RuBAC)
Often confused with RBAC. Key differences:
| Feature | RBAC (Role-Based) | RuBAC (Rule-Based) |
|---|---|---|
| Control mechanism | User's assigned ROLE determines access | System-level RULES determine access (ACLs, firewall rules) |
| Who sets it | Administrator assigns roles to users | System/administrator defines global rules |
| Dynamic? | Static (role assignment) | Can be time-based, location-based |
| Example | User in "loan_officer" role can view applications | Firewall ACL: "Block all traffic from 10.0.0.0/8 to port 22" |
| CISSP context | Enterprise IAM systems | Firewall rules, router ACLs, content filtering |
Exam trap: "Rule-Based" and "Role-Based" are DIFFERENT models. Rule-Based uses system-defined rules (like firewall ACLs). Role-Based uses user roles. A firewall that blocks traffic based on IP/port rules is Rule-Based access control, NOT Role-Based.
Privilege Creep & Access Recertification
Privilege Creep
Users accumulate permissions over time β role changes, temporary access, project-based access β without old permissions being removed. Over months/years, a user ends up with far more access than their current role requires.
Example: Engineer moves from Platform C team to Platform A team β still has production DB access to Platform C's database. No one noticed. This is privilege creep.
Access Recertification
Managers periodically review and confirm their team members still need their current access. Quarterly for privileged access, annually for standard access.
- β’ Manager sees list of what each person can access
- β’ Manager certifies: "yes still needed" or "revoke"
- β’ Uncertified access is auto-revoked
- β’ Evidence stored for audit trail
ACL vs Capability List
Access Control List (ACL)
Attached to the object β lists which subjects can access it and with what permissions.
Example: File "loan_data.csv" has ACL: [alice: read, bob: read+write, carol: none]
Capability List
Attached to the subject β lists which objects the subject can access.
Example: User alice's capability list: [loan_data.csv: read, reports/: read+write]
Key Terms
- DAC = OWNER controls access (flexible but hard to enforce at scale β user can accidentally expose data).
- MAC = SYSTEM enforces classification labels (most restrictive β users cannot override).
- RBAC = most common enterprise model (roles define permissions β easier to manage than individual ACLs).
- ABAC = most flexible (attribute policies β can express complex context-aware rules for Zero Trust).
- Privilege creep = accumulation of excess permissions β detected and remediated via access recertification reviews.
RBAC (Admin Portal): Module-scoped roles β loan_officer: view applications only; credit_analyst: view scores; admin: manage users. No wildcard permissions. Role assignments reviewed quarterly.
ABAC (Per-lender isolation): Partner A service token has tenant_id=mafc. Row-level policy on every DB query: WHERE tenant_id = token.tenant_id. Partner A token cannot see Partner D records even if the query is crafted to request them.
Access recertification: Quarterly manager review of all Platform C admin portal roles. Any engineer who left the team gets deprovisioned within 24 hours of manager review β not waiting for the quarterly cycle for leavers.
Practice Quiz
Q1. In DAC vs MAC β which model allows the resource owner to grant access to other users?
βΌ Reveal Answer
Q2. An engineer moves from the Platform C team to the Platform A team but still retains all Platform C production access 6 months later. What security problem is this, and how is it detected?
βΌ Reveal Answer
Q3. RBAC vs ABAC β which is more flexible, and which is more commonly used in enterprises?
βΌ Reveal Answer
Q4. Platform C's per-lender token validation (Partner A token cannot see Partner D data) β which access control model is this?
βΌ Reveal Answer
Q5. An ACL is attached to a file and a capability list is attached to a user. What does each one contain?