Quiz Entry - updated: 2026.07.14
What's the difference between DAC, MAC, RBAC, and ABAC — the four main access-control models?
DAC = owner decides. MAC = central policy decides. RBAC = role decides. ABAC = attributes (any combination) decide.
| Model | Who decides who gets access? | Classic example |
|---|---|---|
| DAC (Discretionary Access Control) | The resource owner decides | UNIX file system: file's owner sets chmod permissions |
| MAC (Mandatory Access Control) | A central authority/policy decides, not the owner | Government clearances; employee badges grant zones |
| RBAC (Role-Based Access Control) | Decisions are by role assignments; users get roles, roles get rights | Most enterprise IAM systems (AD groups, AWS IAM roles) |
| ABAC (Attribute-Based Access Control) | Decisions evaluated from arbitrary attributes (user, resource, environment) | XACML, modern cloud policy engines (e.g. AWS IAM conditions, OPA) |
MAC has special subtypes for very high-assurance environments:
- Multi-level (lattice of clearances): Bell-LaPadula (confidentiality, "no read up, no write down") and Biba (integrity, "no read down, no write up").
- Clark-Wilson: integrity via well-formed transactions + separation of duty.
- Multi-lateral / Chinese Wall: prevents conflicts of interest (e.g. a consultant can't access two competing clients' data).
In practice: most real systems are RBAC at the application layer, ABAC for fine-grained policies, DAC at the filesystem layer, and MAC only in defence / classified-info contexts.