LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between DAC, MAC, RBAC, and ABAC — the four main access-control models?

DAC = owner decides. MAC = central policy decides. RBAC = role decides. ABAC = attributes (any combination) decide.

Model Who decides who gets access? Classic example
DAC (Discretionary Access Control) The resource owner decides UNIX file system: file's owner sets chmod permissions
MAC (Mandatory Access Control) A central authority/policy decides, not the owner Government clearances; employee badges grant zones
RBAC (Role-Based Access Control) Decisions are by role assignments; users get roles, roles get rights Most enterprise IAM systems (AD groups, AWS IAM roles)
ABAC (Attribute-Based Access Control) Decisions evaluated from arbitrary attributes (user, resource, environment) XACML, modern cloud policy engines (e.g. AWS IAM conditions, OPA)

MAC has special subtypes for very high-assurance environments:

  • Multi-level (lattice of clearances): Bell-LaPadula (confidentiality, "no read up, no write down") and Biba (integrity, "no read down, no write up").
  • Clark-Wilson: integrity via well-formed transactions + separation of duty.
  • Multi-lateral / Chinese Wall: prevents conflicts of interest (e.g. a consultant can't access two competing clients' data).

In practice: most real systems are RBAC at the application layer, ABAC for fine-grained policies, DAC at the filesystem layer, and MAC only in defence / classified-info contexts.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026