What Are the 4 Types of Access Control?
Introduction
Access control is a fundamental concept in security, governing how individuals gain permission to access physical locations, digital systems, or sensitive information. Whether applied to an office building, a computer network, or confidential records, access control ensures that only authorised users can enter or interact with protected resources.
At the heart of access control are four recognised access control models. These models define how permissions are assigned, enforced, and managed. Each type has its own strengths, limitations, and ideal use cases.
This article provides a detailed explanation of the four types of access control, how they work, where they are used, and how organisations decide which model is most suitable.
What Is an Access Control Model?
An access control model is a structured method for determining:
- Who can access a resource
- What actions they can perform
- Under what conditions access is allowed
Access control models are applied to both physical security (doors, gates, restricted areas) and logical security (files, systems, networks).
The four main types of access control are:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
Overview of the 4 Types of Access Control
| Type | Control Authority | Flexibility | Security Level |
|---|---|---|---|
| Discretionary (DAC) | Resource owner | High | Moderate |
| Mandatory (MAC) | Central authority | Low | Very high |
| Role-Based (RBAC) | Organisation | Medium | High |
| Attribute-Based (ABAC) | System logic | Very high | Very high |
Each model approaches access decisions differently, depending on how much control is given to users versus the system.
1. Discretionary Access Control (DAC)
What Is Discretionary Access Control?
Discretionary Access Control (DAC) is an access model where the owner of a resource decides who can access it. The system allows users to grant or revoke access permissions at their discretion.
In DAC systems, access rights are typically tied to user identities and ownership.
How DAC Works
- A user creates or owns a resource
- That user decides who else can access it
- Permissions can usually be modified or shared
DAC Permission Example
| User | Resource | Permission |
|---|---|---|
| Alice | File A | Read / Write |
| Bob | File A | Read only |
| Charlie | File A | No access |
Where DAC Is Commonly Used
- Personal computers
- Small business networks
- File-sharing environments
- Basic operating systems
Advantages of DAC
- Easy to understand and manage
- Highly flexible
- Minimal administrative overhead
Disadvantages of DAC
- Increased risk of permission misuse
- Difficult to audit in large systems
- Vulnerable to insider threats
Security Considerations
Because users control permissions, DAC systems rely heavily on user awareness and responsibility. Accidental sharing or poor permission management can lead to security breaches.
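The DAC behaviour described in this section, as an added Python example that is not part of the original article: it models the File A table, lets only the owner change permissions, and adds an audit listing for reviews. The class and function names are hypothetical.

```python
class DacResource:
    """A resource whose owner alone decides who may access it."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # The owner starts with full rights; nobody else has an entry.
        self.acl = {owner: {"read", "write"}}

    def _require_owner(self, actor):
        # The "discretion" in DAC belongs to the owner, not to other users.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")

    def grant(self, actor, user, perms):
        self._require_owner(actor)
        self.acl.setdefault(user, set()).update(perms)

    def revoke(self, actor, user, perms):
        self._require_owner(actor)
        remaining = self.acl.get(user, set()) - set(perms)
        if remaining:
            self.acl[user] = remaining
        else:
            self.acl.pop(user, None)  # no rights left: drop the entry

    def allowed(self, user, perm):
        # No ACL entry means no access (Charlie in the table above).
        return perm in self.acl.get(user, set())

    def audit(self):
        # Review aid: every user holding any right on this resource.
        return {user: sorted(perms) for user, perms in sorted(self.acl.items())}


def build_file_a():
    """Recreate the File A table: Alice read/write, Bob read only."""
    file_a = DacResource("File A", owner="Alice")
    file_a.grant("Alice", "Bob", {"read"})
    return file_a


if __name__ == "__main__":
    print(build_file_a().audit())
```

Running `audit()` across every resource is what gives a reviewer the full picture, which is why DAC becomes hard to audit as the number of owners and resources grows.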
2. Mandatory Access Control (MAC)
What Is Mandatory Access Control?
Mandatory Access Control (MAC) is the most restrictive access control model. Access decisions are enforced by a central authority, and users cannot change permissions.
In MAC systems, resources and users are assigned security labels, and access is granted only if predefined rules allow it.
How MAC Works
- Each user has a security clearance
- Each resource has a classification level
- Access is granted only if clearance matches classification
MAC Classification Example
| Classification Level | Access Rights |
|---|---|
| Top Secret | Full access |
| Secret | Limited access |
| Confidential | Restricted access |
| Public | Open access |
Where MAC Is Commonly Used
- Government systems
- Military environments
- Highly regulated industries
- Critical infrastructure
Advantages of MAC
- Extremely high security
- Centralised control
- Strong resistance to insider threats
Disadvantages of MAC
- Very rigid
- Difficult to modify permissions
- Requires extensive planning and maintenance
Security Considerations
MAC systems prioritise security over convenience. Even trusted users cannot override system rules, reducing the risk of data leakage or unauthorised access.
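A label check of the kind described in this section, as an added Python example that is not part of the original article. It assumes the four levels in the table are ordered Public < Confidential < Secret < Top Secret and treats a clearance at or above the classification as a match; the user and resource names are constructed.

```python
from enum import IntEnum
from types import MappingProxyType


class Level(IntEnum):
    # Assumed ordering of the classification levels in the table above.
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Labels are set by the central authority and exposed read-only,
# so code acting for a user cannot alter them (constructed sample data).
CLEARANCES = MappingProxyType({
    "alice": Level.TOP_SECRET,
    "bob": Level.CONFIDENTIAL,
})
CLASSIFICATIONS = MappingProxyType({
    "ops-plan": Level.SECRET,
    "staff-handbook": Level.CONFIDENTIAL,
    "press-release": Level.PUBLIC,
})


def can_read(user, resource):
    """Allow access only when the user's clearance covers the label."""
    clearance = CLEARANCES.get(user)
    classification = CLASSIFICATIONS.get(resource)
    if clearance is None or classification is None:
        return False  # unlabelled user or resource: deny by default
    return clearance >= classification


def try_relabel(resource, level):
    """Show that a user-side attempt to change a label is rejected."""
    try:
        CLASSIFICATIONS[resource] = level
    except TypeError:  # a mappingproxy does not support item assignment
        return False
    return True


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, {r: can_read(user, r) for r in CLASSIFICATIONS})
```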
3. Role-Based Access Control (RBAC)
What Is Role-Based Access Control?
Role-Based Access Control (RBAC) assigns access permissions based on job roles rather than individual users. Users inherit permissions associated with their role within an organisation.
This model is widely used because it balances security with manageability.
How RBAC Works
- Roles are defined (e.g., Manager, Technician, Administrator)
- Permissions are assigned to roles
- Users are assigned one or more roles
RBAC Role Example
| Role | Typical Permissions |
|---|---|
| Administrator | Full system access |
| Manager | Reporting and approval |
| Employee | Standard operational access |
| Visitor | Limited access |
Where RBAC Is Commonly Used
- Corporate IT systems
- Physical access systems
- Healthcare and education
- Enterprise software platforms
Advantages of RBAC
- Easy to scale
- Simplifies user management
- Supports compliance requirements
Disadvantages of RBAC
- Role definition can become complex
- Risk of “role creep” over time
- Less flexible than attribute-based systems
Security Considerations
RBAC is effective when roles are clearly defined and regularly reviewed. Poor role management can result in excessive permissions being granted.
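The role mapping and the review step described in this section, as an added Python example that is not part of the original article. The permission strings, user names and the `EXPECTED_ROLES` record (standing in for whatever source states each person's current job) are hypothetical.

```python
# Permissions attach to roles, never directly to users.
ROLE_PERMISSIONS = {
    "Administrator": {"system:full"},
    "Manager": {"reports:view", "requests:approve"},
    "Employee": {"ops:use"},
    "Visitor": {"lobby:enter"},
}

# Constructed sample assignments. "fay" kept old roles after changing jobs.
USER_ROLES = {
    "dana": {"Manager", "Employee"},
    "eli": {"Employee"},
    "fay": {"Employee", "Manager", "Administrator"},
}

# Roles each person's current job calls for (hypothetical HR record).
EXPECTED_ROLES = {
    "dana": {"Manager", "Employee"},
    "eli": {"Employee"},
    "fay": {"Employee"},
}


def permissions_for(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    # Unknown users hold no roles, so they get no permissions.
    return permission in permissions_for(user)


def role_creep_report():
    """List roles held beyond what the current job requires."""
    report = {}
    for user, held in USER_ROLES.items():
        extra = held - EXPECTED_ROLES.get(user, set())
        if extra:
            report[user] = sorted(extra)
    return report


if __name__ == "__main__":
    print(role_creep_report())
```

The report is the input to a periodic role review: each listed role is either justified and recorded, or removed.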
4. Attribute-Based Access Control (ABAC)
What Is Attribute-Based Access Control?
Attribute-Based Access Control (ABAC) is the most dynamic and flexible access control model. Access decisions are based on attributes rather than fixed roles or ownership.
Attributes can relate to users, resources, actions, or environmental conditions.
How ABAC Works
Access decisions may consider:
- User attributes (department, clearance)
- Resource attributes (data sensitivity)
- Environmental attributes (time, location)
ABAC Decision Example
| Attribute | Value |
|---|---|
| User department | Finance |
| Access time | 09:00–17:00 |
| Location | Office network |
| Resource sensitivity | Medium |
Access is granted only if all conditions are met.
Where ABAC Is Commonly Used
- Large enterprises
- Cloud-based systems
- Complex regulatory environments
- Advanced physical security systems
Advantages of ABAC
- Extremely flexible
- Highly granular control
- Supports complex security policies
Disadvantages of ABAC
- Complex to design and manage
- Requires advanced systems
- Higher implementation cost
Security Considerations
ABAC provides strong security but requires careful planning. Poorly defined attributes can lead to unexpected access decisions.
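The ABAC Decision Example and the warning about poorly defined attributes, as an added Python example that is not part of the original article: every condition must hold, and a missing or wrongly typed attribute denies access instead of being skipped. The attribute names, the `office-network` value and the inclusive 09:00 to 17:00 boundary are assumptions.

```python
from datetime import time

# One rule per attribute from the decision table: (name, test, description).
POLICY = [
    ("user_department", lambda v: v == "Finance",
     "department must be Finance"),
    ("access_time", lambda v: time(9, 0) <= v <= time(17, 0),
     "time must be within 09:00-17:00"),
    ("location", lambda v: v == "office-network",
     "request must come from the office network"),
    ("resource_sensitivity", lambda v: v == "medium",
     "rule covers medium-sensitivity resources only"),
]


def evaluate(request):
    """Return (granted, failures). Access needs every condition to pass."""
    failures = []
    for name, predicate, description in POLICY:
        if name not in request:
            # Fail closed: an absent attribute never counts as a pass.
            failures.append(f"{name}: attribute missing")
            continue
        try:
            ok = predicate(request[name])
        except TypeError:
            # For example a time sent as the string "10:30".
            ok = False
        if not ok:
            failures.append(f"{name}: {description}")
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed sample request matching the table above.
    sample = {
        "user_department": "Finance",
        "access_time": time(10, 30),
        "location": "office-network",
        "resource_sensitivity": "medium",
    }
    print(evaluate(sample))
    print(evaluate({**sample, "access_time": time(17, 1)}))
```

Returning the list of failed conditions alongside the decision makes unexpected denials and grants traceable to a specific attribute during policy reviews.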
Comparing the Four Types of Access Control
| Feature | DAC | MAC | RBAC | ABAC |
|---|---|---|---|---|
| User control | High | None | Low | None |
| Centralised management | Low | High | High | Very high |
| Flexibility | High | Low | Medium | Very high |
| Scalability | Low | Medium | High | Very high |
| Security strength | Medium | Very high | High | Very high |
Physical vs Logical Use of the 4 Models
Each model can be applied to physical and digital environments.
Examples
| Model | Physical Example | Logical Example |
|---|---|---|
| DAC | Office keys shared by owner | File permissions |
| MAC | Secure government facility | Classified databases |
| RBAC | Staff ID cards by job role | Business software access |
| ABAC | Time-based door access | Cloud system rules |
Cost Considerations
Access control costs vary depending on the model used.
Indicative Cost Comparison (£)
| Model | Setup Cost (£) | Ongoing Cost (£/year) |
|---|---|---|
| DAC | 500–1,500 | 300 |
| MAC | 5,000–15,000 | 3,000 |
| RBAC | 3,000–8,000 | 1,500 |
| ABAC | 8,000–20,000 | 4,000 |
Figures are indicative and shown in pounds (£).
Choosing the Right Access Control Model
The right model depends on:
- Organisation size
- Security requirements
- Regulatory obligations
- Budget
- Operational complexity
Many organisations use hybrid approaches, combining models to balance security and usability.
Professional access control strategies are often discussed within security-focused environments such as https://williamhale.co.uk/, where tailored solutions are considered based on risk and operational needs.
Common Mistakes When Implementing Access Control
- Granting excessive permissions
- Failing to revoke access promptly
- Ignoring audit logs
- Poor role or attribute design
- Infrequent access reviews
Avoiding these mistakes is just as important as choosing the right model.
Future Trends in Access Control Models
Access control continues to evolve:
| Trend | Impact |
|---|---|
| Cloud-native access control | Increased scalability |
| AI-driven policies | Smarter access decisions |
| Behaviour-based attributes | Continuous authentication |
| Zero Trust models | No implicit trust |
These developments often rely heavily on ABAC principles.
Conclusion
The four types of access control — DAC, MAC, RBAC, and ABAC — form the foundation of modern security systems. Each model offers a different balance between control, flexibility, and security.
- DAC prioritises user control
- MAC prioritises absolute security
- RBAC prioritises organisational efficiency
- ABAC prioritises flexibility and precision
Understanding these models allows organisations to design access control systems that protect assets, comply with regulations, and support efficient operations.
When implemented correctly and reviewed regularly, access control is not just a security measure — it is a strategic asset.
21. Hybrid Access Control Models
In practice, many organisations do not rely on just one access control model. Instead, they adopt hybrid access control, combining elements of DAC, MAC, RBAC, and ABAC to meet operational and security needs.
Hybrid Model Example
| Scenario | Model Used |
|---|---|
| Job-based permissions | RBAC |
| Time-based access | ABAC |
| Classified data | MAC |
| Personal file ownership | DAC |
Hybrid approaches allow organisations to apply strict controls where necessary while maintaining flexibility elsewhere.
22. Access Control and the Principle of Least Privilege
The principle of least privilege underpins all four access control models. It states that users should be granted only the minimum level of access required to perform their duties.
Benefits of Least Privilege
- Reduced attack surface
- Lower risk of accidental misuse
- Improved accountability
- Easier auditing
Least Privilege Example
| Role | Required Access | Unnecessary Access |
|---|---|---|
| Accounts clerk | Invoicing system | Payroll admin |
| Technician | Maintenance tools | HR records |
Applying this principle strengthens all access control models.
23. Access Control Reviews and Lifecycle Management
Access control must be actively managed throughout the user lifecycle — from onboarding to departure.
Key Lifecycle Stages
- New user creation
- Role or responsibility changes
- Temporary access assignments
- Offboarding and access removal
Review Frequency Table
| Access Type | Review Interval |
|---|---|
| Standard user access | Quarterly |
| Privileged access | Monthly |
| Temporary access | Weekly |
| Dormant accounts | Immediate action |
Regular reviews prevent outdated or excessive permissions.
24. Measuring the Effectiveness of Access Control
An effective access control system should be measurable. Metrics help organisations understand whether controls are working as intended.
Key Performance Indicators (KPIs)
| Metric | Purpose |
|---|---|
| Failed access attempts | Detect potential threats |
| Access violations | Identify policy gaps |
| Time to revoke access | Measure response efficiency |
| Audit findings | Assess compliance |
These measurements support continuous improvement and risk reduction.
25. Access Control as Part of a Wider Security Strategy
Access control is most effective when integrated into a broader security framework, alongside surveillance, monitoring, incident response, and staff training.
Rather than functioning in isolation, access control supports organisational resilience by ensuring that security policies are consistently enforced across people, systems, and environments. When aligned with risk assessments and governance processes — as explored in professional security discussions such as those found at https://williamhale.co.uk/ — access control becomes a long-term strategic safeguard rather than a standalone control.