UNDERSTANDING ROLE AND RULE-BASED, MANDATORY AND DISCRETIONARY ACCESS CONTROL MODELS
Trusted by 100,000+ organizations globally
While strong, versatile and adaptive physical security strategies will always be a top priority for business and property owners, a balance must be achieved with policies able to prevent potential intrusion events that don’t hinder employees from accessing essential resources.
Reliable and effective access control will be deployed with adaptability in mind, making use of intelligently designed methodologies intended to grant varying degrees of access to relevant employees, residents and visitors based upon a predetermined and informed ruleset.
This is the concept behind access control models: systems that allow admins or system administrators to better manage user permissions and grant property access based on measurable criteria such as time, company role and security clearance. This guide will detail the most commonly implemented variations of access control model, as well as describe use cases, system benefits, best practices and unique user considerations.
Types of access control models, methods and examples
Before describing the operation of each access control method in detail, it’s important that business and property owners gain a clear understanding of what access control actually entails. When security teams discuss the use of access control methods, they are likely referring to these factors:
- Identifying an individual and their specific organizational role
- Authenticating that individual using only their issued credentials
- Unlocking a door or a digital asset without compromising additional data
Alongside systems used to secure building entry points and physical spaces, access control can also be deployed as a digital security measure. In these configurations, access control methods can be used to:
- Grant access to computer networks using passwords, usernames or other credentials
- Grant access to digital files, hardware and software required for specific organizational roles
- Grant and monitor user permissions to ensure that staff are able to work efficiently
Most access control methods can be categorized using one (or more) of these five models or access control lists:
- Rule-based access control (RuBAC)
- Role-based access control (RBAC)
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Attribute-based access control (ABAC)
These access control models describe the way in which an installed security system is instructed to operate, including the parameters that must be met to grant building, room or elevator access, the way that unique user permissions are understood and the ruleset used to inform wider security policies.
Choosing the most appropriate access control models will require the system administrator or business owner to consider the unique needs of the access control system installation, including the type and size of the building, the number of individuals requiring regular access, the intended variability of granted permissions and the overall level of on-site security deemed necessary for the organization.
What is rule-based access? (RuBAC)
Rule-based access control is used to manage access to locations, databases and devices according to a set of predetermined rules and permissions that do not account for the individual’s role within the organization. In other words, if the user does not meet a set of predefined access criteria, they will be locked out of the access control network regardless of their level of security clearance.
What is role-based access control? (RBAC)
Role-based access control is an operational configuration for physical and cyber entry point management designed to grant access permissions based only on the role of the user within an organization. Simply put, levels of access are determined by the user’s job title rather than other predefined rules such as time, frequency of use or other similarly measurable variables.
Mandatory access control (MAC)
Mandatory access control is the strictest configuration organizations can deploy in which all access decisions are made by one individual with the authority to confirm or deny permissions. This model is commonly used by organizations with high-level security needs, like government agencies and financial institutions, as access to confidential areas and data must be highly controlled and traceable.
Discretionary access control (DAC)
In contrast to MAC, discretionary access control models describe a system in which any user granted access permissions by an administrator can edit and share those permissions with other members of an organization. This means that once the end user has access to a location or a digital system, they’re able to grant the same privileges to any other person at their own personal discretion.
Attribute-based access control (ABAC)
Attribute-based access control (also referred to as a policy-based access control method) is a methodology in which permissions are granted based on the evaluated attributes or characteristics of the employee rather than only their specific role. Attributes can include desired actions, job roles and the classification of the object or location in question. If an employee fails to meet all these criteria access will be denied.
When to use a rule-based access control model
If an organization adopts this model of access control, appointed security administrators will be tasked with setting high-level rules used to determine exactly how, where and when employees of all levels are able to access certain locations, databases and other specific company resources.
With a rule-based system in place, employees will present personally issued access credentials to be checked against a predetermined list of requirements. If all needs are met, access will be granted.
Rule-based access control examples
Under this methodology, company roles may be overridden by certain rules implemented by the administrator. For example, IT staff may have access to server rooms based on their company role, though a rule denying access after a certain hour would take precedence to deny these credentials.
In operation, an example of rule-based access would be that an administrator has programmed access hours for a building in line with a regular working day, meaning regardless of an individual’s role within the company, no active credentials will be accepted by the access control network outside the hours of 9am-5pm.
Rule-based models for access control can also be utilized in conjunction with additional systems, allowing administrators to set prioritized levels of security in response to specific risks and potential threats. A role-based system may be in place to provide basic access instruction, with rules outlining additional criteria such as:
- Time — Access is only granted at predetermined times
- Threat level — If additional security features are triggered all access is denied
- Contextual values — Access is dependent on factors such as server load, occupancy, workflows or devices
Rule-based access control benefits
Rule-based access control offers a flexible approach to building security, with admins able to completely restrict access to certain areas in reaction to evolving requirements, though as these rules are likely to change fairly regularly, RuBAC systems can be time-consuming to manage and adjust.
Management of RuBAC systems can be made a little easier by clearly outlining the type of rulesets the network is configured to follow. Static rules can be implemented which will not change without admin permission; dynamic rules can be set to change under certain circumstances; and implicit deny rules can be utilized to block access to any user lacking specifically defined access credentials.
Further benefits to the use of RuBAC models include:
- Fast authorization — Access requests are assessed quickly using predefined rules
- Granular controls — Multiple variables can be defined and implemented within rules
- Flexible adjustments — Site-wide rules can be changed without adjusting RBAC systems
- Wider compliances — Industry regulations can be maintained using blanket rulesets
Rule-based access control best practices
As rule-based permissions will commonly be implemented alongside additional access control models and be expected to override certain aspects of the wider security network, a number of best practices must be followed when designing and implementing an effective rule-based access control network.
- Define existing access rules — Document the rules that apply to both individual access points and the network as a whole. This will include locating high-risk areas and ensuring that specific rules are applied to these entry points, with regular assessments to prevent new vulnerabilities being exposed.
- Understand exceptional scenarios — Assess the access control network to identify any potential instances in which additional rules may mitigate risks. For example, if the entire site is experiencing a security lockdown, which sets of credentials will be required to access integral building functions?
- Avoid conflicting permissions — Understand how proposed rules may relate to the parameters set by existing access control systems like IP door access control systems to ensure that a conflict does not wrongly grant or deny access.
- Publish rules — Ensure any rules impacting sitewide security systems are clearly documented and accessible to all employees, including updates and changes that may affect daily operations.
When to use role-based access control methods
Role-based access control operates using the least privilege principle, in which a user is only granted access to the specific areas and resources necessary for them to perform their role within an organization. Access in these situations will commonly be based on factors like seniority and job title.
Managing these permissions can be a little difficult if an employee has multiple roles within the organization, though multiple sets of credentials can be issued to the same physical access device.
What is a role-based access control example?
By implementing a RBAC model, security teams can ensure that all team members are restricted to predefined areas with little need for administrative monitoring. For example, management teams will be granted access to most entry points and databases, specialist workers will have access to relevant resources and low-level employees will be restricted to communal areas and low-risk environments.
This means a member of the IT department can use their credentials to access communal areas and role-specific locations such as server rooms, while office staff may only be able to access the main entrance of the building, meeting rooms and the office space itself. This system allows admins to manage the credentials of large workforces without individually assessing each staff member.
Role-based access control advantages and disadvantages
As with any security system, there are key role-based access control benefits and drawbacks to the use of these models.
RBAC systems can provide:
- Reliable security — With permissions granted on a need-to-know basis, admins can be assured that staff are only able to access locations and resources essential to their roles.
- Simple management — Configuring and adjusting permissions can be reduced to a small number of roles, requiring less administrative resources to manage large workforces.
- Easily issued credentials — When new employees are hired, or existing staff are promoted, relevant credentials can be issued immediately without needing to create new profiles.
- Company-wide consistency — Organizations that operate across multiple sites can ensure that the same role carries identical permissions across the business.
Some potential drawbacks to the use of RBAC systems include:
- Inflexibility — As role-based permissions are designed to address large numbers of staff with one policy, credentials cannot be customized to fit individual or dynamic use cases.
- Requires organizational structure — For RBAC models to be effective, there must be a clearly defined hierarchy, which isn’t always present in start-ups and scaling businesses
Role-based access control best practices
Before implementing a role-based access control model, organizations should consider:
- Existing access profiles — Draw up a plan of all building access points and rank required security levels from lowest to highest. Compare this with a list of employees with access to high-security areas and ensure that all high-risk locations are linked to an authorized role.
- Create access profiles — Identify which areas and permissions will be required for employees in each role to perform their duties.
- Publish roles and permissions — Ensure that all employees understand issued permissions by publicly posting all policies.
- Regularly review the system — Listen to feedback from staff and record any access issues that can be used to revise the RBAC model over time.
Rule-based vs. role-based access control models
Rule-based and role-based access control models are similar in operation, both are mandatory (not discretionary) systems in which employees are unable to edit permissions or control access, though there are a few differences that may indicate a preferential model for certain situations. When figuring out which access control methods are right for your organization, consider the following factors.
Rule-based models are a preventative security measure, meaning these systems are unable to determine clearance levels. Rather, their purpose is to prevent unauthorized access. Conversely, role-based models are proactive in that these systems provide staff with the means to prove their own authorization.
Rule-based models ignore job titles in favor of strict rules that must be addressed to gain access. Role-based models instead grant permissions based entirely on the user’s role within the company. In larger organizations where roles are clearly defined, RBAC methods might be easier to manage, while smaller organizations where employees need different levels of access depending on a variety of factors may be better suited for RuBAC models.
Rule-based models are ideal for large workforces as access parameters are far reaching and generic, while role-based models can cater to individuals based on their role on a case-by-case basis.
What is the difference between RBAC and ABAC?
Let’s look at role-based access control vs. attribute-based access control. The main difference when it comes to a role-based access control vs. attribute-based access control model is the way that admins configure access parameters. In a role-based system, access is confirmed or denied based only on job title; ABAC systems instead rely on approved attributes or characteristics.
If you are therefore weighing rule-based access control vs. attribute-based access control, consider whether your business could allow access based on just job title, or whether you need additional criteria and characteristics. Characteristics may include job titles, though can extend to criteria such as project memberships and clearance levels, creating a more precise — though harder to implement — security system.
What is the difference between RuBAC and ABAC?
When comparing rule-based access control vs. attribute-based access controls, again the primary difference is the way parameters are configured. In a RuBAC model, access is evaluated in response to a set of predetermined rules, while ABAC systems measure approved attributes to grant access.
The difference here is the type of information used. Rules are often related to external factors like working hours, schedules and specific devices, while attributes will be reliant on personal information such as active projects, work status and security clearance level.
Both configurations consider multiple variables when determining access parameters, and both can be implemented alongside additional models such as role-based systems; only the variables used differ.
Mandatory access control vs. discretionary access control models
In terms of discretionary access control vs. mandatory access control, these two models differ greatly. MAC models rely heavily on admins configuring access parameters based on predetermined rules and organizational roles, providing more security though often proving time-consuming to implement.
DAC models instead provide users with some individual control over their data, with staff able to grant permissions at their own discretion. This makes DAC systems incredibly flexible and scalable. However, as credentials can be shared freely amongst staff, DAC models are known to present some exploitable security risks.
Choosing the most logical access control methods and models for your organization
So, which is the most logical access control method for your property? When it comes to access control models, property owners should consider the pros and cons of rule- and role-based systems, as implementing the most appropriate methodology will aid security teams in managing access to physical locations and digital information in an efficient and reliable manner.
Leveraging multiple access control models can help to customize physical security technology in line with the unique needs of an installation, though businesses will need to consider aspects such as staff numbers, building size and the level of security required before selecting the most appropriate configuration, as well as the effort and resources to effectively develop and manage the access control models as business needs change.
Have questions? We can help
Our video security experts can help you implement the right security system for your business.