Access Control Methods

MAC – Mandatory Access Control

  • Used in environments requiring high levels of security (Government, Military)
  • Need to Know
  • Each access control subject (users & programs) is assigned a clearance label, and each access control system object is assigned a sensitivity label.
  • No read up – No write down is applied according to each subject's sensitivity level. This is the “MANDATORY” part!
  • 3 levels of confidentiality (Confidential, Secret, Top Secret)

DAC – Discretionary Access Control

  • Owner of the access control object determines the privileges (read, write, execute etc) of the access control subjects.
  • Not scalable and relies upon individual decisions.
  • Uses ACLs on the access object
  • Example: Windows File and Folder security in a Work Group.
  • The primary difference between MAC and DAC is that MAC employs labeling and requires both the object owner's permission and the system's permission, while DAC requires only the access control object owner’s permission.
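
The MAC and DAC decisions described above, side by side, as an added example that is not part of the original notes. The class names, function names, users and objects are hypothetical; the model covers only read and write, and treats the owner's permission as an ACL entry.

```python
from dataclasses import dataclass, field

# The three confidentiality levels from the notes, lowest to highest.
LEVELS = {"Confidential": 0, "Secret": 1, "Top Secret": 2}

@dataclass
class Subject:
    name: str
    clearance: str                      # clearance label, assigned by the system

@dataclass
class Resource:
    name: str
    sensitivity: str                    # sensitivity label, assigned by the system
    acl: dict = field(default_factory=dict)  # subject name -> rights, set by the owner

def dac_allows(subject, resource, right):
    """DAC: the owner's ACL is the only check."""
    return right in resource.acl.get(subject.name, set())

def label_allows(subject, resource, right):
    """System label check: no read up, no write down."""
    s, o = LEVELS[subject.clearance], LEVELS[resource.sensitivity]
    if right == "read":
        return s >= o                   # reading a higher-labelled object is denied
    if right == "write":
        return s <= o                   # writing to a lower-labelled object is denied
    return False                        # other rights are not modelled here

def mac_allows(subject, resource, right):
    """MAC: both the system label check and the owner's ACL must pass."""
    return label_allows(subject, resource, right) and dac_allows(subject, resource, right)

# Constructed sample data.
alice = Subject("alice", "Secret")
bob = Subject("bob", "Confidential")
report = Resource("report", "Secret", {"alice": {"read", "write"}, "bob": {"read"}})
memo = Resource("memo", "Confidential", {"alice": {"read", "write"}, "bob": {"read", "write"}})

def decisions():
    """Return {(subject, right, object): (DAC result, MAC result)} for the sample data."""
    cases = [(bob, "read", report), (alice, "write", memo),
             (alice, "read", memo), (bob, "write", report)]
    return {(s.name, r, o.name): (dac_allows(s, o, r), mac_allows(s, o, r))
            for s, r, o in cases}

if __name__ == "__main__":
    for case, (dac, mac) in decisions().items():
        print(case, "DAC:", dac, "MAC:", mac)
```

The first two cases are the ones where the models disagree: the owner's ACL grants the access, but the label check refuses it as a read up or a write down.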

NDAC – Non-Discretionary Access Control

  • Non-discretionary access control differs from discretionary access control in that the definition of access rules is tightly controlled by a security administrator rather than by ordinary users.

RBAC – Role-Based Access Control