Compare and contrast access control models
Understanding Cisco Cybersecurity Fundamentals (210-250)
Discretionary Access Control
Discretionary Access Control (DAC) allows the owner of the data to assign read or write rights to each file to whomever they choose. This makes it very flexible, but there is no central control. It is also prone to violations of security policy.
Mandatory Access Control
Mandatory Access Control (MAC) is enforced by the operating system or access policy enforcer. In MAC every piece of data is classified and permissions are granted by a user’s rights to each classification. It has a very strict control, but can be harder to manage.
Role Based Access Control
Role Based Access Control (RBAC) uses the role assigned to the subject (user) to determine rights. Every user with the same role, gets the same rights. This makes it very easy to manage and very scalable.
Attribute-Based Access Control
Attribute-Based Access Control (ABAC) uses attributes of the subject, object and environment to make access decisions. It provides very flexible access control, but has more complexity compared to DAC or RBAC.