
3 Types of Access Control: IT Security Models Explained

Summary: In this article, we will look at three important types of access control in security. You’ll learn about the different types of access control, how they work, and their pros and cons. By the end of this article, you’ll understand what type of access control will work best for your organization and meet your security needs. 

What Is Access Control in Cybersecurity?

Access control is a security framework that determines who may access which resources, based on pre-established authentication and authorization rules. Access controls authenticate users by verifying login credentials, including usernames, passwords, PINs, security tokens, and biometric scans.

Some types of access control systems authenticate through multi-factor authentication (MFA), which requires multiple authentication methods to verify a user's identity. Once a user is authenticated, they are given the appropriate level of access and permissions depending on their identity.

In other words, access control consists of:

  • Assigning users the appropriate permissions to access files and resources
  • Enabling an authenticated user to sign in to the network with the correct credentials

Here are three major types of access control and their advantages.


3 Types of Access Control

1. Discretionary Access Control (DAC)

DAC grants access rights according to rules set by the administrators of each resource. In this model, each resource has an owner or admin who decides who receives access and at what level.

How does it work?

DAC decentralizes security decisions, allowing administrators and resource owners to grant users access at specified levels. It uses ACLs (access control lists), which define what level of permission each user has on a particular resource.
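The owner-driven ACL mechanism described above, as an added illustration in Python (not code from the original article or from StrongDM); the resource name, principals and permission names are constructed for the scenario:

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A resource under DAC: one owner plus an ACL of principal -> permissions."""
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)


class DacStore:
    """Discretionary model: only a resource's owner may change its ACL."""

    def __init__(self) -> None:
        self.resources: dict[str, Resource] = {}

    def create(self, name: str, owner: str) -> Resource:
        res = Resource(name, owner)
        res.acl[owner] = {"read", "write", "delete"}  # owner holds full control
        self.resources[name] = res
        return res

    def grant(self, actor: str, name: str, principal: str, perm: str) -> bool:
        """Owner-driven grant; returns False when the actor is not the owner."""
        res = self.resources[name]
        if actor != res.owner:
            return False
        res.acl.setdefault(principal, set()).add(perm)
        return True

    def revoke(self, actor: str, name: str, principal: str, perm: str) -> bool:
        """Owner-driven revoke; returns False when the actor is not the owner."""
        res = self.resources[name]
        if actor != res.owner:
            return False
        res.acl.get(principal, set()).discard(perm)
        return True

    def check(self, principal: str, name: str, perm: str) -> bool:
        """Authorization decision: look the principal up in the resource's ACL."""
        return perm in self.resources[name].acl.get(principal, set())


def build_example() -> DacStore:
    """Constructed scenario: alice owns payroll.xlsx and shares read access with bob."""
    store = DacStore()
    store.create("payroll.xlsx", owner="alice")
    store.grant("alice", "payroll.xlsx", "bob", "read")
    return store
```

Note that nothing central reviews alice's grant: whoever owns a file decides who sees it, which is exactly the decentralization the next section weighs up.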

Pros & Cons

DAC is simple to use, and as long as users and roles are listed correctly, it’s easy to access resources. Since access control is decentralized, administrators or owners can easily add or remove permissions. Owners and users (depending on their privileges) can control access to their data, which gives them the ability to read, make changes, or delete files.

Precisely because of its simplicity and flexibility, DAC can pose a security risk to large organizations, businesses handling sensitive data, or both. Assigning permissions to individual users is a time-consuming task for large enterprises, and mistakes made by users who were given improper permissions can be detrimental when important files are involved.

2. Role-Based Access Control (RBAC)

System administrators use the RBAC (or non-discretionary) access control model to grant access based on organizational roles rather than on individual user accounts within a company. Only people whose roles require them to do the particular work are given access to the resource.

How does it work?

With RBAC, administrators define roles and determine the resources that a role needs access to. Each user is then assigned to a role that gives them the appropriate permissions to do their job. Users can join different groups but can only be given one role.
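The role-to-permission mapping just described, as an added Python illustration (not code from the original article or from StrongDM); the role names, permission strings and users are constructed, and the one-role-per-user rule follows the text above:

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Permissions hang off roles; each user is assigned exactly one role."""
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_role: dict[str, str] = field(default_factory=dict)

    def define_role(self, role: str, permissions: set[str]) -> None:
        """Create or update a role; every user holding it sees the change at once."""
        self.role_permissions[role] = set(permissions)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_role[user] = role  # one role per user; reassignment replaces it

    def check(self, user: str, permission: str) -> bool:
        """The decision consults only the user's role, never the user directly."""
        role = self.user_role.get(user)
        return role is not None and permission in self.role_permissions[role]


def build_example() -> Rbac:
    """Constructed scenario: two roles, three users."""
    rbac = Rbac()
    rbac.define_role("dba", {"db:read", "db:write", "db:admin"})
    rbac.define_role("analyst", {"db:read"})
    rbac.assign("alice", "dba")
    rbac.assign("bob", "analyst")
    rbac.assign("carol", "analyst")
    return rbac
```

Redefining a role is the administrative shortcut the pros section refers to: one edit changes the permissions of every user holding that role.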

Pros & Cons

RBAC helps to reduce administrative work by enabling admins to assign a user to a role with predefined permissions, as opposed to assigning each permission to a user one at a time. It also gives administrators an easy way to show that all data and important information is handled according to confidentiality standards.

It can be challenging for administrators to assign roles in large or growing organizations, where roles may regularly be created or tailored to fit the needs of the organization. Admins need to maintain an up-to-date understanding of roles to properly maintain role categorizations and manage their access requirements. This often requires collaboration between teams to properly implement RBAC in an organization, which impacts the workload of other team members.

3. Attribute-Based Access Control (ABAC)

In contrast to the role-defined access control method of RBAC, ABAC is a complex strategy that applies a multitude of attributes to both users and resources. While it is more complicated than RBAC, it gives admins the flexibility to make decisions according to context and evolving levels of risk.

How does it work?

Users can access a resource only when their attributes, the resource's attributes, and the surrounding conditions satisfy the policy. Attributes can include user characteristics such as job title or security clearance; resource properties such as file type or creation date; and even environmental characteristics such as access location or time.
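A minimal ABAC policy evaluator covering the three attribute kinds named above (subject, resource, environment), as an added Python illustration rather than code from the original article or from StrongDM; the attribute names, the clearance levels, the business-hours window and the office-only-writes rule are all constructed for the example:

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

@dataclass(frozen=True)
class Request:
    """One access request: attributes of the subject, resource and environment."""
    subject: dict
    resource: dict
    environment: dict
    action: str

# Each rule is a predicate over the whole request; all must hold for access.
def clearance_rule(r: Request) -> bool:
    return r.subject["clearance"] >= r.resource["classification"]

def department_rule(r: Request) -> bool:
    return r.subject["dept"] == r.resource["dept"]

def business_hours_rule(r: Request) -> bool:
    return time(8, 0) <= r.environment["time"] <= time(18, 0)

def onsite_writes_rule(r: Request) -> bool:
    # Writes are only allowed from the office; reads may come from anywhere.
    return r.action != "write" or r.environment["location"] == "office"

POLICY: list[Callable[[Request], bool]] = [
    clearance_rule, department_rule, business_hours_rule, onsite_writes_rule,
]

def evaluate(req: Request, policy=POLICY) -> tuple[bool, list[str]]:
    """Deny by default: return the decision plus the names of the rules that failed."""
    failed = [rule.__name__ for rule in policy if not rule(req)]
    return (not failed, failed)

def make_request(action: str, location: str, at_hour: int) -> Request:
    """Constructed scenario: a finance analyst with clearance 2 opening a level-2 sheet."""
    return Request(
        subject={"title": "analyst", "clearance": 2, "dept": "finance"},
        resource={"type": "spreadsheet", "classification": 2, "dept": "finance"},
        environment={"location": location, "time": time(at_hour, 0)},
        action=action,
    )
```

Returning the names of the failed rules is what makes such a policy auditable: a denied request can be explained without re-reading the whole rule set.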

Pros & Cons

ABAC lets organizations implement extremely granular yet flexible security policies across a wide variety of resources. Not only does this make security policies adaptable to changing business requirements, but it keeps security tight by allowing policies to be added or modified as needs arise.

The granularity of ABAC policies means that it takes significant time and resources to create and apply attributes to users and resources. Likewise, maintaining that level of detail is challenging for admins of large, growing, or dynamically changing teams.

How StrongDM Simplifies Access Control

Companies need to use the access control method that best protects their confidential information for their needs. StrongDM combines the power of both RBAC and ABAC for a security boost that eases the burden on administrative teams.

With StrongDM’s access control model, organizations get:

  • Streamlined workflows: Reduced admin work makes it easier for users to access the resources they need when they need them.
  • Fast response time: Admins can quickly approve access requests for time-sensitive projects.
  • Security that meets simplicity: Thorough access rules are easy to set up and modify to meet evolving needs.

Secure Your Resources With StrongDM

Each type of access control system comes with its own benefits and limitations. DAC will work well for companies with limited resources and limited risk, but organizations that prioritize speed, security, and flexibility — particularly if they work with confidential or sensitive information — should use both RBAC and ABAC access control models. 

StrongDM can help. Sign up for our 14-day trial today to see how StrongDM can help your business manage your security needs for the long haul.

About the Author

, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.
