Access control is a foundational component of data security that oversees the policies and processes through which individuals access company information and resources. Through authentication and authorization, access control policies ensure that users are who they say they are and that they have appropriate access to company data. Access control can also be implemented by an organization to limit physical access to campuses, buildings, rooms, and datacenters.
The four access control models are:
Discretionary access control (DAC): In this method, the owner or administrator of the protected system, data, or resource sets the policies for who is allowed access.
Mandatory access control (MAC): In this nondiscretionary model, people are granted access based on an information clearance. A central authority regulates access rights based on different security levels. This model is common in government and military environments.
Role-based access control (RBAC): RBAC grants access based on defined business functions rather than the individual user’s identity. The goal is to provide users with access only to data that has been deemed necessary for their roles within the organization. This widely used method is based on a complex combination of role assignments, authorizations, and permissions.
Attribute-based access control (ABAC): In this dynamic method, access is based on a set of attributes and environmental conditions, such as time of day and location, assigned to both users and resources.
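The same request evaluated under each of the four models, as an added example that is not part of the original page. The users, levels, roles, department attribute and business-hours window are constructed assumptions, and the MAC check is simplified to a single clearance comparison.

```python
from dataclasses import dataclass, field
from datetime import time

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # MAC levels (constructed)
ROLE_PERMS = {                                           # RBAC role -> permissions (constructed)
    "hr_analyst": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
}

@dataclass
class User:
    name: str
    clearance: str = "public"
    roles: set = field(default_factory=set)
    dept: str = ""
    location: str = "office"

@dataclass
class Resource:
    kind: str
    owner: str
    label: str = "public"
    dept: str = ""
    acl: dict = field(default_factory=dict)   # DAC grants, set by the owner

def dac(u, r, action):
    # The owner has full access; everyone else gets only what the owner granted.
    return u.name == r.owner or action in r.acl.get(u.name, set())

def mac(u, r, action):
    # Simplified: the centrally assigned clearance must be at or above the label.
    return LEVELS[u.clearance] >= LEVELS[r.label]

def rbac(u, r, action):
    # Identity is irrelevant; only permissions attached to the user's roles count.
    return any((r.kind, action) in ROLE_PERMS.get(role, set()) for role in u.roles)

def abac(u, r, action, now):
    # User, resource and environment attributes are evaluated together per request.
    return (u.dept == r.dept and u.location == "office"
            and time(8, 0) <= now <= time(18, 0))

def evaluate(u, r, action, now):
    return {"DAC": dac(u, r, action), "MAC": mac(u, r, action),
            "RBAC": rbac(u, r, action), "ABAC": abac(u, r, action, now)}

# Constructed sample: an HR analyst reads a payroll file remotely at 22:00.
payroll = Resource("payroll", owner="alice", label="confidential", dept="hr")
bob = User("bob", clearance="confidential", roles={"hr_analyst"}, dept="hr", location="remote")
if __name__ == "__main__":
    print(evaluate(bob, payroll, "read", time(22, 0)))
```

The role and clearance checks pass for this request, while the owner-managed list and the time and location conditions deny it, which is why the chosen model determines the outcome for an otherwise identical user and resource.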