Sunday, August 5, 2018

Access Control Models - DAC, MAC, RBAC, Rule Based & ABAC

Identity and Access Management is an extremely vital part of information security. An access control model is a framework that helps to manage identity and access in an organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control. Every model uses different methods to control how subjects access objects: one may focus on rules, another on the roles of the subject. As security professionals, we must know all about these different access control models. While a company may choose to implement one of these models depending on its culture, there is no rule book which says that you cannot implement multiple models in your organization.

These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, which differs depending on the type of access control model embedded into the system. For every access attempt, before a subject can communicate with an object, the security kernel reviews the rules of the access control model to determine whether the request is allowed.

So let’s understand what these models have to say about themselves:

1. Discretionary Access Control Model

If you have used any platform such as Windows, Mac or Linux, you can easily understand and appreciate this model. If you create a folder in any of these, you can easily add/delete/modify the permissions which you want to give to different subjects. Sounds confusing? Well, it isn’t. Let’s take an example to understand this.

I have created a folder named “SSCP Video Course”. Now, since I’m the owner, it is at my discretion to assign various permissions to users. I can go to the “Security” tab, click “Edit” permissions and define which users need to be given “Full control” and which users can only be given “Read” access.

A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.

There is another term which is used quite often with reference to these models: the Access Control List (ACL). An ACL for a file lists all the users and/or groups that are authorized to access the file and the specific access granted to each.

While all seems good in the world of DAC, there are some issues with this model. While this model offers the best flexibility of any of the models, that flexibility is also its weakest point. For example, if a user opens an attachment that is infected with a virus, the code can install itself in the background without the user being aware of this activity. This code basically inherits all the rights and permissions that the user has and can carry out all the activities a user can perform on the system. It can send copies of itself out to all the contacts listed in the user’s e-mail client, install a back door, attack other systems, delete files on the hard drive, and more. The user is actually giving rights to the virus to carry out its dirty deeds, because the user has very powerful discretionary rights and is considered the owner of many objects on the system. And the fact that many users are assigned local administrator or root accounts means that once malware is installed, it can do anything on the system.

2. Mandatory Access Control (MAC) Model

Do not confuse this with an Apple Mac; this model is not even remotely related to it. This model is the complete opposite of the DAC model. In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as they do in a DAC model. An operating system based on a MAC model greatly reduces the number of rights, permissions and functions a user has, for security purposes.

You would have surely seen movies where Ethan Hunt or Jason Bourne try to access top secret or confidential files which they do not have access to. Well, the MAC model uses security labels to implement this. Security labels are attached to all objects; thus every file, directory and device has its own security label with its classification information. Now, Jason Bourne may have a security clearance of secret, but in order to find his identity he may request a file whose security label carries the classification of top secret. In this case, he will be denied because his clearance does not dominate (is not equal to or higher than) the classification of the object.

This type of model is used in environments where information classification and confidentiality is of utmost importance, such as military institutions, government agencies, and government contract companies.

The problem with DAC was that malware could inherit all the permissions the user had and install itself on the system. In MAC systems, this isn’t the case. Since users who work within a MAC system cannot install software, the operating system does not allow any type of software, including malware, to be installed while the user is logged in. But while MAC systems might seem the answer to all our security prayers, they offer very limited user functionality, require a lot of administrative overhead, are very expensive and are not user-friendly. DAC systems are general-purpose computers, while MAC systems serve a very specific purpose.

3. Role Based Access Control (RBAC) Model

If you work in a large organization, you can easily understand that awarding permissions user by user could become a herculean task. Why not adopt a simpler way then? RBAC does exactly that: it simplifies the process by allowing security administrators to provide the same level of access permissions to a particular group. Suppose 3 people have joined your organization, one in R&D, another in the HR department and the third in a sales role. As a security administrator using RBAC, you can award all their access permissions in a jiffy. How? Just by adding each one of them to their respective groups.

The moment the person is added to the HR group, the RBAC model extends all privileges of this group to the newly added person.

In a similar manner, if a person leaves the role, the security administrator just needs to remove this person from the group and all privileges are revoked immediately.

4. Rule-Based Access Control Model

This model is simply based on the premise “If X then Y”. Rules are pre-defined, and access permissions are granted according to those rules. For example, firewalls include a set of rules or filters within an ACL, defined by an administrator. The firewall examines all the traffic going through it and only allows traffic that matches one of the rules. Firewalls include a final rule (referred to as the implicit deny rule) denying all other traffic. For example, the last rule might be “deny all” to indicate the firewall should block all traffic in or out of the network that wasn’t previously allowed by another rule.

If this sounds too complex, then consider the following statement: if the role ID of the person is XXX, such as RND for research and development, you give him default access to the top 3 basic folders. The system follows this simple rule and access is provided only to such people.

Rule-based access allows a developer to define specific and detailed situations in which a subject can or cannot access an object, and what that subject can do once access is granted. Traditionally, rule-based access control has been used in MAC systems as an enforcement mechanism for the complex rules of access that MAC systems provide.

While the rule-based model is commonly used in firewalls and routers to implement access control permissions, a basic drawback is that providing finer granularity of access is very complex and unproductive. In simple terms, rule-based models enforce rules on all users, and if you start devising rules for granularity, the system loses its ease of use.
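The firewall ACL described above, written out as an added example (not code from the article): a constructed rule list is evaluated top to bottom, the first matching rule decides, and anything that matches nothing falls through to the implicit deny. The subnets, ports and rule order are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR, or "any"
    dst_port: Optional[int]     # destination port, None = any port
    proto: str                  # "tcp", "udp" or "any"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return self.proto in ("any", proto)

# Constructed rule set. Order matters: the quarantine deny sits above the
# broad HTTPS allow, otherwise a quarantined host would be let through by rule 1.
RULES: List[Rule] = [
    Rule("deny",  "10.0.9.0/24", None, "any"),  # 0: quarantined subnet, block everything
    Rule("allow", "10.0.0.0/8",  443,  "tcp"),  # 1: internal hosts may reach HTTPS
    Rule("allow", "10.0.5.0/24", 22,   "tcp"),  # 2: only the admin subnet may SSH
    Rule("allow", "any",         53,   "udp"),  # 3: DNS queries from anywhere
]

def evaluate(rules: List[Rule], src_ip: str, dst_port: int, proto: str) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index of the deciding rule);
    index -1 means no rule matched and the implicit "deny all" applied."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_port, proto):
            return rule.action, i
    return "deny", -1

if __name__ == "__main__":
    for pkt in [("10.0.9.7", 443, "tcp"), ("10.0.1.5", 443, "tcp"),
                ("10.0.1.5", 22, "tcp"), ("192.168.1.1", 53, "tcp")]:
        print(pkt, "->", evaluate(RULES, *pkt))
```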

5. Attribute-Based Access Control (ABAC) Model

Consider this example: a person who belongs to the R&D department, works on the secret project Genetic Mutation and holds the role of super senior specialist or above must be able to access the website “” only from the office premises and only between 0900 hours and 1700 hours.

Well, this sounds quite simple to implement, doesn’t it? If you configure this through rule-based access control, it becomes quite complex.

To solve such complex access issues, we have the Attribute Based Access Control (ABAC) model. It is an advanced implementation of the RBAC model. Attributes can be almost any characteristic of users, the network and devices on the network. It is these attributes that are used to implement the ABAC model.

How would ABAC solve the above problem? Well, you just need to enter the attributes of the person and then configure the rule. The attributes which can be extracted from the problem are R&D, Genetic Mutation, Super Senior Specialist, Office Network and Timings. If a person has these attributes, which can be added or removed at any point in time, he can access the website and the firewall will not block it.

From an RBAC perspective, every attribute would have to be checked against a rule, which would consume a lot of resources when access decisions need to be taken in a jiffy. A user will not wait for an hour to know whether he can or cannot access a website. The system must evaluate the request based on the rules/attributes and provide an answer immediately.

Hence, in a nutshell, rule-based access control applies to all users, but ABAC can be much more specific.
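The Genetic Mutation scenario above as an added ABAC policy (example code, not from the article): each attribute the text extracts (department, project, seniority, office network, time window) becomes one predicate over the request, and a permit requires all of them to hold. The seniority ladder, office address range and the user records are hypothetical values constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

# Hypothetical seniority ladder and office address space (not from the article).
RANK = {"specialist": 1, "senior specialist": 2, "super senior specialist": 3, "principal": 4}
OFFICE_NETS = [ip_network("10.20.0.0/16")]

@dataclass
class Request:
    subject: Dict[str, Any]   # who is asking: department, projects, role
    env: Dict[str, Any]       # where and when: src_ip, wall-clock time
    resource: str             # what is being accessed

Predicate = Callable[[Request], bool]

# One predicate per attribute from the scenario; every one must hold for a permit.
POLICY: List[Tuple[str, Predicate]] = [
    ("department is R&D",
     lambda r: r.subject.get("department") == "R&D"),
    ("assigned to project Genetic Mutation",
     lambda r: "Genetic Mutation" in r.subject.get("projects", ())),
    ("rank is super senior specialist or above",
     lambda r: RANK.get(r.subject.get("role"), 0) >= RANK["super senior specialist"]),
    ("request comes from the office network",
     lambda r: any(ip_address(r.env["src_ip"]) in net for net in OFFICE_NETS)),
    ("request is between 0900 and 1700",
     lambda r: time(9, 0) <= r.env["now"] <= time(17, 0)),
]

def decide(req: Request) -> Tuple[bool, List[str]]:
    """Evaluate every attribute predicate; permit only if none fails.
    The names of the failed predicates explain a denial to the administrator."""
    failed = [name for name, pred in POLICY if not pred(req)]
    return (not failed, failed)

if __name__ == "__main__":
    # Constructed user: qualifies on every subject attribute.
    alice = {"department": "R&D", "projects": ("Genetic Mutation",), "role": "principal"}
    print(decide(Request(alice, {"src_ip": "10.20.3.4", "now": time(10, 30)}, "project-site")))
    print(decide(Request(alice, {"src_ip": "203.0.113.9", "now": time(18, 0)}, "project-site")))
```

Adding a sixth attribute (say, a managed-device flag) is one more predicate, whereas the rule-based approach the article contrasts it with would need a fresh rule for every combination.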

From an exam perspective, these models are extremely important. As a security professional, you must have clarity on these models to help guide organizations as to which combination of these IAM models would support their work culture best.

What do you think of the article? Do let me know your thoughts in the comments section below.
