Quick Definitions<\/h2>\n\n\n\n
Before diving into different types of access control, let\u2019s define a few terms and acronyms you\u2019ll see throughout this article.<\/p>\n\n\n\n
- \n
- Access control: <\/strong>Access control defines the schemas that prescribe how subjects<\/em> can interact with objects<\/em> in your IT architecture. Organizations can \u2014 and often do \u2014 use different types of access control in different environments.<\/li>\n<\/ul>\n\n\n\n
- \n
- Subjects<\/strong> are the entities that do <\/em>the accessing \u2014 like users and applications.<\/li>\n\n\n\n
- Objects<\/strong> are the entities that receive<\/em> access \u2014 like networks and files.<\/li>\n<\/ul>\n\n\n\n
- \n
- DAC<\/a>:<\/strong> Discretionary access control <\/li>\n<\/ul>\n\n\n\n
- \n
- MAC<\/a>: <\/strong>Mandatory access control<\/li>\n<\/ul>\n\n\n\n
- \n
- RuBAC<\/a>: <\/strong>Rule-based access control<\/li>\n<\/ul>\n\n\n\n
- \n
- RBAC<\/a>:<\/strong> Role-based access control<\/li>\n<\/ul>\n\n\n\n
- \n
- ABAC<\/a>:<\/strong> Attribute-based access control <\/li>\n<\/ul>\n\n\n\n
Discretionary Access Control <\/h2>\n\n\n\n
![\"People](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/02\/discretionary-access-control-1024x683.jpg\")
<\/figure>\n\n\n\nDiscretionary access control (DAC) assigns privileges based on rules specified by users. Most file systems default to DAC by assigning access control to file creators, who can then assign access parameters to others. Typically, they maintain full control over these settings and can change them at any time. Note that DAC systems usually have a super admin role that can supersede a user\u2019s ownership.<\/p>\n\n\n\n
Discretionary Access Control Example<\/h3>\n\n\n\n
Windows and macOS file systems default to DAC: the user is automatically assigned ownership when they create a file, allowing them to view, edit, and share the file at their discretion.<\/p>\n\n\n\n
Discretionary Access Control Benefits <\/h3>\n\n\n\n
- \n
- Flexibility.<\/strong> DAC is flexible, as it allows users to set access parameters for each resource. Resource-by-resource access assignment leaves room for flexible roles or a lack of formal roles. This makes DAC well-suited to small companies without consistent, established processes and where users wear many hats. <\/li>\n<\/ul>\n\n\n\n
- \n
- Decreased IT burden.<\/strong> Allowing users to set access parameters for resources removes the burden of doing so from IT. With IT teams often stretched thin<\/a>, DAC can be a welcome supplement, especially for low-risk resources (like user-generated text documents) that don\u2019t require high-security controls.\u00a0<\/li>\n<\/ul>\n\n\n\n
Discretionary Access Control Drawbacks<\/h3>\n\n\n\n
While taking the burden off of IT can be helpful to IT teams in the short-run, this lack of centralized management can generate problems down the road. If IT ever does decide to change access control approach or needs to centralize resources, they will likely have a hard time doing so when users have generated and assigned access ad hoc.<\/p>\n\n\n\n
- \n
- Increased user burden.<\/strong> Because DAC places access control assignment on the user, they experience additional friction when creating and sharing resources. <\/li>\n<\/ul>\n\n\n\n
- \n
- Poor resource management.<\/strong> DAC\u2019s lack of consistency also complicates resource management, as it doesn\u2019t work with a central source of truth that tracks all resources (like a cloud directory platform<\/a> does). This makes onboarding and offboarding difficult, as access would need to be given and revoked manually, per resource. This can become a security problem if employees are accidentally allowed to keep access to resources after leaving the organization. It also allows for the possibility that an employee may be the sole owner of a resource and its access rights, rendering it inaccessible if they are absent or leave the organization. <\/li>\n<\/ul>\n\n\n\n
- \n
- Inability to scale.<\/strong> Because DAC requires users to manually apply controls per individual resource, it is not suited to high-volume resource creation. This can be a hindrance to users upon project creation, for example. Further, adding or removing users from the environment can complicate assigned access. Granting one new employee access to all the resources they need (which might be owned by different people) could be a time-consuming and convoluted process from the start; doing so for an entire new team could present significant challenges.<\/li>\n<\/ul>\n\n\n\n
- \n
- Lack of security.<\/strong> DAC doesn\u2019t enforce access control standards, and it allows users to change access parameters on a per-resource basis \u2014 both of which almost guarantee inconsistency, and, subsequently, insecurity. Placing access control in users\u2019 hands implicitly trusts every user, which can create vulnerabilities. <\/li>\n<\/ul>\n\n\n\n
Environments where users can share data at will, without supervision, are particularly susceptible to ransomware. Further, user-driven access also obscures central visibility and control, which prevents IT administrators from managing all of the organization\u2019s resources and poses additional security risks, as IT admins cannot mitigate threats to resources they don\u2019t know about or can\u2019t access. <\/p>\n\n\n\n
Mandatory Access Control <\/h2>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/02\/military-computer-access-control.jpg\")
Mandatory access control is common in government and military organizations.<\/figcaption><\/figure>\n\n\n\n With mandatory access control (MAC), the operating system enforces access permissions and restrictions, which are created by a system administrator and based on hierarchical security levels. System administrators configure access rules by assigning security levels to both subjects and objects, and subjects can access anything equal to or lower than their assigned security level in accordance with the prescribed hierarchy. <\/p>\n\n\n\n
Mandatory Access Control Example<\/h3>\n\n\n\n
MAC\u2019s format is well-suited to environments with global levels of security, like government organizations, where restrictions are based on clearance level. In such instances, a document could be assigned a \u201ctop secret\u201d security level, and only users with top secret clearance levels would be able to access that document. <\/p>\n\n\n\n
Mandatory Access Control Benefits<\/h3>\n\n\n\n
- \n
- High security and consistency. <\/strong>MAC restricts the user\u2019s ability to control access policies, even for resources they create; instead, MAC keeps this capability with a centralized security or IT admin team to be enforced by the systems themselves. This keeps security and consistency high. <\/li>\n<\/ul>\n\n\n\n
- \n
- Principle of least privilege. <\/strong>MAC strictly enforces the principle of least privilege (PLP)<\/a>, a cornerstone of Zero Trust security<\/a>. In government organizations, this is often referred to as \u201cneed to know\u201d \u2014 information is only shared with those who need to know it to complete their work. <\/li>\n<\/ul>\n\n\n\n
Mandatory Access Control Drawbacks<\/h3>\n\n\n\n
- \n
- Rigid format. <\/strong>In fluid or frequently changing organizations that don\u2019t have a finite number of global, static security levels, MAC can be too rigid.<\/li>\n<\/ul>\n\n\n\n
- \n
- Manual burden.<\/strong> With MAC, system administrators have to assign attributes to all resources and users manually. System administrators are also the only ones who can change access control settings, so they\u2019re tasked with manually fulfilling all access requests.<\/li>\n<\/ul>\n\n\n\n
- \n
- Difficult scaling and maintenance. <\/strong>Because system administrators are responsible for making all access control changes, organizational changes, new hires, new projects that generate many documents, and other large-scale events put a significant burden on the IT team. To minimize this maintenance, system administrators need to keep a thorough, updated record of all resources and their permissions.<\/li>\n<\/ul>\n\n\n\n
Rule-Based Access Control<\/h2>\n\n\n\n
![\"Networking](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/02\/rule-based-access-control-network.jpg\")
Rule-based access control is commonly used with networking equipment.<\/figcaption><\/figure>\n\n\n\n Rule-based access control (RuBAC) uses rule lists that define access parameters. RuBAC rules are global: they apply to all subjects equally. This makes them well-suited to networking equipment like firewalls and routers as well as environments that require strict global policies, like content filtering. Typically, RuBAC policies don\u2019t allow for implicit access; instead, they usually function on an implicit deny basis, only making allowances where rules explicitly say to do so. (Note that some systems can modify these rules.) <\/p>\n\n\n\n
Rule-Based Access Control Example<\/h3>\n\n\n\n
A firewall might be given a list of white-listed IP addresses and only grant access to those addresses.<\/p>\n\n\n\n
Rule-Based Access Control Benefits<\/h3>\n\n\n\n
- \n
- Centralized security. <\/strong>Only system administrators can create and set rules, which helps keep the IT environment consistent and secure. <\/li>\n<\/ul>\n\n\n\n
- \n
- Flexibility. <\/strong>The if-then structure of RuBAC policies makes them fairly open-ended, allowing IT administrators the flexibility to create customized and granular rules. <\/li>\n<\/ul>\n\n\n\n
- \n
- Scope. <\/strong>Rules can be created around events and other criteria that extend beyond roles and attributes.<\/li>\n<\/ul>\n\n\n\n
Rule-Based Access Control Drawbacks<\/h3>\n\n\n\n
- \n
- Rigidity. <\/strong>While RuBAC policies are open-ended and wide in scope, their strict adherence to rule lists fails to account for business logic and nuance. This makes RuBAC environments less dynamic than attribute-based access control (ABAC) environments.<\/li>\n<\/ul>\n\n\n\n
- \n
- Lack of security.<\/strong> This lack of dynamic policies can create security gaps. For reliable security, systems need the intelligence to detect abnormal activity based on more than a list of rules. While RuBAC can be an advantageous security supplement, the nuances of role-based and attribute-based access control provide more complete security against modern, intelligent threats. <\/li>\n<\/ul>\n\n\n\n
Role-Based Access Control<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/02\/digital-office-hierarchy.jpg\")
Role-based access control schemas are often similar to organizational hierarchies.<\/figcaption><\/figure>\n\n\n\n Role-based access control (RBAC) uses roles and user groups to determine access privileges. With RBAC, system administrators assign roles to subjects and configure access permissions to apply at the role level. From there, systems can automatically grant or deny access to objects based on the subject\u2019s role. <\/p>\n\n\n\n
With RBAC, privileges mapped to roles tend to remain static, and roles assigned to subjects tend to change more frequently. For example, people may move in and out of a managerial role, but the access privileges granted to managers tend to stay the same. In an environment without much change, this can create a successful set-it-and-forget-it access control process; in an environment where people and roles change frequently, RBAC can quickly become a headache.<\/p>\n\n\n\n
Role-Based Access Control Example<\/h3>\n\n\n\n
A system administrator could restrict financial data access to only C-suite users and the finance team. If someone transferred from the sales department to the finance department, their role change might revoke their CRM access while granting them access to financial data.<\/p>\n\n\n\n
Role-Based Access Control Benefits<\/h3>\n\n\n\n
- \n
- Centralized management.<\/strong> Role-based security keeps access management in IT\u2019s hands, which helps maintain consistency, security, and compliance. <\/li>\n<\/ul>\n\n\n\n
- \n
- Intuitive policies.<\/strong> Although policies can become convoluted in complex environments, RBAC policies are typically derived from tangible user parameters, like a department, leadership level, or branch. This makes policy creation more intuitive.<\/li>\n<\/ul>\n\n\n\n
- \n
- Automation. <\/strong>Role-based access control rules can be applied automatically. This streamlines scaling and management when compared to manual methods like MAC and DAC. Further, changing access configurations can be done en masse by changing the permissions of a role, reducing policy configuration time.<\/li>\n<\/ul>\n\n\n\n
- \n
- Easy maintenance in static environments.<\/strong> In static environments without much personnel movement or scaling, RBAC can form a reliable foundation that automatically assigns and applies the right permissions to subjects.<\/li>\n<\/ul>\n\n\n\n
Role-Based Access Control Drawbacks<\/h3>\n\n\n\n
- \n
- Not suited to granular policies.<\/strong> Because new policies often necessitate role creation, RBAC doesn\u2019t lend itself to granular policies. This can decrease security and process efficiency; for example, an enterprise resource planning (ERP) system might not be able to implement efficient processes without granular roles. By contrast, ABAC\u2019s application of business logic allows for granular specificity without implications on the core identity management structure. <\/li>\n<\/ul>\n\n\n\n
- \n
- Affects identity management structures. <\/strong>RBAC\u2019s dependency on user roles means IT admins often must create or alter roles to implement access policies. This can quickly lead to a sprawling core identity management structure. The ability to nest roles further complicates this dependency and can lead to unmanaged roles and security blind spots if not properly managed. <\/li>\n<\/ul>\n\n\n\n
- \n
- High management overhead.<\/strong> RBAC\u2019s tendency to complicate identity management environments necessitates close management, especially in dynamic environments. This means IT will have to be involved with role creation and changes (which could have otherwise been left up to HR and individual departments) as well as close ongoing maintenance of roles and policies in place. <\/li>\n<\/ul>\n\n\n\n
- \n
- Security risk.<\/strong> Failing to manage a role-dependent access environment can lead to decreased visibility, overallocated permissions, and a weak identity management posture \u2014 all of which generate significant risk.<\/li>\n<\/ul>\n\n\n\n
- \n
- Limited scope.<\/strong> As its name suggests, role-based access control is based wholly on roles. This can be limiting, as not every policy intuitively aligns with role. For instance, policies around which Wi-Fi networks users can access may not naturally align with their role in their organization. Creating new roles to account for this factor is an example of how RBAC can lead to role sprawl.<\/li>\n<\/ul>\n\n\n\n
Attribute-Based Access Control<\/h2>\n\n\n\n
![\"Illustration](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/02\/attribute-based-access-control-1.jpg\")
Attribute-based access control allows for flexible and granular policy creation.<\/figcaption><\/figure>\n\n\n\n Attribute-based access control (ABAC), also known as policy-based access control, is similar to role-based access control, except that it uses the more broad and flexible attribute<\/em> rather than role <\/em>to form policy rules. While a user may be assigned one or two roles \u2014 like remote worker<\/em> and admin <\/em>in a typical role-driven identity management structure, they could be assigned essentially limitless attributes to define and qualify their access parameters. These attributes would not have to influence their position in the organization\u2019s identity management structure.<\/p>\n\n\n\n
ABAC evaluates attributes at the time of the attempted login. Because attributes can span a wide array of information, this allows ABAC policies to account for context and real-time information, like the user\u2019s location at the time of login. <\/p>\n\n\n\n
Overall, ABAC facilitates complex rules that allow IT admins to create contextual and strategic policies. This makes it a great candidate for disparate and highly variable cloud environments. <\/p>\n\n\n\n
Attribute-Based Access Control Example<\/h3>\n\n\n\n
Attributes can be created to define the scope of someone\u2019s access, like office branch<\/em> to inform someone\u2019s badge access and Wi-Fi permissions. Attributes could also be created to carry over integration information \u2014 e.g., JumpCloud makes users\u2019 AWS role names an attribute as part of its SSO integration with AWS<\/a> to carry this information over.<\/p>\n\n\n\n
In addition, conditional access policies are often attribute based: e.g., if a user logs in from a trusted device and <\/em>from a trusted geographical location, then the user may be granted access. <\/p>\n\n\n\n
Attribute-Based Access Control Benefits<\/h3>\n\n\n\n
- \n
- Flexibility. <\/strong>ABAC allows IT admins to choose from a wide range of attributes, facilitating flexible policy creation. Attributes can also be created to indicate roles and groups in third-party software, making this access control method friendly to integrations with other identity management solutions.<\/li>\n<\/ul>\n\n\n\n
- \n
- Context. <\/strong>This wide range of attributes allows IT admins to account for context and nuance in policy creation, facilitating more intelligent rules driven by business logic. <\/li>\n<\/ul>\n\n\n\n
- \n
- Easy granularity.<\/strong> ABAC allows IT admins to create policies independently of roles, which makes it easy to create highly specific and granular policies. Attributes don\u2019t have to affect roles or identity management structures, which allows IT admins to create attributes with as much specificity as they need without creating contingencies or altering the identity management structure.<\/li>\n<\/ul>\n\n\n\n
- \n
- Easy management and maintenance. <\/strong>Because attributes can exist without larger implications on the organization\u2019s identity management structure, they require less maintenance and upkeep. Where allowing a role to go unmonitored could lead to obscurity in the environment and overallocated access privileges, allowing an attribute to fall out of use doesn\u2019t necessarily have strong implications on the identity management structure.<\/li>\n<\/ul>\n\n\n\n
- \n
- Efficiency. <\/strong>ABAC automatically applies attributes to policies using business logic, facilitating intelligent policies while still removing the burden of close manual management.<\/li>\n<\/ul>\n\n\n\n
- \n
- Security.<\/strong> The ability to create many custom, intelligent policies that account for people, networks, devices, and environment helps IT admins secure their organization holistically. Further, ABAC\u2019s automatic and intelligent implementation ensures accuracy and reduces the risk of human error.<\/li>\n<\/ul>\n\n\n\n
- \n
- Well-suited to cloud and remote environments. <\/strong>ABAC\u2019s ability to account for devices, networks, and environment make it an ideal choice for remote, hybrid-remote, and cloud-first environments. These environments vary widely; ABAC provides a wide range of attributes and customizability that can adequately protect them. <\/li>\n<\/ul>\n\n\n\n
Attribute-Based Access Control Drawbacks<\/h3>\n\n\n\n
- \n
- Requires a strong foundation.<\/strong> Without a strong, centralized foundation, ABAC can be difficult to implement and control. Organizations should have a cloud directory or similar platform that manages the attributes that will drive policies (users, devices, networks, and environmental factors) to successfully implement ABAC.<\/li>\n<\/ul>\n\n\n\n
Which Access Control Model Is Right for My Environment?<\/h2>\n\n\n\n
Businesses should look for solutions that uphold Zero Trust<\/a> by applying the principle of least privilege (PLP) at every access point. This requires an access control strategy that can associate users with permission levels, which includes MAC, RuBAC, RBAC, and ABAC. <\/p>\n\n\n\n
MAC is a highly specialized strategy that applies well to government and military structures, but falls short elsewhere. RuBAC can apply PLP to an extent, but its rigid format makes it a bit less dynamic than RBAC and ABAC, and therefore less able to intelligently apply PLP. RuBAC may be sufficient for certain parts of your environment, like firewalls and email content filtering.<\/p>\n\n\n\n
RBAC is common in popular market solutions. However, as the world becomes more remote and cloud-first, ABAC\u2019s intuitive policy creation and maintenance are making it the more secure and efficient choice. ABAC\u2019s flexibility also allows it to integrate easily with third-party platforms that use RBAC by associating roles with attributes.<\/p>\n\n\n\n
To learn more about why ABAC wins out against other access control methods, check out our blog, The Immediate Benefits of Attribute-Based Access Control<\/a>. <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each.<\/p>\n","protected":false},"author":144,"featured_media":31097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[23,2781],"tags":[2647,2500,2649,2650,2648],"collection":[2779,2780],"platform":[],"funnel_stage":[3016],"coauthors":[2532],"acf":[],"yoast_head":"\n
What Are the Different Types of Access Control? - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What Are the Different Types of Access Control?\" \/>\n<meta property=\"og:description\" content=\"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-17T18:20:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-14T17:21:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/01\/jumpcloud-logo-2023.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"627\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kate Lake\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kate Lake\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\"},\"author\":{\"name\":\"Kate Lake\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/f8e192cbcdde7ffa4bc2f96c48ceda78\"},\"headline\":\"What Are the Different Types of Access Control?\",\"datePublished\":\"2022-02-17T18:20:00+00:00\",\"dateModified\":\"2024-11-14T17:21:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\"},\"wordCount\":2812,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg\",\"keywords\":[\"access control\",\"access management\",\"attribute based access control\",\"role based access control\",\"user management\"],\"articleSection\":[\"Best Practices\",\"How-To\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\",\"url\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\",\"name\":\"What Are the Different Types of Access Control? - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg\",\"datePublished\":\"2022-02-17T18:20:00+00:00\",\"dateModified\":\"2024-11-14T17:21:20+00:00\",\"description\":\"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/different-types-access-control\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/different-types-access-control#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What Are the Different Types of Access Control?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/f8e192cbcdde7ffa4bc2f96c48ceda78\",\"name\":\"Kate Lake\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/46cab796831a4f3fb686940689408879\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/49d664ae369f57340f0165a652ddb04b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/49d664ae369f57340f0165a652ddb04b?s=96&d=mm&r=g\",\"caption\":\"Kate Lake\"},\"description\":\"Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud\u2019s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).\",\"sameAs\":[\"https:\/\/jumpcloud.com\/blog\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"What Are the Different Types of Access Control? - JumpCloud","description":"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/different-types-access-control","og_locale":"en_US","og_type":"article","og_title":"What Are the Different Types of Access Control?","og_description":"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.","og_url":"https:\/\/jumpcloud.com\/blog\/different-types-access-control","og_site_name":"JumpCloud","article_published_time":"2022-02-17T18:20:00+00:00","article_modified_time":"2024-11-14T17:21:20+00:00","og_image":[{"width":1200,"height":627,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/01\/jumpcloud-logo-2023.png","type":"image\/png"}],"author":"Kate Lake","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kate Lake","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control"},"author":{"name":"Kate Lake","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/f8e192cbcdde7ffa4bc2f96c48ceda78"},"headline":"What Are the Different Types of Access Control?","datePublished":"2022-02-17T18:20:00+00:00","dateModified":"2024-11-14T17:21:20+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control"},"wordCount":2812,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg","keywords":["access control","access management","attribute based access control","role based access control","user management"],"articleSection":["Best Practices","How-To"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control","url":"https:\/\/jumpcloud.com\/blog\/different-types-access-control","name":"What Are the Different Types of Access Control? - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg","datePublished":"2022-02-17T18:20:00+00:00","dateModified":"2024-11-14T17:21:20+00:00","description":"Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each with JumpCloud.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/different-types-access-control"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2019\/04\/ill-authentication-security-tools2x.svg"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/different-types-access-control#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"What Are the Different Types of Access Control?"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/f8e192cbcdde7ffa4bc2f96c48ceda78","name":"Kate Lake","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/46cab796831a4f3fb686940689408879","url":"https:\/\/secure.gravatar.com\/avatar\/49d664ae369f57340f0165a652ddb04b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/49d664ae369f57340f0165a652ddb04b?s=96&d=mm&r=g","caption":"Kate Lake"},"description":"Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud\u2019s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).","sameAs":["https:\/\/jumpcloud.com\/blog"]}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/59299"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=59299"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/59299\/revisions"}],"predecessor-version":[{"id":117437,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/59299\/revisions\/117437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/31097"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=59299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=59299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=59299"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=59299"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=59299"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=59299"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=59299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Requires a strong foundation.<\/strong> Without a strong, centralized foundation, ABAC can be difficult to implement and control. Organizations should have a cloud directory or similar platform that manages the attributes that will drive policies (users, devices, networks, and environmental factors) to successfully implement ABAC.<\/li>\n<\/ul>\n\n\n\n
- Well-suited to cloud and remote environments. <\/strong>ABAC\u2019s ability to account for devices, networks, and environment make it an ideal choice for remote, hybrid-remote, and cloud-first environments. These environments vary widely; ABAC provides a wide range of attributes and customizability that can adequately protect them. <\/li>\n<\/ul>\n\n\n\n
- Security.<\/strong> The ability to create many custom, intelligent policies that account for people, networks, devices, and environment helps IT admins secure their organization holistically. Further, ABAC\u2019s automatic and intelligent implementation ensures accuracy and reduces the risk of human error.<\/li>\n<\/ul>\n\n\n\n
- Efficiency. <\/strong>ABAC automatically applies attributes to policies using business logic, facilitating intelligent policies while still removing the burden of close manual management.<\/li>\n<\/ul>\n\n\n\n
- Easy management and maintenance. <\/strong>Because attributes can exist without larger implications on the organization\u2019s identity management structure, they require less maintenance and upkeep. Where allowing a role to go unmonitored could lead to obscurity in the environment and overallocated access privileges, allowing an attribute to fall out of use doesn\u2019t necessarily have strong implications on the identity management structure.<\/li>\n<\/ul>\n\n\n\n
- Easy granularity.<\/strong> ABAC allows IT admins to create policies independently of roles, which makes it easy to create highly specific and granular policies. Attributes don\u2019t have to affect roles or identity management structures, which allows IT admins to create attributes with as much specificity as they need without creating contingencies or altering the identity management structure.<\/li>\n<\/ul>\n\n\n\n
- Context. <\/strong>This wide range of attributes allows IT admins to account for context and nuance in policy creation, facilitating more intelligent rules driven by business logic. <\/li>\n<\/ul>\n\n\n\n
- Flexibility. <\/strong>ABAC allows IT admins to choose from a wide range of attributes, facilitating flexible policy creation. Attributes can also be created to indicate roles and groups in third-party software, making this access control method friendly to integrations with other identity management solutions.<\/li>\n<\/ul>\n\n\n\n
- Limited scope.<\/strong> As its name suggests, role-based access control is based wholly on roles. This can be limiting, as not every policy intuitively aligns with role. For instance, policies around which Wi-Fi networks users can access may not naturally align with their role in their organization. Creating new roles to account for this factor is an example of how RBAC can lead to role sprawl.<\/li>\n<\/ul>\n\n\n\n
- Security risk.<\/strong> Failing to manage a role-dependent access environment can lead to decreased visibility, overallocated permissions, and a weak identity management posture \u2014 all of which generate significant risk.<\/li>\n<\/ul>\n\n\n\n
- High management overhead.<\/strong> RBAC\u2019s tendency to complicate identity management environments necessitates close management, especially in dynamic environments. This means IT will have to be involved with role creation and changes (which could have otherwise been left up to HR and individual departments) as well as close ongoing maintenance of roles and policies in place. <\/li>\n<\/ul>\n\n\n\n
- Affects identity management structures. <\/strong>RBAC\u2019s dependency on user roles means IT admins often must create or alter roles to implement access policies. This can quickly lead to a sprawling core identity management structure. The ability to nest roles further complicates this dependency and can lead to unmanaged roles and security blind spots if not properly managed. <\/li>\n<\/ul>\n\n\n\n
- Not suited to granular policies.<\/strong> Because new policies often necessitate role creation, RBAC doesn\u2019t lend itself to granular policies. This can decrease security and process efficiency; for example, an enterprise resource planning (ERP) system might not be able to implement efficient processes without granular roles. By contrast, ABAC\u2019s application of business logic allows for granular specificity without implications on the core identity management structure. <\/li>\n<\/ul>\n\n\n\n
- Easy maintenance in static environments.<\/strong> In static environments without much personnel movement or scaling, RBAC can form a reliable foundation that automatically assigns and applies the right permissions to subjects.<\/li>\n<\/ul>\n\n\n\n
- Automation. <\/strong>Role-based access control rules can be applied automatically. This streamlines scaling and management when compared to manual methods like MAC and DAC. Further, changing access configurations can be done en masse by changing the permissions of a role, reducing policy configuration time.<\/li>\n<\/ul>\n\n\n\n
- Intuitive policies.<\/strong> Although policies can become convoluted in complex environments, RBAC policies are typically derived from tangible user parameters, like a department, leadership level, or branch. This makes policy creation more intuitive.<\/li>\n<\/ul>\n\n\n\n
- Centralized management.<\/strong> Role-based security keeps access management in IT\u2019s hands, which helps maintain consistency, security, and compliance. <\/li>\n<\/ul>\n\n\n\n
- Lack of security.<\/strong> This lack of dynamic policies can create security gaps. For reliable security, systems need the intelligence to detect abnormal activity based on more than a list of rules. While RuBAC can be an advantageous security supplement, the nuances of role-based and attribute-based access control provide more complete security against modern, intelligent threats. <\/li>\n<\/ul>\n\n\n\n
- Rigidity. <\/strong>While RuBAC policies are open-ended and wide in scope, their strict adherence to rule lists fails to account for business logic and nuance. This makes RuBAC environments less dynamic than attribute-based access control (ABAC) environments.<\/li>\n<\/ul>\n\n\n\n
- Scope. <\/strong>Rules can be created around events and other criteria that extend beyond roles and attributes.<\/li>\n<\/ul>\n\n\n\n
- Flexibility. <\/strong>The if-then structure of RuBAC policies makes them fairly open-ended, allowing IT administrators the flexibility to create customized and granular rules. <\/li>\n<\/ul>\n\n\n\n
- Centralized security. <\/strong>Only system administrators can create and set rules, which helps keep the IT environment consistent and secure. <\/li>\n<\/ul>\n\n\n\n
- Difficult scaling and maintenance. <\/strong>Because system administrators are responsible for making all access control changes, organizational changes, new hires, new projects that generate many documents, and other large-scale events put a significant burden on the IT team. To minimize this maintenance, system administrators need to keep a thorough, updated record of all resources and their permissions.<\/li>\n<\/ul>\n\n\n\n
- Manual burden.<\/strong> With MAC, system administrators have to assign attributes to all resources and users manually. System administrators are also the only ones who can change access control settings, so they\u2019re tasked with manually fulfilling all access requests.<\/li>\n<\/ul>\n\n\n\n
- Rigid format. <\/strong>In fluid or frequently changing organizations that don\u2019t have a finite number of global, static security levels, MAC can be too rigid.<\/li>\n<\/ul>\n\n\n\n
- Principle of least privilege. <\/strong>MAC strictly enforces the principle of least privilege (PLP)<\/a>, a cornerstone of Zero Trust security<\/a>. In government organizations, this is often referred to as \u201cneed to know\u201d \u2014 information is only shared with those who need to know it to complete their work. <\/li>\n<\/ul>\n\n\n\n
- High security and consistency. <\/strong>MAC restricts the user\u2019s ability to control access policies, even for resources they create; instead, MAC keeps this capability with a centralized security or IT admin team to be enforced by the systems themselves. This keeps security and consistency high. <\/li>\n<\/ul>\n\n\n\n
- Lack of security.<\/strong> DAC doesn\u2019t enforce access control standards, and it allows users to change access parameters on a per-resource basis \u2014 both of which almost guarantee inconsistency, and, subsequently, insecurity. Placing access control in users\u2019 hands implicitly trusts every user, which can create vulnerabilities. <\/li>\n<\/ul>\n\n\n\n
- Inability to scale.<\/strong> Because DAC requires users to manually apply controls per individual resource, it is not suited to high-volume resource creation. This can be a hindrance to users upon project creation, for example. Further, adding or removing users from the environment can complicate assigned access. Granting one new employee access to all the resources they need (which might be owned by different people) could be a time-consuming and convoluted process from the start; doing so for an entire new team could present significant challenges.<\/li>\n<\/ul>\n\n\n\n
- Poor resource management.<\/strong> DAC\u2019s lack of consistency also complicates resource management, as it doesn\u2019t work with a central source of truth that tracks all resources (like a cloud directory platform<\/a> does). This makes onboarding and offboarding difficult, as access would need to be given and revoked manually, per resource. This can become a security problem if employees are accidentally allowed to keep access to resources after leaving the organization. It also allows for the possibility that an employee may be the sole owner of a resource and its access rights, rendering it inaccessible if they are absent or leave the organization. <\/li>\n<\/ul>\n\n\n\n
- Increased user burden.<\/strong> Because DAC places access control assignment on the user, they experience additional friction when creating and sharing resources. <\/li>\n<\/ul>\n\n\n\n
- Decreased IT burden.<\/strong> Allowing users to set access parameters for resources removes the burden of doing so from IT. With IT teams often stretched thin<\/a>, DAC can be a welcome supplement, especially for low-risk resources (like user-generated text documents) that don\u2019t require high-security controls.\u00a0<\/li>\n<\/ul>\n\n\n\n
- Flexibility.<\/strong> DAC is flexible, as it allows users to set access parameters for each resource. Resource-by-resource access assignment leaves room for flexible roles or a lack of formal roles. This makes DAC well-suited to small companies without consistent, established processes and where users wear many hats. <\/li>\n<\/ul>\n\n\n\n
- ABAC<\/a>:<\/strong> Attribute-based access control <\/li>\n<\/ul>\n\n\n\n
- RBAC<\/a>:<\/strong> Role-based access control<\/li>\n<\/ul>\n\n\n\n
- RuBAC<\/a>: <\/strong>Rule-based access control<\/li>\n<\/ul>\n\n\n\n
- MAC<\/a>: <\/strong>Mandatory access control<\/li>\n<\/ul>\n\n\n\n
- Objects<\/strong> are the entities that receive<\/em> access \u2014 like networks and files.<\/li>\n<\/ul>\n\n\n\n
- Subjects<\/strong> are the entities that do <\/em>the accessing \u2014 like users and applications.<\/li>\n\n\n\n