{"id":59299,"date":"2022-02-17T13:20:00","date_gmt":"2022-02-17T18:20:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=59299"},"modified":"2024-11-14T12:21:20","modified_gmt":"2024-11-14T17:21:20","slug":"different-types-access-control","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/different-types-access-control","title":{"rendered":"What Are the Different Types of Access Control?"},"content":{"rendered":"\n
While access control via physical barriers, like locked doors, may still have a place in the workplace, the rise of remote and hybrid work has made access control critical for protecting digital and cloud-based assets. Strong digital access controls are now vital to security in a work-from-anywhere environment.<\/p>\n\n\n\n
However, access control is not one-size-fits-all: company size, function, existing infrastructure, and other factors influence how a business should control access to its resources. In this article, we\u2019ll outline the most common access control methodologies and explore the advantages and drawbacks of each. Check out this access control case study<\/a> for even more information.<\/p>\n\n\n\n
Quick Definitions<\/h2>\n\n\n\n
Before diving into the different types of access control, let\u2019s define a few terms and acronyms you\u2019ll see throughout this article.<\/p>\n\n\n\n
Discretionary Access Control<\/h2>\n\n\n\n
Discretionary access control (DAC) assigns privileges based on rules specified by users. Most file systems default to DAC: the creator of a file is given control over it and can then grant access to others. Creators typically retain full control over these settings and can change them at any time. Note that DAC systems usually also have a super admin role that can override a user\u2019s ownership.<\/p>\n\n\n\n
Discretionary Access Control Example<\/h3>\n\n\n\n
Windows and macOS file systems default to DAC: a user is automatically assigned ownership of a file they create, allowing them to view, edit, and share the file at their discretion.<\/p>\n\n\n\n
Discretionary Access Control Benefits<\/h3>\n\n\n\n
Discretionary Access Control Drawbacks<\/h3>\n\n\n\n
While taking the burden off of IT can help IT teams in the short run, this lack of centralized management can generate problems down the road. If IT ever decides to change its access control approach or needs to centralize resources, it will likely have a hard time doing so when users have created and assigned access ad hoc.<\/p>\n\n\n\n
Environments where users can share data at will, without supervision, are particularly susceptible to ransomware. User-driven access also obscures central visibility and control, which prevents IT administrators from managing all of the organization\u2019s resources and poses additional security risk: IT admins cannot mitigate threats to resources they don\u2019t know about or can\u2019t access.<\/p>\n\n\n\n
Mandatory Access Control<\/h2>\n\n\n\n
With mandatory access control (MAC), the operating system enforces access permissions and restrictions that are defined by a system administrator and based on hierarchical security levels. Administrators configure access rules by assigning security levels to both subjects and objects; a subject can access any object whose level is equal to or lower than its own, in accordance with the prescribed hierarchy.<\/p>\n\n\n\n
Mandatory Access Control Example<\/h3>\n\n\n\n
MAC\u2019s format is well-suited to environments with global levels of security, like government organizations, where restrictions are based on clearance level. In such an environment, a document could be assigned a \u201ctop secret\u201d security level, and only users with top secret clearance would be able to access it.<\/p>\n\n\n\n
Mandatory Access Control Benefits<\/h3>\n\n\n\n
Mandatory Access Control Drawbacks<\/h3>\n\n\n\n
Rule-Based Access Control<\/h2>\n\n\n\n
Rule-based access control (RuBAC) uses lists of rules that define access parameters. RuBAC rules are global: they apply to all subjects equally. This makes them well-suited to networking equipment like firewalls and routers, as well as to environments that require strict global policies, like content filtering. Typically, RuBAC policies don\u2019t allow implicit access; instead, they operate on an implicit-deny basis, granting access only where a rule explicitly says to do so. (Note that some systems can modify these rules.)<\/p>\n\n\n\n
Rule-Based Access Control Example<\/h3>\n\n\n\n
A firewall might be given a list of white-listed IP addresses and grant access only to those addresses.<\/p>\n\n\n\n
Rule-Based Access Control Benefits<\/h3>\n\n\n\n
Rule-Based Access Control Drawbacks<\/h3>\n\n\n\n
Role-Based Access Control<\/h2>\n\n\n\n
Role-based access control (RBAC) uses roles and user groups to determine access privileges. With RBAC, system administrators assign roles to subjects and configure access permissions at the role level. From there, systems can automatically grant or deny access to objects based on the subject\u2019s role.<\/p>\n\n\n\n
With RBAC, the privileges mapped to a role tend to remain static, while the roles assigned to subjects change more frequently. For example, people may move in and out of a managerial role, but the access privileges granted to managers tend to stay the same. In an environment without much change, this can create a successful set-it-and-forget-it access control process; in an environment where people and roles change frequently, RBAC can quickly become a headache.<\/p>\n\n\n\n
Role-Based Access Control Example<\/h3>\n\n\n\n
A system administrator could restrict access to financial data to C-suite users and the finance team. If someone transferred from the sales department to the finance department, their role change might revoke their CRM access while granting them access to financial data.<\/p>\n\n\n\n
Role-Based Access Control Benefits<\/h3>\n\n\n\n
Role-Based Access Control Drawbacks<\/h3>\n\n\n\n
Attribute-Based Access Control<\/h2>\n\n\n\n
Attribute-based access control (ABAC), also known as policy-based access control, is similar to role-based access control, except that it uses the broader and more flexible attribute<\/em> rather than the role<\/em> to form policy rules. While a user in a typical role-driven identity management structure may be assigned one or two roles, like remote worker<\/em> and admin<\/em>, they could be assigned an essentially limitless number of attributes that define and qualify their access parameters. These attributes need not affect their position in the organization\u2019s identity management structure.<\/p>\n\n\n\n
ABAC evaluates attributes at the time of the attempted login. Because attributes can span a wide array of information, ABAC policies can account for context and real-time information, like the user\u2019s location at the time of login.<\/p>\n\n\n\n
Overall, ABAC supports complex rules that allow IT admins to create contextual, strategic policies. This makes it a great candidate for disparate and highly variable cloud environments.<\/p>\n\n\n\n
Attribute-Based Access Control Example<\/h3>\n\n\n\n
Attributes can be created to define the scope of someone\u2019s access, like an office branch<\/em> attribute that informs their badge access and Wi-Fi permissions. Attributes can also be created to carry over integration information: for example, JumpCloud makes users\u2019 AWS role names an attribute as part of its SSO integration with AWS<\/a> so that this information carries over.<\/p>\n\n\n\n
In addition, conditional access policies are often attribute-based: for example, if a user logs in from a trusted device and<\/em> from a trusted geographical location, then the user may be granted access.<\/p>\n\n\n\n
Attribute-Based Access Control Benefits<\/h3>\n\n\n\n
Attribute-Based Access Control Drawbacks<\/h3>\n\n\n\n
Which Access Control Model Is Right for My Environment?<\/h2>\n\n\n\n
Businesses should look for solutions that uphold Zero Trust<\/a> by applying the principle of least privilege (PLP) at every access point. This requires an access control strategy that can associate users with permission levels, which includes MAC, RuBAC, RBAC, and ABAC.<\/p>\n\n\n\n
MAC is a highly specialized strategy that applies well to government and military structures but falls short elsewhere. RuBAC can apply PLP to an extent, but its rigid format makes it less dynamic than RBAC and ABAC, and therefore less able to apply PLP intelligently. RuBAC may be sufficient for certain parts of your environment, like firewalls and email content filtering.<\/p>\n\n\n\n
RBAC is common in popular market solutions. However, as the world becomes more remote and cloud-first, ABAC\u2019s intuitive policy creation and maintenance are making it the more secure and efficient choice. ABAC\u2019s flexibility also allows it to integrate easily with third-party platforms that use RBAC by associating roles with attributes.<\/p>\n\n\n\n
To learn more about why ABAC wins out against other access control methods, check out our blog, The Immediate Benefits of Attribute-Based Access Control<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Learn about discretionary, mandatory, rule-based, role-based, and attribute-based access control. Compare advantages and drawbacks of each.<\/p>\n","protected":false},"author":144,"featured_media":31097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[23,2781],"tags":[2647,2500,2649,2650,2648],"collection":[2779,2780],"platform":[],"funnel_stage":[3016],"coauthors":[2532],"acf":[],"yoast_head":"\n