Authorization Models: RBAC, MAC, and DAC
Compare role-based, mandatory, and discretionary access control models and learn when each is appropriate in enterprise and government contexts.
Access Control Models Overview
Access control models define the rules and policies that govern which subjects (users, processes) can access which objects (files, systems, data). The model chosen determines who can grant access, how permissions are assigned, and how enforcement works. The Security+ exam covers four primary models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Rule-Based Access Control. Understanding each model's strengths and appropriate use cases is essential for designing effective authorization systems.
Discretionary Access Control (DAC)
In Discretionary Access Control (DAC), the resource owner has discretion over who can access their resources and can grant or revoke access to other users. The 'discretionary' aspect is that owners decide; the system enforces their decisions but does not dictate them, and no administrator needs to be involved in a grant. This is the model used in most personal computing and general-purpose server environments (Windows NTFS permissions, Linux/Unix mode bits and POSIX ACLs). The security limitation of DAC is that it relies on every resource owner making correct access decisions, and it controls access to objects rather than the flow of information. A user who has been granted read access cannot change the owner's ACL, but nothing stops them from copying the contents into a file they own and granting others access to the copy, so sensitive data can spread beyond the audience the original owner intended. That lack of information-flow control is the gap that mandatory access control was designed to close.
# DAC example: Linux file permissions (owner controls access)
# Create a file and check the default permissions it receives from the umask
touch confidential_data.txt
ls -l confidential_data.txt
# -rw-rw-r-- 1 alice users ... (umask 002: owner=alice read/write; group read/write; others read)
# With the more common umask 022 the default is -rw-r--r-- (group and others read-only)
# Owner (Alice) discretionarily removes all access for group and others
chmod 600 confidential_data.txt
# -rw------- 1 alice users (only Alice can read/write)
# Alice grants read to one specific user via a POSIX ACL (needs the acl package; no admin involved)
setfacl -m u:bob:r confidential_data.txt
# Verify: getfacl shows the named-user entry for bob and the mask that caps it
getfacl confidential_data.txt
# Bob can now read the file but cannot alter its ACL; he can, however, cp it and share the copy he owns
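The shell commands above show the mechanism on a real filesystem, but the weakness described in the DAC paragraph is easiest to see end to end in a small simulation. The following Python reference monitor is an added example written for this lesson, not code from the course or from any operating system: objects carry an owner and an ACL, only the owner may grant or revoke (the discretionary rule), and the scenario at the bottom walks through Bob, who was granted read only, copying the contents into an object he owns and sharing it with Carol. The subject names, file names and contents are constructed for illustration.

```python
"""Minimal DAC reference monitor (added example; constructed subjects and data).

Only an object's owner can change its ACL.  The monitor enforces the ACL
faithfully, yet a reader can still leak the data by copying it into an
object they own, because DAC controls access to objects, not information flow.
"""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when the ACL does not authorize the requested operation."""


@dataclass
class Obj:
    owner: str
    content: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions


class DACMonitor:
    def __init__(self):
        self.objects = {}                       # object name -> Obj

    def create(self, subject, name, content):
        # The creator becomes the owner and starts with full rights.
        self.objects[name] = Obj(owner=subject, content=content,
                                 acl={subject: {"read", "write"}})

    def _check(self, subject, name, perm):
        obj = self.objects[name]
        if perm not in obj.acl.get(subject, set()):
            raise AccessDenied(f"{subject} lacks {perm} on {name}")
        return obj

    def read(self, subject, name):
        return self._check(subject, name, "read").content

    def grant(self, requester, name, subject, perm):
        # Discretionary rule: only the owner may extend the ACL.
        obj = self.objects[name]
        if requester != obj.owner:
            raise AccessDenied(f"{requester} does not own {name}")
        obj.acl.setdefault(subject, set()).add(perm)

    def revoke(self, requester, name, subject):
        obj = self.objects[name]
        if requester != obj.owner:
            raise AccessDenied(f"{requester} does not own {name}")
        obj.acl.pop(subject, None)


def leak_scenario():
    """Alice shares with Bob only; Bob re-shares a copy with Carol."""
    m = DACMonitor()
    m.create("alice", "confidential_data.txt", "Q3 acquisition target (constructed)")
    m.grant("alice", "confidential_data.txt", "bob", "read")

    # Enforcement works as intended on the original object: Carol is refused.
    try:
        m.read("carol", "confidential_data.txt")
        carol_direct = True
    except AccessDenied:
        carol_direct = False

    # Bob cannot touch Alice's ACL, so a naive re-grant is refused ...
    try:
        m.grant("bob", "confidential_data.txt", "carol", "read")
        bob_can_regrant = True
    except AccessDenied:
        bob_can_regrant = False

    # ... but nothing stops him copying what he legitimately read into an
    # object he owns and granting Carol access to that.
    m.create("bob", "copy.txt", m.read("bob", "confidential_data.txt"))
    m.grant("bob", "copy.txt", "carol", "read")
    original = m.objects["confidential_data.txt"].content
    carol_via_copy = m.read("carol", "copy.txt") == original

    return {"carol_direct": carol_direct,
            "bob_can_regrant": bob_can_regrant,
            "carol_via_copy": carol_via_copy}


if __name__ == "__main__":
    print(leak_scenario())
```

Running `leak_scenario()` returns `carol_direct=False` and `bob_can_regrant=False` (the ACL and the owner-only rule both hold) but `carol_via_copy=True`: Alice's data reached a subject she never authorized, without any rule of the monitor being broken. This is exactly what happens on Linux when Bob runs `cp confidential_data.txt ~/copy.txt` after the `setfacl` above, since the copy is owned by Bob.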