Role-based Access Control
The Role-based Access Control (Role-BAC or RBAC) model uses roles or groups to determine access. Subjects are placed into specific roles and object permissions are granted to the roles. Although the Role-BAC model doesn’t provide the granularity offered by DAC, it is easier to implement for large groups of people.
Rule-based Access Control
The Rule-based Access Control model is another non-DAC model. Administrators create rules that determine access to resources. As an example, routers have rules within an ACL. These rules identify what traffic the router will pass based on IP addresses, ports, and protocols.
Mandatory Access Control
The Mandatory Access Control (MAC) model is a non-DAC model that uses labels to identify both subjects and objects. It provides the highest level of security among the models (MAC, DAC, Role-BAC, Rule-BAC, and ABAC) and is commonly used by the U.S. military to ensure that data is protected in mission-critical systems.
The U.S. government uses the following classifications for data, from highest to lowest:
• Top Secret
• Secret
• Confidential
• Unclassified
Having a Top Secret clearance does not automatically grant someone access to all Top Secret data. Instead, data owners authorize access based first on the subject's Top Secret security clearance, and second on the subject's need to know the information for their job. Additionally, it's possible to create subclassifications or compartments within each classification level.
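The clearance-plus-need-to-know check described above, placed next to a minimal Role-BAC lookup for contrast, as an added Python example that is not part of the original text; the users, roles, compartment names and permission strings are constructed for illustration:

```python
from dataclasses import dataclass, field

# Classification levels from the text, ordered lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a classification level plus zero or more compartments.

    The same type labels a subject (its clearance) and an object (its data).
    """
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates a data label only when its level is at least
        # as high AND it carries every compartment the data carries. The
        # compartment test is what enforces need to know: a Top Secret
        # clearance alone does not open Top Secret data in a compartment.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Read access under MAC: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


# Role-BAC for comparison: permissions attach to roles, subjects are placed
# into roles. Role and permission names below are constructed examples.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, permission: str) -> bool:
    """A subject holds a permission if any of its roles grants it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    ts_clearance = Label("Top Secret")
    ts_alpha_doc = Label("Top Secret", frozenset({"ALPHA"}))
    print(mac_can_read(ts_clearance, ts_alpha_doc))  # False: no need to know for ALPHA
    print(rbac_allowed("alice", "write:reports"))    # False: analyst role lacks it
```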
The MAC model is a non-DAC model that uses labels to control access to data. It is the most secure model when compared to other access control models.