Access Control Methods
Authentication, authorization, and accounting (AAA) are the three main components of access control. Authentication answers the question, "Who are you?" Authorization answers the question, "What are you allowed to access?" Accounting answers the question, "What did you do in the system?" Together, these components help ensure that only authorized users have access to sensitive information and resources.
This section will focus on the different methods of access control, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Each method has its own strengths and weaknesses, and understanding these differences is crucial for implementing effective security measures.
Discretionary Access Control (DAC)
Discretionary access control (DAC) is a type of access control where the owner of a resource has the ability to determine who can access it. In DAC, users are granted permissions based on their identity and the resources they own. This means that users can grant or revoke access to their resources at their discretion. DAC is often used in environments where users need to share resources with others, such as in a collaborative work environment. However, it can also lead to security risks if users are not careful about who they grant access to.
Advantages of DAC:
- Flexibility: Users can easily grant and revoke access to their resources.
- Simplicity: DAC is easy to understand and implement.
- User control: Users have control over their own resources and can manage access as needed.
Disadvantages of DAC:
- Security risks: Users may inadvertently grant access to unauthorized users.
- Lack of centralized control: There is no central authority to manage access permissions, which can lead to inconsistencies and security gaps.
- Complexity: As the number of users and resources increases, managing access permissions can become complex and difficult to maintain.
Google Drive uses DAC to manage access to files and folders. For example, I created a file in my Google Drive. As shown in the screenshot below, I can share the file with anybody on the internet. My employer might not be happy with me sharing this file with the world, but there is nothing stopping me from doing so. I can also share the file with specific people, and I can set their permissions to view, comment, or edit.

Mandatory Access Control (MAC)
Mandatory access control (MAC) is a type of access control where access permissions are determined by a central authority based on the classification of the resource and the user's security clearance. In MAC, users cannot change access permissions; they can only access resources based on their assigned security level. MAC is often used in environments where security is a top priority, such as government and military organizations. It provides a higher level of security than DAC, but it can also be more complex to implement and manage.
Advantages of MAC:
- High security: MAC provides a high level of security by enforcing strict access controls based on security classifications.
- Centralized control: A central authority manages access permissions, reducing the risk of unauthorized access.
- Consistency: Access permissions are consistent across the organization, reducing the risk of security gaps.
Disadvantages of MAC:
- Complexity: Implementing and managing MAC can be complex and time-consuming.
- Inflexibility: Users cannot change access permissions, which can limit collaboration and resource sharing.
- User resistance: Users may resist the restrictions imposed by MAC, leading to frustration and decreased productivity.
Consider the following example of MAC. Employees in the federal government (Alice, Bob, and Eve) have different clearances. Alice has a Secret clearance. Bob has a Top Secret clearance with the Nuclear compartment. Eve has a Top Secret clearance. The diagram below shows which files Alice, Bob, and Eve can access. Note that because Eve has a Top Secret clearance, she can access everything at or below her clearance level. However, she cannot access the Nuclear compartment because she does not have that compartment clearance. Managing clearances and compartments can be complex. Also, the permissions to each file need to be set.
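The clearance check described above can be written as a single rule: the user's level must be at or above the file's level, and the user must hold every compartment the file carries. The following is an added example, not part of the original text; the file names and their classifications are constructed for illustration.

```python
from dataclasses import dataclass

# Ordered sensitivity levels; a higher index means more sensitive.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(clearance: Label, classification: Label) -> bool:
    """True when the clearance is at or above the file's level AND
    holds every compartment the file is tagged with."""
    high_enough = LEVELS.index(clearance.level) >= LEVELS.index(classification.level)
    return high_enough and classification.compartments <= clearance.compartments

# Clearances as given in the text.
USERS = {
    "Alice": Label("Secret"),
    "Bob": Label("Top Secret", frozenset({"Nuclear"})),
    "Eve": Label("Top Secret"),
}

# Constructed sample files; names and labels are hypothetical.
FILES = {
    "cafeteria_menu.txt": Label("Unclassified"),
    "troop_rotation.doc": Label("Secret"),
    "satellite_tasking.doc": Label("Top Secret"),
    "warhead_inventory.doc": Label("Top Secret", frozenset({"Nuclear"})),
}

def readable_files(user: str) -> list:
    """Files the central policy lets this user open; users cannot alter it."""
    return sorted(name for name, label in FILES.items() if dominates(USERS[user], label))

if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: {readable_files(user)}")
```

Note that nothing in this model lets Alice, Bob, or Eve edit `USERS` or `FILES`; only the central authority that maintains those tables can change who sees what.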

Role-Based Access Control (RBAC)
Role-based access control (RBAC) is a type of access control where access permissions are based on the user's role within the organization. In RBAC, users are assigned to roles, and each role has specific access permissions associated with it. This means that users can only access resources that are relevant to their role. RBAC is often used in environments where users have different responsibilities and need different levels of access to resources. For example, in a healthcare organization, doctors may have access to patient records, while administrative staff may only have access to scheduling information. Often, companies implement RBAC using Active Directory (AD). AD contains all user accounts in an organization. The IT department creates a Security Group for each role and assigns users to the appropriate groups. The IT department then sets up permissions on resources so that only members of the appropriate group can access them. Users can be members of multiple groups, and the permissions are cumulative. For example, if a user is a member of both the "Accountants" and "Managers" groups, they will have access to all resources that are available to either group.
Advantages of RBAC:
- Simplified management: RBAC simplifies access management by grouping users into roles, making it easier to manage access permissions.
- Improved security: RBAC reduces the risk of unauthorized access by ensuring that users only have access to resources relevant to their role.
- Flexibility: RBAC can be easily adapted to changing organizational needs by adding or modifying roles.
- Scalability: RBAC can scale to accommodate large numbers of users and resources, making it suitable for organizations of all sizes.
Disadvantages of RBAC:
- Complexity: Implementing and managing RBAC can be complex, especially in large organizations with many roles and resources.
- Role explosion: As the number of roles increases, managing access permissions can become cumbersome and difficult to maintain.
- Inflexibility: RBAC may not be suitable for environments where users need to frequently change roles or access permissions.
- User resistance: Users may resist the restrictions imposed by RBAC, leading to frustration and decreased productivity.
For example, consider a company that uses RBAC to manage access to its files. The company has accountants. The accountants need access to specific folders. The Information Technology (IT) department creates a Security Group (i.e., a role) called "Accountants." The IT department sets up the permissions on each folder so that only members of the "Accountants" group can access the folders. When an accountant joins the company, the IT department adds them to the "Accountants" group. The accountant can then access the folders without needing to request access each time. When an employee leaves the company, the IT department removes them from the "Accountants" group. This ensures that the employee no longer has access to the folders. The following diagram illustrates the RBAC model. It is important to note that any time changes to permissions are made, the IT department must be involved. This is a key difference between RBAC and DAC.
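The group-based model above, including cumulative permissions and the joiner/leaver steps, can be sketched as follows. This is an added example, not part of the original text and not Active Directory's API; the `Directory` class, the user names, and the folder paths are hypothetical.

```python
class Directory:
    """Minimal stand-in for a directory service with security groups."""

    def __init__(self, admins):
        self.admins = set(admins)   # IT staff allowed to change anything
        self.groups = {}            # group name -> set of member names
        self.folder_acl = {}        # folder -> set of groups allowed in

    def _require_admin(self, actor):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not in IT; nothing was changed")

    def add_member(self, actor, group, user):
        self._require_admin(actor)
        self.groups.setdefault(group, set()).add(user)

    def remove_member(self, actor, group, user):
        self._require_admin(actor)
        self.groups.get(group, set()).discard(user)

    def grant_folder(self, actor, folder, group):
        self._require_admin(actor)
        self.folder_acl.setdefault(folder, set()).add(group)

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def accessible_folders(self, user):
        """Cumulative access: a folder is reachable via any of the user's groups."""
        mine = self.groups_of(user)
        return sorted(f for f, allowed in self.folder_acl.items() if allowed & mine)


def demo():
    d = Directory(admins={"it_admin"})
    d.grant_folder("it_admin", "/finance/ledgers", "Accountants")
    d.grant_folder("it_admin", "/hr/reviews", "Managers")
    d.add_member("it_admin", "Accountants", "dana")
    d.add_member("it_admin", "Managers", "dana")
    d.add_member("it_admin", "Accountants", "lee")
    results = {"dana": d.accessible_folders("dana"), "lee": d.accessible_folders("lee")}
    try:  # Unlike DAC, a regular user cannot hand out access, even to themselves.
        d.add_member("lee", "Managers", "lee")
        results["self_add_blocked"] = False
    except PermissionError:
        results["self_add_blocked"] = True
    d.remove_member("it_admin", "Accountants", "lee")  # lee leaves the company
    results["lee_after_leaving"] = d.accessible_folders("lee")
    return results
```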

Case: Signalgate
Signal is a popular messaging app that is known for its strong encryption and privacy features. The app is considered secure, but the security depends on its users employing best practices. In March 2025, United States Secretary of Defense Pete Hegseth added a journalist to a Signal group chat. In that chat, it is alleged that sensitive (and possibly classified) information was shared. It is unclear if the journalist was intended to be part of the chat, or if he was added by mistake.
Because Secretary Hegseth was able to add the journalist to the chat, it is likely that the chat was set up using discretionary access control. In this case, the Secretary of Defense had the ability to add users to the chat at his discretion. This could lead to security risks if users are not careful about who they grant access to. Is discretionary access control the best method for this type of chat? Possibly.

Source: visuals6x - stock.adobe.com
Hypothetical Scenario
Imagine that the United States National Security Agency (NSA) received compelling intelligence that a foreign government had launched an attack on the United States. Within 30 minutes, bombs could be falling on United States soil. Here is what that scenario might look like using different access control methods:
- Discretionary Access Control: The NSA Director could add the President of the United States to a chat with the Secretary of Defense and the Joint Chiefs of Staff. The President could then add the Vice President and other key members of the Cabinet. This would allow for rapid communication and decision-making in a crisis situation.
- Mandatory Access Control: The NSA Director could create a chat in which only people with Top Secret clearance could participate. This would ensure that only authorized individuals had access to sensitive information. However, it could also slow down decision-making if the Director needed to wait for approval from a central authority before adding new members to the chat. For example, a person with key information might lack the required clearance. The Director would need to wait for the person to be cleared before adding them to the chat. This could take time, and in a crisis situation, every second counts.
- Role-Based Access Control: The NSA Director could create a chat that only people in the "Major Crisis" security group could access. If anybody needed access to the chat, those people would need to be added to the "Major Crisis" security group. This could slow down decision-making in a crisis situation.
Of the three options, DAC gives the NSA Director the most flexibility. However, it also carries the most risk. The other methods require more planning and preparation, but they also provide a higher level of security. The NSA might choose to streamline the process of adding users to security groups or providing temporary clearances in a crisis situation. This would allow for rapid communication and decision-making while still maintaining a high level of security.
Reflection
- If you were the president of a company, would you use DAC or RBAC to manage access to sensitive information? Why?
- What kind of training would you provide to employees before allowing them to use DAC?
- What kind of approval processes would you put in place to approve group members in an RBAC system?
Key Terms
- Authentication: The process of verifying the identity of a user or system before granting access to resources or information.
- Authorization: The process of determining whether a user has permission to access a resource or perform an action.
- Discretionary Access Control (DAC): A type of access control where the owner of a resource has the ability to determine who can access it. Users can grant or revoke access to their resources at their discretion.
- Mandatory Access Control (MAC): A type of access control where access permissions are determined by a central authority based on the classification of the resource and the user's security clearance. Users cannot change access permissions; they can only access resources based on their assigned security level.
- Role-Based Access Control (RBAC): A type of access control where access permissions are based on the user's role within the organization. Users are assigned to roles, and each role has specific access permissions associated with it.