Access Control Models and Principles

To allow users to access all data in the system

To restrict all users from accessing any data

To ensure users have only the permissions necessary for their job

To provide users with administrator access by default

The IT support team

The individual user

The data owner

The system administrator

Permissions are based on job roles

The data creator controls access

Access is determined by system-enforced rules

Permissions are assigned based on attributes

It is based on job roles

It requires administrator intervention for every access request

It uses system-enforced rules

It relies on individual users to set security controls

Through system-enforced rules

By evaluating multiple criteria

By the data creator's discretion

Based on the user's job function

To allow users to set their own permissions

To create groups and assign permissions to these groups

To assign permissions directly to each user

To enforce rules based on attributes

It evaluates multiple criteria for access

It is based on job roles

It allows users to control their own access

It uses system-enforced rules for access decisions

Discretionary Access Control

Role-Based Access Control

Attribute-Based Access Control

Mandatory Access Control

It relies on the data creator for access decisions

It uses a single criterion for access

It combines multiple criteria for access decisions

It is based solely on job roles

Mandatory Access Control

Rule-Based Access Control

Role-Based Access Control

Discretionary Access Control