The 21st century has brought change to all aspects of business. One important aspect is security. In the past, traditional methods such as using a guard to prohibit unwanted people from entering sensitive areas of the company with sensitive information would work quite well. Nowadays due to the widespread use of the internet, there is a great need to incorporate new security measures. This article explains the different types of access control. Before we start explaining the different access control types, let us first define the term access control.

What is Access Control

Access control is the process of identifying a person and determining their level of security access to either electronic systems or physical sites based on the policies and procedures set by the organization.


Types of Access control

The access control type to be chosen must be based upon the type and sensitivity of the data that the organization is processing. Older access models are the discretionary access control, and mandatory access control. The role based access control model is the most common model today, and the most recent model is known as the attribute based access control.

1.      Discretionary Access Control (DAC)

In this access control type, the data owner decides on access. It is a means of assigning access rights based on the rules specified by the users. This is suitable for small premises with one, or two doors. It allows and individual complete control over any objects they own. Of all the models that are available, this is the least restrictive.

An example is lending the user a key card, or telling the user a pre-determined code. This model is therefore unsuitable for large premises and premises that protect sensitive information where there is a need for the levels of access to be delegated and/or monitored.

2.      Mandatory Access Control (MAC)

This is an access control type that was developed using a non-discretionary model. In this model, users are granted access based on information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority, typically the administrator. The users are then granted a status which allows them to gain entry through some points of access but not others. This is based on the established security guidelines.

Since this system gives individual labels to each end user, this system is best utilised in premises with a small number of employees. In addition, premises with a low employee turnover will be best suited for this. This is because any new employee will need to be individually assigned access to each secured area, relative to their position in the company.

3.      Role Based Access Control (RBAC)

This is the most sought after type of access control type in businesses. With a RBAC system, the access is determined by a system administrator. It is based upon the role of the end user within the business. This therefore means that access privileges are defined by the limitations of their job responsibility.

This means that, for instance instead of assigning an individual as a security manager, and granting access to them based on each secured area that is relevant to them, the security manager position will already have access control permissions assigned to it.

This means that instead of the system administrator assigning permission to multiple individuals, they only need to assign permissions to specific job titles.

The RBAC system is best utilised in large organisations that require extensive security.

4.      Attribute Based Access Control (ABAC)

In the ABAC access control type, each resource and user are designed with a set of attributes. In this dynamic method, a comparative assessment of the user’s attributes, including the time of day, position and location are used to make a decision on access to a resource.

It is very important for organizations to decide which type of access control is most appropriate for them based on the data sensitivity present, as well as the operational requirements for the data access. Organisations that process personally identifiable information or other sensitive types of information such as the Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI) data, must make access control a core capability in their security architecture.


Access Control Components

The main components that are usually present in the various access control types are:

Authorisation and Authentication

1.      Authentication

This is a technique that is used to verify if someone is who they say they are. An example of authentication is a staff identification card. This can be used to check whether the person is who they say they are as the name and picture will correspond to the name and picture present in the database.

2.      Authorisation

Authorisation is another technique that adds an additional layer to authentication. In this technique, it is determined whether the user should be allowed to access the data or make the transaction that they are attempting to perform.

Without authentication, and authorization, there is no data security. Data security is very important as organizations make use of the internet. The data in the organization is valuable to someone who does not have access to it.

An example of this is how some botnet named Smominru mined sensitive information including internal IP addresses, domain information, usernames and their passwords. Cyber criminals then sell credentials on places called access market places, and one access market place called the Ultimate Anonymity Services (UAS) offers 35,000 credentials with an astounding average selling price of $6.75 per credential. This market is highly lucrative.


Access Control Methods

1.      Administrative Access Control

The administrator is the one who sets the access control policies and procedures for the whole organization, defines the implementation requirements of both physical and technical access control as well as the consequences of breaching the set rules.

2.      Physical Access Control

This involves using physical methods such as fences, gates, doors, turnstiles, locks, biometrics, motion detectors, and security guards to allow access to certain areas.

3.      Technical Access Control, or Logical Access Control

This limits connections to computer networks, data, as well as system files. It enforces restrictions on operating systems, encryption mechanisms, etc.



This article gave the definition of Access Control. It explored the various types of access control. We hope you now understand each type of access control, and know the importance of access control systems.