An access control model is a standardised specification of how to configure and implement access controls.
Access control models provide reusable specifications for access control systems that are tailored to meet the requirements of different use cases.
There are four basic access control models:
Mandatory Access Control
Entitlements are pre-defined by administrators – owners or custodians of a resource. Users can only access resources accordingly.
Discretionary Access Control
Users entitled to resources are given the ability to dynamically share those resources with other users.
Role-Based Access Control
Rights are assigned to account holders based on pre-defined roles within an organisation.
Rule-Based Access Control
Rights are assigned according to rules that are derived from the value of identity attributes, or data used in an authentication session such as IP addresses and network domains.
Access control models can include variations on these basic patterns. For example, Location-Based Access Control and Time-Based Access Control are variations of the Rule-Based Access Control model. Likewise, the Biba and Bell-LaPadula security models provide alternative ways to implement Mandatory Access Control.
Organisations should develop and promulgate the range of approved access control models that best fit their needs.
Access control models are not mutually exclusive. Organisations in general, and information systems in particular, may deploy a mix of different models to meet different needs.
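An illustration of one system deploying a mix of models, added here as an example and not taken from any product or standard: the decision below grants access only when a Role-Based check and a Rule-Based check (with Location-Based and Time-Based conditions) both pass. The role names, resource name, network range and time window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Role-Based: rights attached to pre-defined roles (constructed sample data).
ROLE_RIGHTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

@dataclass(frozen=True)
class Rule:
    """Rule-Based condition on session data for one resource."""
    resource: str
    networks: tuple  # allowed source networks (Location-Based variation)
    start: time      # start of allowed window (Time-Based variation)
    end: time        # end of allowed window, exclusive

RULES = [Rule("payroll-db", (ip_network("10.20.0.0/16"),), time(8, 0), time(18, 0))]

def role_permits(roles, resource, action):
    # Unknown roles carry no rights, so they never match.
    return any((resource, action) in ROLE_RIGHTS.get(r, set()) for r in roles)

def rules_permit(resource, source_ip, when: datetime):
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # unparseable session data is treated as a failed rule
    return any(  # no rule for the resource means any() is False: default deny
        any(addr in net for net in r.networks) and r.start <= when.time() < r.end
        for r in RULES if r.resource == resource
    )

def decide(roles, resource, action, source_ip, when: datetime):
    """Grant only when both models agree; the reason names the failed model."""
    if not role_permits(roles, resource, action):
        return False, "role"
    if not rules_permit(resource, source_ip, when):
        return False, "rule"
    return True, "granted"
```

Returning which model refused the request lets an audit trail link each denial back to the policy it enforces.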
Access control models are a business object produced by Access Management and used as an input by Entitlement Management.
Access control models are an important aid to good identity governance because they link system configuration choices to business requirements and policies.