Skip to main content

Access Control Models - RBAC, ABAC, and ACL

About 2 min read

Access control is a mechanism for managing the scope within which users and systems can access resources (files, databases, network devices, and so on). It consists of two stages, "authentication" (verifying who you are) and "authorization" (determining what you can do), and is a concept that forms the foundation of zero trust security. As of 2025, the adoption of ABAC and PBAC (policy-based access control) is advancing, and dynamic, context-aware access decisions are becoming mainstream.

Real-World Use Cases

"When designing the IAM policies for a cloud migration project, we granted the development team full access to the staging environment and read-only permissions for the production environment, and restricted deployment to production to only go through the CI/CD pipeline. This design has significantly reduced the risk of human-caused production incidents."

Comparison of Access Control Models

ModelControl methodFlexibilityMain use
DAC (discretionary)Set by the ownerHighFile systems
MAC (mandatory)Label-basedLowMilitary and government agencies
RBAC (role)Tied to rolesMediumEnterprise IT systems
ABAC (attribute)Combination of attributesHighestCloud and zero trust

Major Access Control Models

DAC (discretionary access control) is a model in which the resource owner sets the permissions, with file system read and write permissions being a typical example. MAC (mandatory access control) is a model in which the system controls access based on security labels, and it is adopted by military and government agencies. RBAC (role-based access control) is a model that ties permissions to a user's role, and it is the most widely used in enterprise IT systems. ABAC (attribute-based access control) is the latest model, which makes decisions dynamically by combining attributes such as time of day, location, and device.books on access control design (Amazon) let you learn systematically.

Design Scenarios in Practice

For example, on an e-commerce site, a basic RBAC design is one in which general users can view only their own order history, customer support can only view customer information, and administrators can read and write all data. Following the principle of least privilege, you grant each role only the minimum necessary permissions. In cloud environments, IAM (Identity and Access Management) policies allow fine-grained control, letting you enforce rules such as "developers cannot write to the production database." Data breaches caused by misconfigured access controls on cloud storage occur frequently, so regular permission reviews are essential.

Operational Tips

Access control is not "set it and forget it"; periodic auditing is important. Failing to delete the accounts of departed employees and leaving unnecessary permissions in place after a transfer can become a foothold for privilege escalation attacks. Combine a sufficiently long random password with multi-factor authentication to strengthen authentication.books on cloud permission management (Amazon) are also helpful references.

Related Terms

Was this article helpful?

XHatena