role based security

The average user interaction with an access control system usually goes something like this: “Hey! I have a smartphone with access credentials. I’m going to wave my smartphone at this black box near my office door. Look! The door magically unlocked!”

For IT and HR professionals, a user experience like this is music to their ears. It means, “No problems.”

But as we know, a lot more is happening behind the scenes.

IT and HR professionals must consider the different types of access control available. These include discretionary, mandatory, and role-based access control systems. The first step to choosing the correct system is understanding the property, business or organization itself. Assess the need for flexible credential assigning and security. Then, determine the organizational structure and the potential of future expansion. With these factors in mind, IT and HR professionals can properly choose from three types of access control.

Discretionary Access Control (DAC)

What is it?: Defined by the Trusted Computer System Evaluation Criteria (TCSEC), Discretionary Access Control is “a means of restricting access to objects (areas) based on the identity of subjects and/or groups (employees) to which they belong.

The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).”

Translation: If a user has access to an area, they have total control. Users can share those spaces with others who might not need access to the space.

Assigning Credentials: To begin, system administrators set user privileges. But users with the privileges can share them with users without the privileges. With DAC, users can issue access to other users without administrator involvement.

Real-World Example: Lazy Lilly, Administrative Assistant and professional slacker, is an end-user. She has access to the storage room with all the company snacks. She gives her colleague, Maple, the credentials. The problem is Maple is infamous for her sweet tooth and probably shouldn’t have these credentials. Goodbye company snacks.

Benefits: DAC systems are easier to manage than MAC systems (see below) they rely less on the administrators. Consequently, DAC systems provide more flexibility, and allow for quick changes.

Drawbacks: The end-user receives complete control to set security permissions. This inherently makes it less secure than other systems. Since the administrator does not control all object access, permissions may get set incorrectly (e.g., Lazy Lilly giving the permissions to everyone). Worst case scenario: a breach of information…or a depleted supply of company snacks.

Mandatory Access Control (MAC)

If Discretionary Access Control is the laissez-faire, every-user-shares-with-every-other-user model, Mandatory Access Control (MAC) is the strict, tie-suit-and-jacket wearing sibling.

What is it?: In a Mandatory Access Control system, an operating system provides users with access based on data confidentiality and levels of user clearance.

Translation: Mandatory Access Control is the strictest of all models. Access is granted on a strict, need-to-know  basis. Users must prove they need the requested information or access before gaining permission. Organizations requiring a high level of security, such as the military or government, typically employ MAC systems. These systems safeguard the most confidential data. Consequently, they require the greatest amount of administrative work and detailed planning.

Assigning Credentials: Administrators manually assign access to users, and the operating system enforces privileges . Upon implementation, a system administrator configures access policies and defines security permissions. Labels contain two pieces of information—classification (e.g., “top secret”) and category (e.g., “management”).

Real-World Example: Major Tuff needs to use a specialized facility for tomorrow’s training, but his credentials do not allow him access. The major must first request access. Then, Tuff’s superiors must sign off on the request. Finally, an administrator must manually change his credentials—all before tomorrow. Talk about a “major tough” situation.

Benefits: MAC offers a high level of data protection and security in an access control system. Administrators set everything manually. Further, these systems are immune to Trojan Horse attacks since users can’t declassify data or share access.

Drawbacks: Regular users can’t alter security attributes even for data they’ve created, which may feel like the proverbial double-edged sword. Not having permission to alter security attributes, even those they have created, minimizes the risk of data sharing. Therefore, provisioning the wrong person is unlikely. However, making a legitimate change is complex. Making a change will require more time and labor from administrators than a DAC system. MAC does not scale automatically, meaning that if a company expands more manual work will be necessary.

Role-Based Access Control (RBAC)

What is it?: Role-Based Access Control is one of the most popular types of access control. It’s designed for the separation of duties within an organization.

Role-based systems are often found in commercial real estate properties and both large and small companies. Additionally, they often incorporate the Principle of Least Privilege (POLP).

Translation: Like MAC systems, Role-Based access control permissions are assigned based on employee position within the organization. Also, RBAC access control is one of the most widely used systems among enterprises of 500 or more people.

Assigning Credentials: System Administrators assign access privileges based on a job rather than to a specific person.

Real-World Example: At the fictional enterprise Smiley Faces 4 U, marketing strategist Sandy Evergrin needs access to the company suite and her office. Whereas, Office Manager Wanda Smiley’s position calls for access to all areas of the suite. The credentials each receives is based upon the need of their roles.

Benefits: Companies can easily control each users’ access. Strong privacy and confidentiality protocols may be implemented. If a company grows or shrinks, HR and IT departments can easily adjust permissions.

Drawbacks: Companies using RBAC may experience “Role Explosion.” When an increase in hiring occurs and new positions are formed, administrators increase the same number of RBAC roles. The problem arises when trying to manage the sheer number of these roles.

Have more questions about discretionary, mandatory, and role-based access control? Schedule a demo to learn more.

Subscribe to our blog!

Get the latest news, product updates, and other property tech trends automatically in your inbox.