Security Models

Programmatic Access Control

Uses a matrix of user privileges (e.g. which "tag" or role has what permissions) and access controls are applied with reference to this matrix. This approach can be highly granular and can include roles or groups or individual users, collections or workflows of processes.

Discretionary Access Control (DAC)

The owner has full control over who can access the resource and what level of access. Access control decisions are made based on the identity of the user and/or group and the permissions assigned to them.

Mandatory Access Control (MAC)

The owner does not have full control over the access of its resources, and thus they can't grant or deny access to resources. A classification level is assigned to both the users and resources. Common classifications include confidential, secret and top secret, with top secret being the highest classification level. Users or devices with a low classification will not be able to access resources higher than its classification. For example, users with secret label will only be access resources labeled as confidential and secret but not top secret.

Role-based Access Control (RBAC)

Different levels of access permissions are assigned to various roles. Users and groups are assigned these roles and obtain the permissions to perform permitted actions. Users and groups are not limited to a single role. RBAC is most effective when there are sufficient roles to properly invoke access controls but not so many as to make the model excessively complex and unwieldy to manage.