Types of Access Control

The main models of access control are the following:

Mandatory access control (MAC): This model uses multiple levels of security to regulate access rights. In government and military environments, classifications are used to identify system resources and operating systems. Access to resource objects is granted or denied based on the information security clearance of the user or device. For example, Security-Enhanced Linux is an implementation of MAC on Linux.

Discretionary access control (DAC): Using this method, owners or administrators of protected systems, data or resources define who or what is authorized to access them. It is possible to limit the propagation of access rights in many of these systems. A common criticism of DAC systems is that they lack centralized control.

Role-based access control (RBAC): This access control mechanism restricts access to computer resources based on individuals or groups with defined business functions (e.g., executive level, engineer level 1, etc.) rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations, and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.

Rule-based access control: System administrators define access rules for resource objects in this security model. The rules are often based on conditions, such as the time of day or location. To enforce access policies and procedures, rule-based access control and RBAC are often used.
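The following added example (not part of the original page) shows an access decision that combines RBAC role assignments and role permissions with rule-based conditions on time of day and location. All users, roles, resources and rules are constructed sample data, and requiring both checks to pass with a default of deny is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy; every name below is hypothetical.
ROLE_ASSIGNMENTS = {            # role assignment: user -> roles
    "alice": {"executive"},
    "bob": {"engineer_level_1"},
}
ROLE_PERMISSIONS = {            # role permission: role -> (action, resource)
    "executive": {("read", "finance_report")},
    "engineer_level_1": {("read", "build_log"), ("write", "build_log")},
}

@dataclass(frozen=True)
class Rule:
    """Condition an administrator attaches to a resource object."""
    resource: str
    start: time
    end: time
    locations: frozenset

RULES = [
    Rule("finance_report", time(8, 0), time(18, 0), frozenset({"hq"})),
    Rule("build_log", time(0, 0), time(23, 59, 59), frozenset({"hq", "vpn"})),
]

def rbac_allows(user, action, resource):
    """True if any role assigned to the user carries the permission."""
    roles = ROLE_ASSIGNMENTS.get(user, set())
    return any((action, resource) in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def rules_allow(resource, now, location):
    """True only if the resource has at least one rule and all of them hold."""
    applicable = [r for r in RULES if r.resource == resource]
    return bool(applicable) and all(
        r.start <= now <= r.end and location in r.locations for r in applicable
    )

def is_authorized(user, action, resource, now, location):
    """Default deny: the role check and the rule check must both pass."""
    return rbac_allows(user, action, resource) and rules_allow(resource, now, location)
```

A resource with no rule attached is denied even when a role grants it, so a missing rule cannot silently open access.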