Authorization Models: RBAC, ABAC, MAC, DAC, and Least Privilege
Key Takeaways
- Authorization decides what an authenticated subject can access; it is separate from login success.
- RBAC assigns permissions through roles, while ABAC uses attributes such as department, device, time, and data label.
- MAC is centrally enforced with labels and clearances; DAC lets owners grant access.
- Least privilege, need-to-know, separation of duties, and just-in-time access reduce blast radius.
- Permission creep is a common scenario clue after transfers, projects, and emergency access.
Authorization Models and Least Privilege
Authentication says the user is who they claim to be. Authorization says what that user can do. A user can authenticate correctly and still be blocked because the requested action is outside policy.
| Model | How access is decided | Best clue |
|---|---|---|
| RBAC | Permissions come from job roles or groups | Analyst role, payroll role, admin role |
| ABAC | Policy evaluates attributes | User department, data label, device health, location, time |
| MAC | Central authority enforces labels and clearances | Secret data, clearance level, mandatory label |
| DAC | Resource owner grants permissions | File owner shares a folder |
| Rule-based access | Access follows explicit rules | Firewall ACL, time-of-day rule |
Least Privilege Family
| Principle | Meaning | Scenario clue |
|---|---|---|
| Least privilege | Grant only the access required | Read-only access for reporting |
| Need-to-know | Access only when the business need exists | Investigator can view only assigned cases |
| Separation of duties | Split sensitive tasks across people | One person requests payment, another approves |
| Just-in-time access | Grant elevated rights briefly | Admin access expires after change window |
| Privileged access management | Control and monitor powerful accounts | Checkout, approval, vaulting, session recording |
Choosing the Model
RBAC is efficient when access maps cleanly to jobs. ABAC is more flexible when decisions depend on context. MAC is strict and centrally controlled, often associated with sensitivity labels. DAC is flexible but can become messy because owners can share access.
| Scenario | Best fit | Reason |
|---|---|---|
| All help desk users need the same ticket permissions | RBAC | Role maps to job function |
| Payroll files allow access only from managed devices during business hours | ABAC | Multiple attributes drive the decision |
| Classified file requires a clearance label match | MAC | Central labels and clearances control access |
| Project owner grants read access to a shared document | DAC | Owner decides who can access |
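As an added example (not part of the original page), here is a small Python policy evaluator for the payroll scenario in the table above; the user names, role name, department, label value and the 09:00 to 17:00 weekday business-hours window are constructed assumptions. It shows why ABAC fits that row: a user who passes an RBAC role check is still denied when the device or time attributes fail.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not from any real system), modelled on the
# payroll row above: managed device, business hours, data label.

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset       # RBAC input: group or role membership
    department: str        # ABAC attribute

@dataclass(frozen=True)
class Resource:
    name: str
    label: str             # data label, e.g. "internal"

@dataclass(frozen=True)
class Environment:
    device_managed: bool   # device posture attribute
    now: datetime          # time attribute

def rbac_allows(subject, resource):
    """RBAC: the decision depends only on role membership."""
    required = {"payroll": "payroll_user"}.get(resource.name)
    return required in subject.roles

def abac_allows(subject, resource, env):
    """ABAC: every attribute condition must hold; a role alone is not enough."""
    business_hours = 9 <= env.now.hour < 17 and env.now.weekday() < 5
    return (
        subject.department == "finance"
        and env.device_managed
        and business_hours
        and resource.label == "internal"
    )

def decide(subject, resource, env):
    """Return (rbac_decision, abac_decision) so the two models can be compared."""
    return rbac_allows(subject, resource), abac_allows(subject, resource, env)

PAYROLL = Resource("payroll", "internal")
ALICE = Subject("alice", frozenset({"payroll_user"}), "finance")
WEEKDAY_NOON = datetime(2024, 3, 5, 12, 0)   # a Tuesday
SATURDAY_NOON = datetime(2024, 3, 9, 12, 0)  # a Saturday

if __name__ == "__main__":
    print(decide(ALICE, PAYROLL, Environment(True, WEEKDAY_NOON)))   # (True, True)
    print(decide(ALICE, PAYROLL, Environment(False, WEEKDAY_NOON)))  # (True, False)
    print(decide(ALICE, PAYROLL, Environment(True, SATURDAY_NOON)))  # (True, False)
```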
Trap Callout: Admin Convenience Is Not Least Privilege
If a user needs to restart one service, local administrator access to the whole server is excessive. Prefer a narrowly scoped permission, delegated admin task, service management role, or just-in-time privileged session.
Scenario Walkthrough
A developer is temporarily assigned to investigate a production issue. The weak answer is to add the developer permanently to the production admin group. A stronger answer is time-limited access through privileged access management, approval, MFA, session logging, and automatic removal after the work is complete.
Quick Drill
| Clue | Answer |
|---|---|
| Access follows the job title | RBAC |
| Access depends on user role, data classification, device posture, and time | ABAC |
| Data owner shares access with a coworker | DAC |
| Labels and clearances decide access | MAC |
| Old access remains after transfer | Permission creep |
A policy allows finance employees to access payroll only from managed laptops, only during business hours, and only when the data is labeled internal. Which model is most directly represented?
A file owner grants another user read access to a folder. Which authorization model is this?
A system administrator needs elevated access for a two-hour maintenance window. Which option best supports least privilege?