Authorization Models: RBAC, ABAC, MAC, DAC, and Least Privilege
Key Takeaways
- Authorization decides what an authenticated subject may access; it is separate from a successful login.
- RBAC grants permissions through roles/groups; ABAC evaluates attributes such as department, device, time, and data label.
- MAC is centrally enforced with labels and clearances; DAC lets the resource owner grant access at their discretion.
- Least privilege, need-to-know, separation of duties, and just-in-time access shrink the blast radius of a breach.
- Permission creep is the classic scenario clue: rights accumulated through transfers, projects, and emergency grants that were never removed.
Authentication Ends, Authorization Begins
Authentication says the user is who they claim to be. Authorization says what that proven user may do. A subject can authenticate perfectly and still be denied because the requested action falls outside policy. SY0-701 tests four core access-control models plus rule-based access, and you must map a scenario's wording to the right one.
| Model | How access is decided | Best clue word |
|---|---|---|
| RBAC (Role-Based) | Permissions come from job roles or groups | analyst role, payroll role, admin role |
| ABAC (Attribute-Based) | A policy engine evaluates multiple attributes | department, data label, device health, location, time |
| MAC (Mandatory) | A central authority enforces labels and clearances | classified, clearance level, mandatory label |
| DAC (Discretionary) | The resource owner grants access | file owner shares a folder |
| Rule-Based | Access follows explicit, predefined rules | firewall ACL, time-of-day rule |
A frequent trap: role-based and rule-based access control are both sometimes abbreviated RBAC, but on the exam RBAC means roles, while rule-based means explicit conditions such as an ACL entry or a time-of-day rule. MAC is the strict, non-negotiable model associated with government clearances; the owner cannot override the label.
The Least-Privilege Family
Least privilege is the umbrella; the exam expects you to distinguish its relatives.
| Principle | Meaning | Scenario clue |
|---|---|---|
| Least privilege | Grant only the access required for the task | read-only access for reporting |
| Need-to-know | Access only when a specific business need exists | investigator sees only assigned cases |
| Separation of duties (SoD) | Split a sensitive task across people | one requests payment, another approves |
| Just-in-time (JIT) access | Grant elevated rights only briefly | admin rights expire after the change window |
| Privileged Access Management (PAM) | Control and monitor powerful accounts | credential checkout, vaulting, session recording |
Separation of duties prevents one person from completing a fraud end-to-end; dual control and mandatory vacations support it by forcing a second pair of eyes. Need-to-know is narrower than least privilege: you may have a clearance level yet still be denied a specific file because you have no business reason to see it.
Choosing the Right Model
Match the wording precisely. RBAC is efficient when access maps cleanly to a job. ABAC is flexible when the decision depends on context and combines several signals. MAC is rigid and label-driven. DAC is flexible but sprawls because owners share freely.
| Scenario | Best fit | Reason |
|---|---|---|
| All help desk staff need identical ticket permissions | RBAC | One role maps to the job function |
| Payroll files reachable only from managed devices, in business hours, when labeled internal | ABAC | Several attributes drive one decision |
| A classified file requires a matching clearance label | MAC | Central labels and clearances control access |
| A project owner shares read access to a document | DAC | The owner chooses who gets in |
| Inbound traffic blocked unless a port rule allows it | Rule-based | A predefined condition decides |
The ABAC tell is multiple attributes in one sentence (role and device and time and label). If you only see a single job title driving access, it is RBAC.
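To make the model distinctions concrete, here is a small decision engine that implements each row of the scenario table. This is an added example, not code from the original page; the role names, permission strings, label ordering, business-hours window (09:00 to 17:00) and firewall rules are all constructed for illustration. MAC is modelled as dominance (a clearance may read objects at or below its level), and the rule-based evaluator ends in implicit deny so that anything not explicitly permitted is blocked.

```python
from dataclasses import dataclass, field
from datetime import time

# --- RBAC: permissions hang off roles; a subject holds the union of its roles' permissions.
# Role names and permission strings are constructed for this example.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "payroll_admin": {"payroll:read", "payroll:write"},
}


def rbac_allows(roles, permission):
    """True if any role held by the subject carries the requested permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: one decision combines subject, resource and environment attributes.
def abac_allows_payroll(subject, resource, env):
    """Finance staff may open payroll only from a managed device, during
    business hours (09:00-17:00 assumed here) and only when the data is
    labeled internal. Remove any one attribute and the decision flips."""
    return (
        subject.get("department") == "finance"
        and env.get("device_managed") is True
        and time(9, 0) <= env["now"] < time(17, 0)
        and resource.get("label") == "internal"
    )


# --- MAC: a central authority orders the labels; neither owner nor subject can change them.
# Modelled as dominance: a clearance reads objects at or below its level (no read up).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows_read(clearance, label):
    return LEVELS[clearance] >= LEVELS[label]


# --- DAC: the owner keeps the ACL and is the only principal allowed to grant.
@dataclass
class Document:
    owner: str
    acl: dict = field(default_factory=dict)  # grantee -> set of rights


def dac_grant(doc, grantor, grantee, right):
    """Only the owner may share; anyone else is refused."""
    if grantor != doc.owner:
        raise PermissionError(f"{grantor} is not the owner and cannot grant {right}")
    doc.acl.setdefault(grantee, set()).add(right)


def dac_allows(doc, user, right):
    return user == doc.owner or right in doc.acl.get(user, set())


# --- Rule-based: an ordered rule list evaluated first-match, ending in implicit deny.
def rule_based_allows(rules, packet):
    for rule in rules:
        if all(packet.get(k) == v for k, v in rule["match"].items()):
            return rule["action"] == "allow"
    return False  # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed inputs mirroring the scenario table.
    print("helpdesk updates ticket:", rbac_allows({"helpdesk"}, "ticket:update"))
    env = {"device_managed": True, "now": time(10, 30)}
    print("payroll from managed laptop at 10:30:",
          abac_allows_payroll({"department": "finance"}, {"label": "internal"}, env))
    print("secret clearance reads confidential:", mac_allows_read("secret", "confidential"))
    doc = Document(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("bob reads alice's doc:", dac_allows(doc, "bob", "read"))
    rules = [{"match": {"dir": "in", "port": 443}, "action": "allow"}]
    print("inbound 443:", rule_based_allows(rules, {"dir": "in", "port": 443}))
    print("inbound 22 (implicit deny):", rule_based_allows(rules, {"dir": "in", "port": 22}))
```

Note how only the ABAC function needs more than one input to decide; that is the "several attributes in one sentence" tell in code form, and the DAC grant is the only path where a non-administrator changes who gets in.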
Trap Callout: Admin Convenience Is Not Least Privilege
If a user must restart one service, full local administrator on the whole server is excessive. Prefer a narrowly scoped permission, a delegated service-management role, or a JIT privileged session that expires.
Permission Creep, Zero Trust, and a Scenario
Permission creep (privilege creep) is the steady accumulation of rights a user no longer needs after transfers, projects, and emergency grants. The countermeasure is periodic access recertification plus automated deprovisioning. The same thinking underpins Zero Trust, which grants no implicit trust and re-evaluates policy on every request rather than once at login.
Scenario Walkthrough
A developer is temporarily pulled in to investigate a production outage. The weak answer adds them permanently to the production admin group. The strong answer grants time-limited access through PAM with approval, MFA, session logging, and automatic removal when the work ends, satisfying least privilege and leaving an audit trail.
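The strong answer above, and the recertification countermeasure for permission creep, can both be expressed as a small privileged-access broker. This is an added example, not code from the original page or from any PAM product; the user, group and role names, the two-hour window and the permission sets are constructed. The broker refuses self-approval (separation of duties), requires an MFA flag before elevating, writes every decision to an audit list, and sweeps expired grants automatically; the recertification helper returns exactly the permissions a user's current roles no longer justify.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    group: str
    approver: str
    expires_at: datetime


@dataclass
class PamBroker:
    """Brokers time-limited group membership and keeps an audit trail.
    All names, groups and timestamps used with it are constructed examples."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_elevation(self, user, group, approver, ttl, now, mfa_verified):
        # Separation of duties: nobody approves their own elevation.
        if approver == user:
            self.audit.append(("denied", user, group, "self-approval"))
            raise PermissionError("requester cannot approve their own elevation")
        # Strong authentication is a precondition for the privileged session.
        if not mfa_verified:
            self.audit.append(("denied", user, group, "mfa-missing"))
            raise PermissionError("MFA required for privileged access")
        grant = Grant(user, group, approver, now + ttl)
        self.grants.append(grant)
        self.audit.append(("granted", user, group, grant.expires_at.isoformat()))
        return grant

    def sweep_expired(self, now):
        """Automatically remove grants whose window has closed; returns the count removed."""
        live = [g for g in self.grants if g.expires_at > now]
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append(("auto-removed", g.user, g.group, now.isoformat()))
        removed = len(self.grants) - len(live)
        self.grants = live
        return removed

    def is_member(self, user, group, now):
        """Membership is re-checked on every call, never cached from login time."""
        self.sweep_expired(now)
        return any(g.user == user and g.group == group for g in self.grants)


def find_permission_creep(current_roles, held_permissions, role_permissions):
    """Recertification check: permissions a user holds that no current role justifies.
    Whatever is returned is the deprovisioning list."""
    justified = set().union(*(role_permissions.get(r, set()) for r in current_roles))
    return sorted(set(held_permissions) - justified)


if __name__ == "__main__":
    # Constructed walkthrough: a developer gets two hours on prod-admins, approved by the on-call lead.
    pam = PamBroker()
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pam.request_elevation("dev", "prod-admins", "oncall-lead", timedelta(hours=2), start, True)
    print("member at +1h:", pam.is_member("dev", "prod-admins", start + timedelta(hours=1)))
    print("member at +2h:", pam.is_member("dev", "prod-admins", start + timedelta(hours=2)))
    for entry in pam.audit:
        print("audit:", entry)

    # Constructed recertification: a user moved to marketing but kept a payroll right.
    roles = {"marketing": {"marketing:edit", "crm:read"}}
    print("to remove:", find_permission_creep({"marketing"},
                                              {"crm:read", "payroll:write", "marketing:edit"}, roles))
```

Run periodically, `sweep_expired` is the automatic deprovisioning the exam wants to hear about, and `find_permission_creep` is the recertification report; the weak answer (a permanent group membership) would simply never appear in either.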
Quick Drill
| Clue | Answer |
|---|---|
| Access follows the job title only | RBAC |
| Access depends on role, classification, device posture, and time | ABAC |
| Data owner shares access with a coworker | DAC |
| Labels and clearances decide access | MAC |
| Old access lingers after a transfer | Permission creep |
| Elevated rights expire after a change window | JIT access |
| One person cannot both create and approve a payment | Separation of duties |
| Cleared user still denied a file with no business reason | Need-to-know |
A closing nuance the exam likes: implicit deny is the safe default that should sit at the end of any rule set, so anything not explicitly permitted is blocked. Pair that with least privilege and recertification and you cover the three concepts examiners most often combine in a single authorization scenario.
A policy allows finance employees to open payroll only from managed laptops, only during business hours, and only when the data is labeled internal. Which model is most directly represented?
A document's owner personally grants another user read access to a folder they created. Which authorization model is this?
An administrator needs elevated rights for a two-hour maintenance window. Which option best supports least privilege?
Six months after transferring departments, a user still holds permissions from three previous roles that no one removed. What is this condition called, and what fixes it?