CISM Tips

Access Control Models Explained: DAC, MAC, RBAC, and ABAC for Certification Exams

By TK, February 12, 2026. Tags: security, exam-prep

Access control is a fundamental security concept tested across all ISACA certifications. Understanding the four main models is essential.

The Four Access Control Models

1. Discretionary Access Control (DAC)

How it works: The resource owner decides who gets access.

Example: In Windows, you create a file and choose which users or groups can read, write, or execute it.

Characteristics:

Owner-controlled — most flexible
Common in desktops and file shares
Least secure model — users can share access freely
Used in most operating systems by default

Weakness: A user with access can grant it to others, potentially violating security policies.
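An added example, not code from the post, that models the DAC behaviour described above: the owner sets the ACL, and anyone holding a permission can pass it on. The resource name, user names and the grant log are constructed; the review helper lists grants made by non-owners, which is exactly the kind of re-sharing a periodic access review is meant to catch.

```python
"""Discretionary access control (DAC): the owner sets the ACL, and anyone who
holds a permission may pass it on. Constructed demo, not code from the post."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    owner: str
    # user -> set of permissions that user holds on this resource
    acl: dict = field(default_factory=dict)


class DacSystem:
    def __init__(self):
        self.resources = {}
        # audit trail of every grant: (grantor, grantee, resource, permission)
        self.grant_log = []

    def create(self, owner, name):
        res = Resource(name, owner, {owner: {"read", "write"}})
        self.resources[name] = res
        return res

    def check(self, user, name, perm):
        """Reference check: does `user` currently hold `perm` on `name`?"""
        return perm in self.resources[name].acl.get(user, set())

    def can_grant(self, grantor, name, perm):
        """DAC rule: the owner may grant anything; any other holder of `perm`
        may re-share it. This is the 'users can share access freely' weakness."""
        res = self.resources[name]
        return grantor == res.owner or self.check(grantor, name, perm)

    def grant(self, grantor, grantee, name, perm):
        if not self.can_grant(grantor, name, perm):
            raise PermissionError(f"{grantor} cannot grant {perm} on {name}")
        self.resources[name].acl.setdefault(grantee, set()).add(perm)
        self.grant_log.append((grantor, grantee, name, perm))

    def resharing_events(self):
        """Review helper: grants made by someone other than the resource owner.
        Logging and periodically reviewing these is the compensating control."""
        return [e for e in self.grant_log
                if e[0] != self.resources[e[2]].owner]


def demo():
    dac = DacSystem()
    dac.create("owner", "payroll.xlsx")            # constructed resource name
    dac.grant("owner", "alice", "payroll.xlsx", "read")
    # alice was never authorised to extend access, but DAC lets her re-share
    dac.grant("alice", "bob", "payroll.xlsx", "read")
    return dac
```

Nothing in `grant` consults a central policy; the only thing standing between bob and the payroll file is alice's judgement, which is why the grant log and `resharing_events()` matter.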

2. Mandatory Access Control (MAC)

How it works: The system enforces access based on security labels (classifications). Users cannot change permissions.

Example: Military systems where documents are classified as Confidential, Secret, or Top Secret. Users with "Secret" clearance can access Secret and Confidential, but not Top Secret.

Characteristics:

System-enforced — most restrictive
Used in government and military environments
Based on the Bell-LaPadula model (no read up, no write down)
Users cannot override or share access

Key models:

Bell-LaPadula: Focuses on confidentiality (no read up, no write down)
Biba: Focuses on integrity (no read down, no write up)
Clark-Wilson: Commercial integrity model using well-formed transactions
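An added example, not code from the post, that encodes the Bell-LaPadula and Biba rules listed above as pure functions and runs them through a small reference monitor. The classification ladder is the post's (Confidential, Secret, Top Secret); the integrity level names, object names and the subject are constructed. Labels are assigned by the system and there is no code path through which a user could alter them, which is the defining property of MAC.

```python
"""Mandatory access control with Bell-LaPadula (confidentiality) and Biba
(integrity) rules. Labels live in the system, not in user-editable ACLs.
Constructed example, not code from the post."""

# Ordered classification lattice from the post's military example.
CLASSIFICATIONS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
# Integrity levels for Biba; the level names are constructed for illustration.
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3}


def blp_can_read(clearance, label):
    """Simple security property: no read up."""
    return CLASSIFICATIONS[clearance] >= CLASSIFICATIONS[label]


def blp_can_write(clearance, label):
    """*-property: no write down. Writing to a lower label could leak data,
    so a Secret subject may write to Secret or Top Secret objects only."""
    return CLASSIFICATIONS[clearance] <= CLASSIFICATIONS[label]


def biba_can_read(subject_level, object_level):
    """No read down: a high-integrity process must not consume low-integrity input."""
    return INTEGRITY[subject_level] <= INTEGRITY[object_level]


def biba_can_write(subject_level, object_level):
    """No write up: a low-integrity subject cannot contaminate high-integrity data."""
    return INTEGRITY[subject_level] >= INTEGRITY[object_level]


# Objects carry system-assigned labels; nothing here lets a user edit them.
OBJECTS = {
    "ops-plan.doc":    {"classification": "Secret",       "integrity": "High"},
    "briefing.txt":    {"classification": "Confidential", "integrity": "High"},
    "field-notes.txt": {"classification": "Confidential", "integrity": "Low"},
    "strategy.doc":    {"classification": "Top Secret",   "integrity": "High"},
}

# Constructed subject: Secret clearance, running as a high-integrity process.
SUBJECTS = {
    "maj_smith": {"clearance": "Secret", "integrity": "High"},
}


def reference_monitor(subject, obj, operation):
    """Every access passes through here; both models must permit it."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if operation == "read":
        return (blp_can_read(s["clearance"], o["classification"])
                and biba_can_read(s["integrity"], o["integrity"]))
    if operation == "write":
        return (blp_can_write(s["clearance"], o["classification"])
                and biba_can_write(s["integrity"], o["integrity"]))
    return False  # default deny for unknown operations


def accessible(subject, operation):
    """Objects on which `subject` may perform `operation`."""
    return sorted(o for o in OBJECTS if reference_monitor(subject, o, operation))
```

With both models applied, the Secret subject can read the Secret and Confidential documents but not `field-notes.txt` (Biba blocks the read down from Low integrity), and can write to the Secret and Top Secret documents but not to the Confidential ones (Bell-LaPadula blocks the write down).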

3. Role-Based Access Control (RBAC)

How it works: Access is assigned to roles, and users are assigned to roles. Users inherit the permissions of their role.

Example: A "Finance Manager" role has access to accounting systems, budgets, and financial reports. Anyone assigned to that role automatically gets those permissions.

Characteristics:

Most widely used in enterprise environments
Simplifies administration (manage roles, not individual permissions)
Supports segregation of duties
Principle of least privilege through role design

Best practice: Define roles based on job functions, not individuals. Review role assignments regularly.
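An added example, not code from the post, showing the RBAC characteristics and best practice above in working form: permissions attach to job-function roles, users only ever receive roles, a pair of mutually exclusive roles enforces segregation of duties, and a review helper flags unused roles and conflicts that bypassed the normal assignment path. Role names, permission strings and user names are constructed.

```python
"""Role-based access control with segregation-of-duties enforcement and an
access-review helper. Constructed example, not code from the post."""

# Roles are defined by job function; permissions are "resource:action" strings.
ROLE_PERMISSIONS = {
    "finance_manager": {"accounting:read", "budget:read", "budget:approve", "report:read"},
    "ap_clerk": {"invoice:create", "vendor:read"},
    "ap_approver": {"invoice:approve", "vendor:read"},
    "auditor": {"accounting:read", "report:read"},
}

# Role pairs one person must never hold at once (segregation of duties).
MUTUALLY_EXCLUSIVE = {frozenset({"ap_clerk", "ap_approver"})}


class Rbac:
    def __init__(self):
        self.user_roles = {}   # user -> set of role names

    def sod_conflict(self, user, role):
        """Return the role already held that conflicts with `role`, or None."""
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in MUTUALLY_EXCLUSIVE:
                return held
        return None

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        held = self.sod_conflict(user, role)
        if held is not None:
            raise ValueError(f"SoD violation: {user} holds {held}, cannot add {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Users inherit the union of their roles' permissions; nothing is
        granted to an individual directly."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def check(self, user, perm):
        return perm in self.permissions(user)

    def review(self):
        """Periodic access review: roles with no members (candidates for
        removal) and SoD conflicts that slipped past assign(), e.g. via a
        bulk import that wrote user_roles directly."""
        members = {r: set() for r in ROLE_PERMISSIONS}
        for user, roles in self.user_roles.items():
            for r in roles:
                members[r].add(user)
        conflicts = [(u, tuple(sorted(pair)))
                     for u, roles in self.user_roles.items()
                     for pair in MUTUALLY_EXCLUSIVE if pair <= roles]
        return {"unused_roles": sorted(r for r, m in members.items() if not m),
                "sod_conflicts": sorted(conflicts)}


def demo():
    rbac = Rbac()
    rbac.assign("dana", "finance_manager")
    rbac.assign("eli", "ap_clerk")
    # Simulate a direct data load that bypassed assign() and its SoD check
    rbac.user_roles["frank"] = {"ap_clerk", "ap_approver"}
    return rbac
```

Adding a permission to a role changes what every member can do at once, which is the administrative saving the post describes; the review output is what an auditor would ask for to confirm that the role design still matches the organisation.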

4. Attribute-Based Access Control (ABAC)

How it works: Each access decision is made by evaluating attributes of the user, the resource, and the environment (such as time or network location) against a policy.

Example: "Allow access to financial reports IF user department = Finance AND time = business hours AND location = corporate network."

Characteristics:

Most granular and flexible
Policy-based decisions using multiple attributes
Can implement complex access rules
Used in cloud environments and zero-trust architectures

Comparison Table

Model | Who decides access | Enforcement | Security posture | Typical use
DAC | Resource owner | Owner-set permissions; holders can re-share | Most flexible, least secure | Desktops, file shares, most OS defaults
MAC | The system, via security labels | System-enforced; users cannot override | Most restrictive | Government and military systems
RBAC | Administrators, via roles | Users inherit their roles' permissions | Simplifies administration; supports segregation of duties | Enterprise environments
ABAC | Policy over attributes | Policy evaluated for each request | Most granular and flexible | Cloud and zero-trust architectures

How These Appear on Exams

CISA Questions

"What access control model is MOST appropriate for a classified military system?" → MAC
"What is the BEST approach for managing access in a large enterprise?" → RBAC

CISM Questions

"Which model supports the principle of least privilege most effectively?" → RBAC
"What access control approach is BEST for a zero-trust architecture?" → ABAC

CRISC Questions

"Which model presents the GREATEST risk of unauthorized access sharing?" → DAC
"What compensating control addresses DAC weaknesses?" → Access logging and review

Deep dive into access controls and security concepts with our CISM and CISA courses.
