Episode 73: Authorization Techniques: RBAC, ABAC, MAC, DAC

Welcome to The Bare Metal Cyber CISSP Prepcast. This series helps you prepare for the (ISC)² CISSP exam with focused explanations and practical context.
Today we turn our attention to authorization techniques—a foundational topic for both the CISSP exam and for real-world cybersecurity implementation. Authorization defines what a user, system, or process is allowed to do after it has successfully authenticated. While authentication confirms identity, authorization is what determines access. Who can read a file? Who can run a command? Who can approve a transaction? That’s what authorization decides.
Getting authorization right is essential for security. It supports the principle of least privilege, enforces accountability, and reduces the risk of insider threats or accidental data exposure. This episode focuses on four major authorization models: Role-Based Access Control, Attribute-Based Access Control, Mandatory Access Control, and Discretionary Access Control. You’ll need to understand the purpose, structure, advantages, and limitations of each for the CISSP exam—and for building robust access control systems.
Let’s start with Role-Based Access Control, commonly abbreviated as RBAC. In an RBAC model, users are assigned to roles, and roles are assigned permissions. For example, a user in the “HR_Manager” role might have permission to read employee files, update benefits, and generate reports. Instead of assigning permissions to individual users one by one, you define a role once, assign permissions to that role, and then place users into that role.
RBAC simplifies administration, reduces errors, and scales well in large environments. It also supports the least privilege principle, because users only get the permissions defined for their roles—nothing more, nothing less. In fact, the CISSP exam may include questions where the best way to enforce least privilege and minimize administrative complexity is through role-based access control.
There are different types of RBAC models. Core RBAC is the basic structure. Hierarchical RBAC allows roles to inherit permissions from other roles. And constrained RBAC enforces separation of duties, ensuring that one user cannot occupy conflicting roles. For example, someone with the “Invoice_Creation” role might be prevented from also holding the “Payment_Approval” role.
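As an added example (not part of the episode), the three RBAC variants just described in a few dozen lines of Python: core RBAC maps roles to permissions, hierarchical RBAC lets HR_Manager inherit from a base Employee role, and constrained RBAC refuses to give one user both Invoice_Creation and Payment_Approval. All role and permission names are constructed for illustration.

```python
from collections import deque

# Constructed role/permission data for illustration only.
ROLE_PERMS = {
    "Employee": {"read:handbook"},
    "HR_Manager": {"read:employee_files", "update:benefits", "generate:reports"},
    "Invoice_Creation": {"create:invoice"},
    "Payment_Approval": {"approve:payment"},
}
# Hierarchical RBAC: a role inherits the permissions of its parent roles.
ROLE_PARENTS = {"HR_Manager": {"Employee"}}
# Constrained RBAC: static separation of duties as mutually exclusive role pairs.
SOD_CONFLICTS = {frozenset({"Invoice_Creation", "Payment_Approval"})}


def effective_permissions(role):
    """Walk the role hierarchy and collect inherited permissions (cycle-safe)."""
    perms, seen, todo = set(), set(), deque([role])
    while todo:
        current = todo.popleft()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_PERMS.get(current, set())
        todo.extend(ROLE_PARENTS.get(current, ()))
    return perms


class RoleAssignments:
    """User-to-role assignments that refuse to create a separation-of-duties conflict."""

    def __init__(self):
        self.user_roles = {}

    def conflicting_role(self, user, role):
        """Return the already-held role that conflicts with `role`, or None."""
        for held in self.user_roles.get(user, ()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                return held
        return None

    def assign(self, user, role):
        held = self.conflicting_role(user, role)
        if held is not None:
            raise ValueError(f"{user} cannot hold {role}: conflicts with {held}")
        self.user_roles.setdefault(user, set()).add(role)

    def is_authorized(self, user, permission):
        """Permission check: any of the user's roles (including inherited) grants it."""
        return any(permission in effective_permissions(r)
                   for r in self.user_roles.get(user, ()))
```

Because permissions are attached to roles rather than users, removing "alice" from HR_Manager revokes everything at once, which is the administrative simplification the episode describes.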
Next, we move to Attribute-Based Access Control, or ABAC. ABAC is a more flexible and context-aware approach to authorization. Instead of relying solely on roles, ABAC considers attributes—which can be properties of the user, the resource, the environment, or even the action. For instance, a user might be granted access to a file only if they’re in the “Marketing” department, located in the “US region,” and accessing the resource during business hours.
ABAC systems evaluate these attributes at the time of the access request using defined policies. This makes ABAC dynamic and granular, supporting fine-tuned decisions that adapt to real-world conditions. That’s why ABAC is commonly used in cloud environments, where static roles may not be sufficient to manage access across dynamic resources and identities.
Of course, with that flexibility comes complexity. ABAC policies can become difficult to manage if not well organized. CISSP candidates should remember that ABAC is ideal for scenarios requiring context-aware, scalable, and dynamic access decisions, such as federated environments or systems with fluctuating user attributes.
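The Marketing/US-region/business-hours decision described above, as an added example that is not part of the episode: attributes of the subject, action, resource and environment are evaluated against policy rules at request time, with deny-overrides combining and a default of deny. The rule names, attribute keys and the 09:00-17:00 weekday window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Constructed request and policy data for illustration only.

@dataclass
class Request:
    subject: dict      # attributes of the user
    action: str        # the requested operation
    resource: dict     # attributes of the object
    environment: dict  # attributes of the context (time, network, ...)

@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]

def during_business_hours(env):
    t = env["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17   # Mon-Fri, 09:00-16:59 (assumed)

POLICY = [
    Rule("deny-terminated-users", "deny",
         lambda r: r.subject.get("status") == "terminated"),
    Rule("marketing-us-business-hours", "permit",
         lambda r: r.action == "read"
         and r.resource.get("owner_department") == "Marketing"
         and r.subject.get("department") == "Marketing"
         and r.subject.get("region") == "US"
         and during_business_hours(r.environment)),
]

def decide(request, policy=POLICY):
    """Evaluate every rule against the request at decision time.
    Deny-overrides: a matching deny always wins; otherwise any matching
    permit grants access; with no match at all the default is deny."""
    matched = [rule for rule in policy if rule.condition(request)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny"
    if any(rule.effect == "permit" for rule in matched):
        return "permit"
    return "deny"

def marketing_request(department, region, when_iso, status="active"):
    """Build a read request on a Marketing file; `when_iso` is an ISO timestamp."""
    return Request(
        subject={"department": department, "region": region, "status": status},
        action="read",
        resource={"name": "campaign_plan.docx", "owner_department": "Marketing"},
        environment={"time": datetime.fromisoformat(when_iso)},
    )
```

The same user with the same role gets different answers at 10:30 and at 20:30, which is exactly what a static role assignment cannot express.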
Let’s pause briefly and connect you to additional resources. For more information on CISSP certification and other valuable cybersecurity education tools, visit cyberauthor dot me. You’ll find best-selling books, study guides, and practical tools tailored specifically for cybersecurity professionals preparing for certification and leadership roles.
Now let’s talk about Mandatory Access Control, or MAC. This is a highly structured, centrally enforced authorization model typically used in government, military, and high-security environments. In MAC, access decisions are based on classifications. Users are assigned security clearances—such as confidential, secret, or top secret—and resources are labeled with sensitivity levels.
With MAC, users cannot change permissions. Only system administrators, often using predefined security policies, can determine who can access what. This is what makes MAC mandatory—the control is enforced by the system, not the user or even the resource owner.
MAC implements models such as Bell-LaPadula for confidentiality and Biba for integrity. For example, a Bell-LaPadula system might allow a user to read a document at their clearance level or lower, but not higher—this is the classic "no read up, no write down" policy.
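As an added example (not the episode's own material), the Bell-LaPadula "no read up, no write down" rules and the Biba inverse for integrity, plus a small store in which labels are set only through an administrator path and every access is mediated by the lattice check rather than by the object's owner. The level names and numeric ordering are constructed assumptions.

```python
# Constructed label lattices for illustration only.
CONFIDENTIALITY_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY_LEVELS = {"low": 0, "medium": 1, "high": 2}

def bell_lapadula_allows(subject_clearance, object_label, action):
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    s = CONFIDENTIALITY_LEVELS[subject_clearance]
    o = CONFIDENTIALITY_LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")

def biba_allows(subject_integrity, object_integrity, action):
    """Integrity: no read down (simple integrity), no write up (*-integrity)."""
    s = INTEGRITY_LEVELS[subject_integrity]
    o = INTEGRITY_LEVELS[object_integrity]
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action {action!r}")

class LabeledStore:
    """Objects carry system-assigned confidentiality labels. Only admin_create sets a
    label; read/write are decided by the lattice, never by whoever created the object."""
    def __init__(self):
        self._labels = {}
        self._data = {}

    def admin_create(self, name, label, content=""):
        if label not in CONFIDENTIALITY_LEVELS:
            raise ValueError(f"unknown label {label!r}")
        self._labels[name] = label
        self._data[name] = content

    def read(self, clearance, name):
        if not bell_lapadula_allows(clearance, self._labels[name], "read"):
            return None          # denied: subject is cleared below the object's label
        return self._data[name]

    def write(self, clearance, name, content):
        if not bell_lapadula_allows(clearance, self._labels[name], "write"):
            return False         # denied: writing here would move data down the lattice
        self._data[name] = content
        return True
```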
The biggest strength of MAC is its rigor. It enforces strict policy compliance and resists tampering or user error. The downside is its inflexibility—it can be difficult to manage in commercial environments that need agility. But for the CISSP exam, remember that MAC is best suited for scenarios requiring centralized control, strong data classification, and strict policy enforcement.
On the opposite end of the spectrum is Discretionary Access Control, or DAC. DAC is a more flexible, user-centric approach. It allows the owner of a resource—like a file or folder—to determine who else can access it. If Alice creates a document, she can grant Bob permission to read or modify it. This is how most desktop operating systems like Windows and macOS implement access control.
DAC is common in collaborative environments, creative workflows, and personal file systems. It supports productivity and autonomy, but it can also increase risk. If users grant access carelessly or fail to update permissions over time, it can lead to privilege creep or data leakage.
Effective DAC management includes policies, education, and monitoring: for example, enforcing default-deny settings, using group permissions rather than individual grants, and requiring regular reviews of access logs and of who holds which permissions. CISSP candidates should remember that DAC is user-driven, and while flexible, it may not be appropriate for highly sensitive environments without additional safeguards.
Let’s now summarize how these four models stack up. RBAC is efficient, consistent, and great for organizations with well-defined job roles. ABAC is powerful and adaptive, ideal for complex environments requiring contextual access decisions. MAC is rigid but highly secure, best suited for classified or regulated data. DAC is flexible and user-friendly but demands oversight to prevent abuse or errors.
In real-world implementations, you’ll often see combinations of these models. For instance, an RBAC system may incorporate ABAC-like attributes for specific exceptions, or a DAC-based system may overlay RBAC templates for shared folders.
For the CISSP exam, be prepared to analyze scenarios. You may get a question asking which access control method best enforces least privilege in a dynamic cloud application. Or which model best prevents data leakage in a top-secret environment. Or how to limit user-granted permissions in a file-sharing platform.
When preparing your answer, consider who makes the decision, how access is enforced, and how well the model fits the risk profile.
As we wrap up, remember that authorization techniques are not just technical decisions—they reflect policy, governance, user behavior, and risk tolerance. Building a secure access control system means selecting the right model, implementing it consistently, monitoring it continuously, and adjusting it as your organization evolves.
Thanks for joining us for this episode of The Bare Metal Cyber CISSP Prepcast. For more episodes, tools, and study support, visit us at bare metal cyber dot com.