PROBABLYPWNED
Security Guides · February 6, 2026 · 7 min read

What Is Access Control? Models, Types, and Best Practices

Learn what access control means in cybersecurity, the four main models (DAC, MAC, RBAC, ABAC), and how to implement effective access control policies.

Emily Park

Access control is one of those security concepts that sounds obvious until you realize how many breaches trace back to someone having permissions they shouldn't have had. We've covered broken access control as the top OWASP risk before, and the real-world examples keep piling up—from the 2025 Snowflake-related data thefts to routine ransomware incidents.

TL;DR

  • What it is: Access control determines who can access which resources, under what conditions, and what they can do with them.
  • Why it matters: Broken access control is the number one web application security risk, and misconfigured permissions are behind some of the largest breaches on record.
  • Key takeaway: Choosing the right access control model—and actually enforcing least privilege—is far more effective than bolting on security tools after the fact.

What Is Access Control?

Access control is the practice of restricting who can view, use, or modify resources within a system. NIST defines it as "determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system." It covers both digital resources (files, databases, applications) and physical ones (buildings, server rooms, equipment).

In cybersecurity, access control operates through three core questions: Who are you? (authentication), What are you allowed to do? (authorization), and What did you do? (auditing). Get any of these wrong and you've got a problem.

The Four Main Access Control Models

Not all access control works the same way. The four models below represent different philosophies about how permissions should be assigned and enforced.

Discretionary Access Control (DAC)

DAC lets resource owners decide who gets access. If you've ever right-clicked a file on your computer and set sharing permissions, you've used DAC. Each object has an access control list (ACL) that the owner can modify.

Where it works: Small teams, personal devices, file-sharing scenarios where flexibility matters more than strict control.

Where it breaks down: DAC falls apart in larger organizations because there's no central oversight. Users can grant access to anyone, and permissions sprawl fast. It's a poor fit for environments handling sensitive data.

Mandatory Access Control (MAC)

MAC takes the opposite approach—a central authority assigns security labels to both users and resources, and the system enforces rules that nobody can override. A user with "Secret" clearance can't access "Top Secret" documents, period.

Where it works: Military and intelligence agencies, government classified networks, and any environment where data classification is rigid and non-negotiable.

Where it breaks down: MAC is inflexible by design. It's expensive to administer and too restrictive for most commercial environments. Few organizations outside of defense need this level of control.

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles, not individuals. A "Finance Analyst" role might have read access to financial reports and write access to expense submissions, but nothing else. When someone joins the finance team, they get that role. When they leave, the role gets removed.

Where it works: Enterprises with clearly defined job functions, compliance-heavy industries (healthcare, finance), organizations managing hundreds or thousands of users.

Where it breaks down: Role explosion. Companies that start with 10 clean roles often end up with 500 as exceptions pile up. And RBAC can't easily handle context—it doesn't care whether someone is logging in from the office at 2 PM or from an unknown device in a foreign country at 3 AM.

Attribute-Based Access Control (ABAC)

ABAC evaluates attributes—user characteristics, resource properties, environmental conditions, and actions requested—against policies in real time. A policy might say: "Allow access to patient records if the user's role is Physician AND the patient is assigned to their department AND the request is coming from a hospital network during business hours."

Where it works: Complex environments needing fine-grained, context-aware decisions. Cloud platforms, healthcare systems, and organizations moving toward zero trust architecture.

Where it breaks down: ABAC policies can get complicated fast. Without careful management, you end up with a spaghetti pile of rules that nobody fully understands.
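The following is an added example, not code from the original article: it evaluates the physician policy quoted above attribute by attribute and puts it next to a pure role check, so the 3 AM unknown-device case from the RBAC section is visible in the decisions. The hospital network range, business hours and sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed environment attributes: the hospital's address space and its business hours.
HOSPITAL_NET = ip_network("10.20.0.0/16")
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time


@dataclass(frozen=True)
class Request:
    user_role: str
    user_department: str
    patient_department: str
    source_ip: str
    timestamp: datetime


def rbac_allows(req: Request) -> bool:
    """RBAC: only the role is consulted; time, location and device are invisible."""
    return req.user_role == "Physician"


def abac_allows(req: Request) -> bool:
    """ABAC: the policy from the text, every clause required.
    A clause that cannot be evaluated fails closed rather than defaulting to allow."""
    return (
        req.user_role == "Physician"
        and req.user_department == req.patient_department
        and ip_address(req.source_ip) in HOSPITAL_NET
        and req.timestamp.hour in BUSINESS_HOURS
    )


# Constructed requests: the same physician on the ward at 2 PM, at 3 AM from an
# outside address (203.0.113.0/24 is a documentation range), and for another department.
ON_SHIFT = Request("Physician", "Cardiology", "Cardiology", "10.20.4.17", datetime(2026, 2, 6, 14, 0))
OFF_HOURS = Request("Physician", "Cardiology", "Cardiology", "203.0.113.9", datetime(2026, 2, 6, 3, 0))
WRONG_DEPT = Request("Physician", "Oncology", "Cardiology", "10.20.4.17", datetime(2026, 2, 6, 14, 0))

if __name__ == "__main__":
    for name, req in [("on shift", ON_SHIFT), ("3 AM remote", OFF_HOURS), ("other dept", WRONG_DEPT)]:
        print(f"{name:12} RBAC={str(rbac_allows(req)):5} ABAC={abac_allows(req)}")
```

RBAC grants all three requests because the role matches; ABAC denies the two that fail a context clause.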

Physical vs. Logical Access Control

Access control isn't just a software problem. Physical access control—badge readers, biometric scanners, mantraps—protects the hardware and infrastructure that digital systems run on. Logical access control covers the software side: passwords, multi-factor authentication, API keys, and session management.

The best security programs tie these together. If someone's badge is deactivated because they left the company, their network accounts should be disabled simultaneously. Too many organizations treat physical and digital access as separate concerns, leaving gaps that attackers exploit.

How Access Control Fails

Understanding how access control breaks is just as important as knowing how it should work. The same patterns show up in breach reports year after year.

Excessive permissions are the most common culprit. Users accumulate access over time as they change roles but never lose old privileges. This "permission creep" means a former intern-turned-manager might still have access to development databases they touched once two years ago.

Shared and compromised credentials cause enormous damage. When teams share passwords for convenience, attribution becomes impossible and every compliance framework on the planet is violated. The Fortinet authentication bypass we covered showed how a single compromised credential can cascade into full network access.

Missing MFA is another repeat offender. Passwords alone aren't enough—phishing attacks routinely harvest credentials, and without a second factor, stolen passwords grant immediate access. CISA's guidance consistently lists missing MFA as one of the most commonly exploited weaknesses.

Stale accounts round out the list. Former employees, abandoned service accounts, and test accounts that nobody bothered to disable are magnets for attackers because they're less likely to trigger alerts.

Best Practices for Access Control

Apply Least Privilege Everywhere

Give users the minimum access they need to do their jobs. NIST SP 800-53 makes least privilege a foundational control (AC-6), and for good reason—it limits the blast radius when an account gets compromised.

Implement Multi-Factor Authentication

MFA should cover all external-facing systems, VPN connections, privileged accounts, and any system touching sensitive data. Phishing-resistant methods (hardware security keys, passkeys) are worth the investment over SMS-based codes.

Conduct Regular Access Reviews

Quarterly reviews of who has access to what catch permission creep before it becomes a problem. Automated tools can flag accounts with excessive privileges or dormant access that should be revoked.
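As an added example (not code from the article), here is the kind of check an automated access review runs: it flags permission creep by diffing what each account holds against what its current role entitles it to, and flags dormant accounts by last login. The role entitlements, account inventory and 90-day idle threshold are constructed assumptions; the data shape is not taken from any particular IAM product.

```python
from datetime import date

# Constructed sample data (assumed IAM export shape): what each role is entitled to...
ROLE_ENTITLEMENTS = {
    "Finance Analyst": {"reports:read", "expenses:write"},
    "Engineering Manager": {"repos:read", "tickets:write"},
    "Intern (Dev)": {"repos:read", "dev-db:read"},
}

# ...and what each account actually holds today, plus its last interactive login.
ACCOUNTS = [
    {"user": "a.lee", "role": "Finance Analyst",
     "perms": {"reports:read", "expenses:write"}, "last_login": date(2026, 1, 30)},
    # former intern, now a manager: dev-db:read survived the role change
    {"user": "j.okafor", "role": "Engineering Manager",
     "perms": {"repos:read", "tickets:write", "dev-db:read"}, "last_login": date(2026, 2, 1)},
    # service account nobody has touched since last summer
    {"user": "svc-legacy-etl", "role": "Finance Analyst",
     "perms": {"reports:read"}, "last_login": date(2025, 7, 15)},
]

REVIEW_DATE = date(2026, 2, 6)  # constructed date of this quarterly review


def permission_creep(accounts, role_entitlements):
    """Map each account to the permissions its current role does not justify.
    An account with an unknown role has every permission flagged, because
    nothing documents why it should hold them."""
    findings = {}
    for acct in accounts:
        excess = acct["perms"] - role_entitlements.get(acct["role"], set())
        if excess:
            findings[acct["user"]] = sorted(excess)
    return findings


def dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts with no login for more than max_idle_days (90 matches a quarterly cadence)."""
    return sorted(a["user"] for a in accounts
                  if (today - a["last_login"]).days > max_idle_days)


if __name__ == "__main__":
    print("permission creep:", permission_creep(ACCOUNTS, ROLE_ENTITLEMENTS))
    print("dormant accounts:", dormant_accounts(ACCOUNTS, REVIEW_DATE))
```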

Adopt Zero Trust Principles

Zero trust—"never trust, always verify"—is the direction the industry is moving, and access control sits at its center. The U.S. government has pushed this hard, with initiatives like the Space Force's $212 million network modernization built around zero trust architecture. The core idea: verify identity and context on every request, regardless of network location.

Log and Monitor Access Events

Access logs are useless if nobody looks at them. Set up alerts for unusual patterns—logins from new locations, access outside business hours, bulk data downloads—and investigate anomalies quickly. For more on staying ahead of threats, check our hacking news coverage.
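An added example, not from the original article, of the three alert patterns named above run over a constructed access log: logins from a country not in the user's baseline, activity outside business hours (one alert per user per day to limit noise), and bulk downloads aggregated per user per day. The log format, per-user location baseline, business hours and 1 GB threshold are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample access log (not from any real system).
# Fields: ISO timestamp, user, event, source country, bytes transferred.
LOG_LINES = """\
2026-02-05T09:12:03 a.lee login US 0
2026-02-05T09:13:40 a.lee download US 120000
2026-02-05T11:02:11 a.lee download US 80000
2026-02-05T22:47:09 a.lee login RO 0
2026-02-05T22:48:30 a.lee download RO 900000000
2026-02-05T22:49:02 a.lee download RO 900000000
2026-02-05T22:50:15 a.lee download RO 900000000
2026-02-05T10:05:00 j.okafor login US 0
""".splitlines()

# Assumed per-user baseline of countries seen in previously reviewed logins.
KNOWN_LOCATIONS = {"a.lee": {"US"}, "j.okafor": {"US"}}
BUSINESS_HOURS = range(8, 18)        # assumed 08:00-17:59 local time
BULK_BYTES_PER_DAY = 1_000_000_000   # assumed threshold: 1 GB per user per day


def parse(line):
    ts, user, event, country, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "event": event, "country": country, "bytes": int(nbytes)}


def detect(lines, known_locations=KNOWN_LOCATIONS):
    """Return (kind, user, detail) alerts for new-location logins, off-hours
    activity (deduplicated per user per day) and bulk downloads per user per day."""
    alerts = []
    off_hours_seen = set()
    bytes_per_user_day = Counter()
    for ev in map(parse, lines):
        user, day = ev["user"], ev["time"].date()
        if ev["event"] == "login" and ev["country"] not in known_locations.get(user, set()):
            alerts.append(("new_location", user, ev["country"]))
        if ev["time"].hour not in BUSINESS_HOURS and (user, day) not in off_hours_seen:
            off_hours_seen.add((user, day))
            alerts.append(("off_hours", user, ev["time"].isoformat()))
        bytes_per_user_day[(user, day)] += ev["bytes"]
    for (user, day), total in sorted(bytes_per_user_day.items()):
        if total >= BULK_BYTES_PER_DAY:
            alerts.append(("bulk_download", user, f"{day}: {total} bytes"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(LOG_LINES):
        print(f"ALERT {kind:14} {user:10} {detail}")
```

The sample yields three alerts, all for a.lee: the late-night login from a new country, the off-hours activity, and a 2.7 GB day of downloads that individually stayed under the threshold.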

Frequently Asked Questions

What's the difference between authentication and access control? Authentication proves who you are (username + password, biometrics, MFA). Access control determines what you're allowed to do once your identity is confirmed. Authentication is a prerequisite—you can't enforce access rules on an unidentified user.

Which access control model is best for my organization? It depends on your size and complexity. Small businesses with simple structures can get by with RBAC. Larger enterprises handling sensitive data across multiple contexts should consider ABAC or a hybrid approach. Regulated industries (healthcare, defense, finance) should evaluate their compliance requirements first—they often dictate the model.

How does access control relate to zero trust? Zero trust treats access control as continuous rather than one-time. Instead of granting broad access after initial authentication, zero trust evaluates every request against policies that consider identity, device health, location, and behavior. ABAC and policy-based access control are the enforcement mechanisms that make zero trust work in practice.
