Which of the following access control models is most restrictive?

There are many different types of access control systems and identifying which is best for your business is ideal. Access control is important for sensitive areas of a building, where only authorized individuals are permitted. Therefore, the installation of a commercial access control system is vital to control security in such areas and minimizes the risk of unauthorized activity in your business.

Access Control Models 

The term “access control” describes granting access in or out of any restricted area. It is basically identifying a person, authenticating them by their unique identification and giving that person access to the required area or asset. The basics of an access control system include creating an entry record in the system every time a person uses a keycard, fob, or biometric scanner. This makes it easy to track movement in and out of the premises. The differences in the types of systems come into play with the management style of a chosen access system and how you determine which individuals have certain access permissions.  This guide breaks down 10 access control user permission management types to help you get started.  

10 Types of Access Control Permission Management Models

Mandatory Access Control (MAC)

Mandatory Access Control is typically considered the most restrictive type of access control. All doors are controlled by settings created by system administrators. In this system, users cannot change permissions that deny or allow them entry to different rooms in the facility, thus ensuring the security of sensitive documents and data. The system also restricts an area or resource owner’s ability to deny or grant access to resources listed in a file system. All end users are classified and provided with labels that allow them to gain access only under the established security guidelines. For example, security clearance of users and classification of data (as confidential, secret or top secret) are used as security labels to define the level of trust. It limits the access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity. It is commonly used by government entities and the military because of the emphasis on consistent classification and confidentiality of the data. Mandatory Access Control is often seen as the opposite of the next type of access control management, Discretionary Access Control.

Discretionary Access Control (DAC)

Discretionary Access Control allows business owners to decide on who can access which areas of the premises or resources. The data owner has full control over all the programs and files in their system and determines who can access specific resources. Therefore they are responsible for deciding the people that can enter a certain location, digitally or physically. For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions. User authentication is based on supplied credentials, such as username and password. This type of access management then offers selective restriction by ensuring that users who access the system have permission to view the company’s data. 

DAC is easy to implement and intuitive but may not be the best system due to some of its disadvantages. One disadvantage is that the end-user has complete control to set security level settings for other users and which limits negative authorization oversight. Plus, this system requires more active management to revoke and grant permissions than a rigid system. DAC is often seen as the opposite of its more structured and rigid counterpart, MAC.

Role-Based Access Control (RBAC)

Role-Based Access Control is designed to allow or restrict access based on specific roles with outlined business responsibilities as opposed to an individual user. An employee’s role in an organization determines the permissions that the individual is granted and ensures that lower-level employees can’t access sensitive information or perform high-level tasks. RBAC is the most common form of managing user permissions. This method is designed using access rights that are built on variable attributes, such as resource needs, job, environment, location, and more.

This makes it simple for owners to manage users in groups based on their role or position, rather than assigning permissions to each specific individual. RBAC largely eliminates discretion when providing access to objects. For example, a human resources specialist should not have permissions to create network accounts; this should be a role reserved for network administrators. Companies largely depend on this model to secure their sensitive data and critical applications Improve operational efficiency, enhance compliance, giving administrators increased visibility, reducing cost, and decreasing risk of breaches and data leakage. Role-based security is a flexible and secure method for managing user permissions.

Rule-Based Access Control

In this type of system management, access permissions are based on structured rules and policies. This method is largely context-based with access granted or denied based on a set of rules defined by a system administrator. When an account or group attempts to access a resource, the operating system checks the rules contained in the access control list for that object.

Although rule-based control access is simple to understand, it is often combined with role-based access control to better enforce procedures and policies. For example, by classifying a role and rules, it allows administrators to set permissions allowing students to go to the lab at a certain time of the day.

Attribute Access Control

This type of management is also known as policy-based control, as it gives different dynamic and risk-intelligent control based on specific attributes of a user. Attributes are used as building-blocks that describe access requests and define access control. Then, set policies can use any of these attributes; object attributes, resource attributes, environmental or user attributes to determine if a user should have access.

While inspired by role-based access control, it is an advanced way to determine access using attributes such as group, department, employee status, citizenship, position, device type, IP address, or any other factors. These attributes can also be obtained and imported from a database, Salesforce, LDAP server, or even from a business partner – helping it work with larger business functions. 

Identity-Based Access Control (IBAC)

IBAC is a simplified security method that dictates whether the person using is permitted or denied to a given electronic resource based on their individual visual or biometric identity. Therefore, a user will be permitted or denied access to an electronic resource based on if their identity can be matched with a name that appears on an access control list. Using this, network administrators can more effectively manage activity and access based on individual needs. Some of the advantages of the identity-based security approach include he ability to exercise very fine-grained control over twho can use which services, and which functions those individuals are actively performing. Also, there is the benefit of being able to enforce access control policy across a variety of devices, such as smartphones, tablets, and PCs.

History-Based Access Control (HBAC)

The decisions made by this access control management system are based fundamentally on past security actions. Historical activities of the user determine whether or not he or she is going to be granted access. This requires real-time evaluation of the user’s history of activities, such as the time between requests, the content of requests, which doors have been recently opened, etc. As an example, access to a certain service or data source can be granted or declined on the user’s past behavior, e.g. the request interval exceeds one query per second. 

Organizational-Based Access Control (OBAC)

OBAC helps when evaluating the security policies and permissions of larger entities with multiple users, such as third-party companies. This method grants a high degree of scalability and expressiveness. Each security policy is defined by and for an organization within the larger system. Thus, the specification of the security policy is completely parameterized by the organization so that it is possible to handle simultaneously several security policies associated with different organizations. 

Responsibility Access Control 

Responsibility-based systems limit entry or access based on their responsibilities in an organization. Employees can only access information that is necessary for them to carry out their official duties. Factors such as responsibility, job competence and authority are used to determine who is responsible enough to have access to certain information. This ensures that low- level employees, do not access sensitive data of a business that may be used against the company.

Features For Different Types of Access Control Systems



It is the best solution when it comes to securing your facility, providing a much higher level of security, unlimited scalability, minimal effort, greater convenience and maintain simplicity. The access permissions are stored, managed and processed on a network of remote servers hosted on the Internet, rather than on local servers or personal computers. Cloud-based access storage allows an administrator to manage the permissions from anywhere and anytime, simply by using a browser. Unlike other access control types or models, which consume a lot of resources, CBAC saves internal resources and offers subscriptions that can increase your company’s bottom line.



It offer a level of security and control that’s simply not possible in the cloud. Business can control, manage and handle the data by their own dedicated employee or IT staff. The access permissions are implemented on local servers or personal computers, that are managed daily by the internal security, IT personnel, or both. These access control software platforms needs regular maintenance to ensure proper functioning. There is no doubt that the traditional OOAC is proven to be a  highly effective physical security solution all over the world.



It is the use of mobile device like smartphone, tablet or wearable to gain access to doors, gates, networks, services and more. Mobile-First is growing in demand globally making MBAC the most essential component to secure different businesses.



IoT devices play a crucial role in helping organizations to compete in today’s digital marketplace, therefore IoT presents a unique set of access control challenges due to low power requirements of IoT devices, low bandwidth between IoT devices and the Internet, distributed nature of the system, ad-hoc networks, and the potential need for extremely large number of IoT devices. This model connects all the door readers to the internet and have firmware that can be updated whether for security reasons or to add new functionality. On a high level, there are two ways to implement access control for IoT.



The user accesses only cloud-based servers that authorize the request and relay data between the user and the IoT devices.



An access control server grants access tokens to users, who use them to access the IoT devices directly.

License Plate Recognition Vs. License Plate Cameras

by Thomas Carnevale | 05/02/2021 | Blog | 0 Comments

In the process of designing video surveillance systems – our clients are always telling us they need license plate camera recognition at their front entrance, but what they usually mean is license plate capturing. License plate camera capturing is the process of...