Trusted by 100,000+ organizations globally
While strong, versatile and adaptive physical security strategies will always be a top priority for business and property owners, a balance must be achieved with policies able to prevent potential intrusion events that don’t hinder employees from accessing essential resources.
Reliable and effective access control systems will be deployed with adaptability in mind, making use of intelligently designed methodologies intended to grant varying degrees of access to relevant employees, residents and visitors based upon a predetermined and informed ruleset.
This is the concept behind access control models: systems that allow admins or system administrators to better manage user permissions and grant property access based on measurable criteria such as time, company role and security clearance. This guide will detail the most commonly implemented variations of access control model, as well as describe use cases, system benefits, best practices and unique user considerations.
Before describing the operation of each access control method in detail, it’s important that business and property owners gain a clear understanding of what access control actually entails. When security teams discuss the use of access control methods, they are likely referring to these factors:
Alongside systems used to secure building entry points and physical spaces, access control can also be deployed as a digital security measure. In these configurations, access control methods can be used to:
Most access control methods can be categorized using one (or more) of these five models or access control lists:
These access control models describe the way in which an installed security system is instructed to operate, including the parameters that must be met to grant building, room or elevator access, the way that unique user permissions are understood and the ruleset used to inform wider security policies.
Choosing the most appropriate access control models will require the system administrator or business owner to consider the unique needs of the access control system installation, including the type and size of the building, the number of individuals requiring regular access, the intended variability of granted permissions and the overall level of on-site security deemed necessary for the organization.
Rule-based access control is used to manage access to locations, databases and devices according to a set of predetermined rules and permissions that do not account for the individual’s role within the organization. In other words, if the user does not meet a set of predefined access criteria, they will be locked out of the access control network regardless of their level of security clearance.
Role-based access control is an operational configuration for physical and cyber entry point management designed to grant access permissions based only on the role of the user within an organization. Simply put, levels of access are determined by the user’s job title rather than other predefined rules such as time, frequency of use or other similarly measurable variables.
Mandatory access control is the strictest configuration organizations can deploy in which all access decisions are made by one individual with the authority to confirm or deny permissions. This model is commonly used by organizations with high-level security needs, like government agencies and financial institutions, as access to confidential areas and data must be highly controlled and traceable.
In contrast to MAC, discretionary access control models describe a system in which any user granted access permissions by an administrator can edit and share those permissions with other members of an organization. This means that once the end user has access to a location or a digital system, they’re able to grant the same privileges to any other person at their own personal discretion.
Attribute-based access control (also referred to as a policy-based access control method) is a methodology in which permissions are granted based on the evaluated attributes or characteristics of the employee rather than only their specific role. Attributes can include desired actions, job roles and the classification of the object or location in question. If an employee fails to meet all these criteria access will be denied.
If an organization adopts this model of access control, appointed security administrators will be tasked with setting high-level rules used to determine exactly how, where and when employees of all levels are able to access certain locations, databases and other specific company resources.
With a rule-based system in place, employees will present personally issued access credentials to be checked against a predetermined list of requirements. If all needs are met, access will be granted.
Under this methodology, company roles may be overridden by certain rules implemented by the administrator. For example, IT staff may have access to server rooms based on their company role, though a rule denying access after a certain hour would take precedence to deny these credentials.
In operation, an example of rule-based access would be that an administrator has programmed access hours for a building in line with a regular working day, meaning regardless of an individual’s role within the company, no active credentials will be accepted by the access control network outside the hours of 9am-5pm.
Rule-based models for access control can also be utilized in conjunction with additional systems, allowing administrators to set prioritized levels of security in response to specific risks and potential threats. A role-based system may be in place to provide basic access instruction, with rules outlining additional criteria such as:
Rule-based access control offers a flexible approach to building security, with admins able to completely restrict access to certain areas in reaction to evolving requirements, though as these rules are likely to change fairly regularly, RuBAC systems can be time-consuming to manage and adjust.
Management of RuBAC systems can be made a little easier by clearly outlining the type of rulesets the network is configured to follow. Static rules can be implemented which will not change without admin permission; dynamic rules can be set to change under certain circumstances; and implicit deny rules can be utilized to block access to any user lacking specifically defined access credentials.
Further benefits to the use of RuBAC models include:
As rule-based permissions will commonly be implemented alongside additional access control models and be expected to override certain aspects of the wider security network, a number of best practices must be followed when designing and implementing an effective rule-based access control network.
Role-based access control operates using the least privilege principle, in which a user is only granted access to the specific areas and resources necessary for them to perform their role within an organization. Access in these situations will commonly be based on factors like seniority and job title.
Managing these permissions can be a little difficult if an employee has multiple roles within the organization, though multiple sets of credentials can be issued to the same physical access device.
By implementing a RBAC model, security teams can ensure that all team members are restricted to predefined areas with little need for administrative monitoring. For example, management teams will be granted access to most entry points and databases, specialist workers will have access to relevant resources and low-level employees will be restricted to communal areas and low-risk environments.
This means a member of the IT department can use their credentials to access communal areas and role-specific locations such as server rooms, while office staff may only be able to access the main entrance of the building, meeting rooms and the office space itself. This system allows admins to manage the credentials of large workforces without individually assessing each staff member.
As with any security system, there are key role-based access control benefits and drawbacks to the use of these models.
RBAC systems can provide:
Some potential drawbacks to the use of RBAC systems include:
Before implementing a role-based access control model, organizations should consider:
Rule-based and role-based access control models are similar in operation, both are mandatory (not discretionary) systems in which employees are unable to edit permissions or control access, though there are a few differences that may indicate a preferential model for certain situations. When figuring out which access control methods are right for your organization, consider the following factors.
Rule-based models are a preventative security measure, meaning these systems are unable to determine clearance levels. Rather, their purpose is to prevent unauthorized access. Conversely, role-based models are proactive in that these systems provide staff with the means to prove their own authorization.
Rule-based models ignore job titles in favor of strict rules that must be addressed to gain access. Role-based models instead grant permissions based entirely on the user’s role within the company. In larger organizations where roles are clearly defined, RBAC methods might be easier to manage, while smaller organizations where employees need different levels of access depending on a variety of factors may be better suited for RuBAC models.
Rule-based models are ideal for large workforces as access parameters are far reaching and generic, while role-based models can cater to individuals based on their role on a case-by-case basis.
Let’s look at role-based access control vs. attribute-based access control. The main difference when it comes to a role-based access control vs. attribute-based access control model is the way that admins configure access parameters. In a role-based system, access is confirmed or denied based only on job title; ABAC systems instead rely on approved attributes or characteristics.
If you are therefore weighing rule-based access control vs. attribute-based access control, consider whether your business could allow access based on just job title, or whether you need additional criteria and characteristics. Characteristics may include job titles, though can extend to criteria such as project memberships and clearance levels, creating a more precise — though harder to implement — security system.
When comparing rule-based access control vs. attribute-based access controls, again the primary difference is the way parameters are configured. In a RuBAC model, access is evaluated in response to a set of predetermined rules, while ABAC systems measure approved attributes to grant access.
The difference here is the type of information used. Rules are often related to external factors like working hours, schedules and specific devices, while attributes will be reliant on personal information such as active projects, work status and security clearance level.
Both configurations consider multiple variables when determining access parameters, and both can be implemented alongside additional models such as role-based systems; only the variables used differ.
In terms of discretionary access control vs. mandatory access control, these two models differ greatly. MAC models rely heavily on admins configuring access parameters based on predetermined rules and organizational roles, providing more security though often proving time-consuming to implement.
DAC models instead provide users with some individual control over their data, with staff able to grant permissions at their own discretion. This makes DAC systems incredibly flexible and scalable. However, as credentials can be shared freely amongst staff, DAC models are known to present some exploitable security risks.
So, which is the most logical access control method for your property? When it comes to access control models, property owners should consider the pros and cons of rule- and role-based systems, as implementing the most appropriate methodology will aid security teams in managing access to physical locations and digital information in an efficient and reliable manner.
Leveraging multiple access control models can help to customize physical security technology in line with the unique needs of an installation, though businesses will need to consider aspects such as staff numbers, building size and the level of security required before selecting the most appropriate configuration, as well as the effort and resources to effectively develop and manage the access control models as business needs change.
Our video security experts can help you implement the right security system for your business.