Access Control Models: RBAC vs DAC vs MAC, Least Privilege | AP Cybersecurity
Access Control Models Explained: RBAC, DAC, MAC & Least Privilege
Access control decides who can reach which data and what they can do with it. Topic 5.2 covers the principle of least privilege, the five access control models (RBAC, RuBAC, DAC, MAC, and Bell-LaPadula), and how to set Linux file permissions with chmod.
Authorization and least privilege
Authorization is granting an entity permission for a specific type of access to a resource. It comes after authentication: authentication proves who you are, authorization decides what you may touch.
The principle of least privilege says entities should get exactly as much access as they need to do their job and no more. If a compromised account has only narrow access, the attacker is contained to that narrow scope, which is why over-permissioned accounts make breaches far worse.
An intern is given full administrator rights 'to be safe.' Why does this violate least privilege?
Answer:
Least privilege grants only the access a role needs. Admin rights far exceed an intern's needs, so if that account is phished, the attacker inherits broad control instead of a small slice.
Authentication proves identity; authorization decides access. Least privilege means the narrowest permissions that still let the user do their job.
The five access control models
An access control model defines how the system decides which subjects (users or apps) get which type of access to which objects (files or apps). The CED names five, and the exam tests choosing the right one for a scenario.
| Model | How access is decided | Example |
|---|---|---|
| RBAC (role-based) | By the subject's assigned role | Anyone in the "accountant" role can use payroll software |
| RuBAC (rule-based) | By rules and conditions, layered on top of another model | Deny database access outside business hours |
| DAC (discretionary) | The owner of an object sets others' access | Bob lets Alice edit his file and Frank only view it |
| MAC (mandatory) | Fixed levels assigned by an administrator | Government or military clearance levels |
| Bell-LaPadula | A MAC model summarized as "write up, read down" | You cannot read above your level or write below it |
A company wants access to a system allowed only during business hours and only from devices on the corporate network. Which model fits?
Answer:
Rule-based access control (RuBAC). It applies conditional rules (time and network) on top of whatever base model already grants access, denying access when the conditions are not met.
Match the trigger: role decides = RBAC, conditions/rules decide = RuBAC, owner decides = DAC, fixed admin levels = MAC, 'write up, read down' = Bell-LaPadula.
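The decision rule behind each row of the table, written out as an added example (not part of the original page). The role names, Bob's access list, the clearance labels and the 09:00 to 17:00 business hours are constructed assumptions.

```python
from datetime import time

# Constructed sample data: roles, ACL, clearance levels and hours are assumptions.
ROLE_PERMISSIONS = {"accountant": {"payroll"}, "intern": {"wiki"}}
BOB_FILE_ACL = {"alice": {"view", "edit"}, "frank": {"view"}}
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


def rbac_allows(role, resource):
    """RBAC: the subject's assigned role decides."""
    return resource in ROLE_PERMISSIONS.get(role, set())


def rubac_allows(now, on_corporate_network, opens=time(9), closes=time(17)):
    """RuBAC: conditions decide (business hours and corporate network)."""
    return on_corporate_network and opens <= now < closes


def dac_allows(acl, user, action):
    """DAC: the owner's per-user list decides; unlisted users get nothing."""
    return action in acl.get(user, set())


def blp_allows(subject_level, object_level, action):
    """Bell-LaPadula over fixed MAC levels: read down, write up."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s >= o   # cannot read above your level
    if action == "write":
        return s <= o   # cannot write below your level
    return False        # unknown actions are denied by default


def request_allowed(role, resource, now, on_corporate_network):
    """RuBAC layered on RBAC: the role must grant access AND the rules must pass."""
    return rbac_allows(role, resource) and rubac_allows(now, on_corporate_network)
```

Every function falls back to deny when the role, user or action is unknown, which keeps the checks consistent with least privilege.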
Linux permissions with chmod
On a Linux system, every file has three permission sets in a fixed order: the owner, the group, and all other users. Each set can grant read (r), write (w), and execute (x). In numeric mode, read is 4, write is 2, and execute is 1, and you add them up per entity.
7 = owner = 4+2+1 = rwx (read, write, execute)
5 = group = 4+0+1 = r-x (read, execute, no write)
0 = others = 0 = --- (no access at all)
You want the owner to read and write, the group to read only, and everyone else to have no access. What chmod number is that?
Answer:
chmod 640. Owner 6 = read(4)+write(2) = rw-, group 4 = read = r--, others 0 = ---. That produces -rw-r-----.
Read down the three digits as owner, group, others. Add 4+2+1 per digit: 7=rwx, 6=rw-, 5=r-x, 4=r--, 0=no access.
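The digit arithmetic above as an added example (not part of the original page): it converts a three-digit mode to its r/w/x form, lists the permissions a file has beyond what is needed, and applies a mode to a scratch file to read back what the system reports. All function names are illustrative, and the read-back assumes a Linux or other POSIX system.

```python
import os
import stat
import tempfile

BITS = ((4, "r"), (2, "w"), (1, "x"))  # read = 4, write = 2, execute = 1


def digit_to_rwx(digit):
    """Turn one octal digit (0-7) into its three-character r/w/x form."""
    return "".join(ch if digit & value else "-" for value, ch in BITS)


def mode_to_symbolic(mode):
    """'640' -> 'rw-r-----' (owner, group, others in that fixed order)."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return "".join(digit_to_rwx(int(c)) for c in mode)


def excess_permissions(actual, needed):
    """List the permissions in `actual` that `needed` does not require."""
    extra = []
    for who, a, n in zip(("owner", "group", "others"), actual, needed):
        surplus = int(a) & ~int(n)  # bits set in actual but not in needed
        if surplus:
            extra.append(f"{who}:{digit_to_rwx(surplus).replace('-', '')}")
    return extra


def apply_and_read_back(mode):
    """chmod a scratch file, then return the mode string the filesystem reports."""
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, int(mode, 8))  # same effect as `chmod 640 <file>`
        return stat.filemode(os.stat(f.name).st_mode)
```

`excess_permissions("777", "640")` shows how far a fully open file is from the mode in the practice question: every entry it returns is access nobody needed.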
Over-permissioned accounts amplify breaches
Breach investigations repeatedly find that over-privileged accounts let attackers move freely after a single compromise. Least privilege would have limited them to a small scope.
Grant only the access the role needs.
Key Terms
| Term | Definition |
|---|---|
| Authorization | Granting permission for a type of access to a resource. |
| Least privilege | Giving only the access needed, and no more. |
| Data classification | Ranking data by sensitivity to set controls. |
| Access control | Settings that map users to allowed resources. |
Common Mistakes
Granting broad access 'to be safe'
That violates least privilege and widens the blast radius of a compromise.
Confusing authentication with authorization
Authentication proves identity; authorization decides what that identity may access.
Ignoring data classification
Sensitive data warrants tighter access than low-risk data.
Forgetting to remove old access
Access should shrink as roles change, not just grow.