The Access Control Policies (MAC, DAC, RBAC, ABAC) are the models of access control.


Can someone suggest a situation in which it would be better to use MAC instead of RBAC? Which one is better, the others or DAC? Which RBAC is the best?

I know that RBAC is better in a situation in which we want to assign rights to a specific job. If we want to prevent a user from managing the rights, we should use RBAC and MAC.

It is possible to let people manage the content they own. It might sound obvious, but it is possible to let users of an online social network choose who can access their data. It makes it easy for people to revoke or forward privileges. Nice examples of research on DAC with users can be found in Reactive access control, Seeing further and Laissez-faire file sharing.

RBAC is a form of access control that can be used to separate responsibilities in a system where multiple roles are fulfilled. This is also true in corporations. The principle of least privilege can be implemented on a single-user operating system. Users can choose the roles they need for a specific task with RBAC. Roles can be used to represent tasks performed on your system and assign roles in a central authority, in which case RBAC is a form of MAC.

There are many ways to implement MAC. You will often use a combination of different paradigms. The root account is able to circumvent the privileges of the DAC. In a corporation, you may allow some coworkers to share information with your corporate file system.

Make your question specific and tell what system you want to protect. Depending on the situation and context, what access control you use is always up to you.

There is a different security requirement for each system. Confidentiality, integrity, and availability are the main security requirements.

The others do not support a security requirement of confidentiality. The security requirement of availability is supported by the others. The security requirement of integrity is supported by RBAC. There is more...

MAC makes decisions based on permission and labeling. Permissions are the only things that the DAC makes decisions on. RBAC makes decisions based on roles.

If the system is programmed correctly, it will enforce the security requirements. You can use the wrong system to do what you want. This happens a lot.

They are not exclusive. The best example of Active Directory roles and permissions is the combination implementation of DAC/RBAC.

A classic example of where you cannot use one of the other systems and must use RBAC is for customer service and billing. When you call the cable company to get your pay-per-view, the customer service representative will say "I'm sorry, but I can't take your credit card information," because they know you have an overdue bill. "Can I have my service after you pay your bill?" "I see you want this service, but that's not my function." Both roles can see all the data, but only manipulate the fields that they have a particular set of responsibilities for. It fits the "more so" rule.

It tends to be military systems or high-security-requirement implementations. There are others, but you don't care if they use Trusted Solaris or Linux MAC. A construct of dominance is one of the key elements. No amount of permission will get you to see a Top Secret document if you have Secret-level clearance. It's rare that you need this construct in commercial entities. If an activity is not specifically allowed, then you can't do it. This breaks a lot of commercial uses because of rapid change to the mission or system requirements. Specific permission is required for any processes spawned from that.
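The three models described in the two answers above, as an added illustration that is not part of the original thread and not code from any of the systems named in it. It shows, in one self-contained Python script, the differences the answers draw: a MAC check where a label plus dominance (not permission) decides, a DAC store where only the object's owner can grant or revoke rights, and an RBAC check at field level that reproduces the cable-company case where a customer service role and a billing role both read the whole account record but each may write only the fields its job covers. The user names, role names, field names and clearance levels are constructed assumptions for the example.

```python
"""Three toy access-control checkers, one per model (constructed example).

Names, roles, field names and labels below are illustrative assumptions,
not taken from any real product or from the original thread.
"""
from enum import IntEnum


# --- MAC: labels plus dominance -----------------------------------------
class Level(IntEnum):
    """Ordered sensitivity labels; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(clearance: Level, label: Level) -> bool:
    """'No read up': the subject's clearance must dominate the object's label.

    A SECRET-cleared user never reads a TOP_SECRET document, no matter what
    discretionary permission was handed out; the label decides, not an ACL.
    """
    return clearance >= label


# --- DAC: the owner hands out and takes back rights ---------------------
class DacStore:
    """Per-object ACL that only the object's owner may modify."""

    def __init__(self) -> None:
        self.owner: dict[str, str] = {}
        self.acl: dict[str, dict[str, set[str]]] = {}

    def create(self, obj: str, owner: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write"}}

    def grant(self, actor: str, obj: str, grantee: str, right: str) -> bool:
        """Return False (and change nothing) unless `actor` owns `obj`."""
        if self.owner.get(obj) != actor:
            return False
        self.acl[obj].setdefault(grantee, set()).add(right)
        return True

    def revoke(self, actor: str, obj: str, grantee: str, right: str) -> bool:
        """Owner-only revocation; a grantee cannot pass rights along."""
        if self.owner.get(obj) != actor:
            return False
        self.acl[obj].get(grantee, set()).discard(right)
        return True

    def can(self, user: str, obj: str, right: str) -> bool:
        return right in self.acl.get(obj, {}).get(user, set())


# --- RBAC: roles bundle permissions, here down to field level ----------
# Both roles may read the whole account record ("*"); each may write only
# the fields its job function is responsible for (assumed field names).
ROLE_PERMS: dict[str, dict[str, set[str]]] = {
    "customer_service": {"read": {"*"}, "write": {"service_plan"}},
    "billing": {"read": {"*"}, "write": {"payment_card", "balance"}},
}
USER_ROLES: dict[str, set[str]] = {
    "rep_dana": {"customer_service"},
    "clerk_eli": {"billing"},
}


def rbac_can(user: str, action: str, field_name: str) -> bool:
    """True if any role held by `user` permits `action` on `field_name`."""
    for role in USER_ROLES.get(user, set()):
        allowed = ROLE_PERMS.get(role, {}).get(action, set())
        if "*" in allowed or field_name in allowed:
            return True
    return False


if __name__ == "__main__":
    print("Secret reads Top Secret:", mac_can_read(Level.SECRET, Level.TOP_SECRET))
    store = DacStore()
    store.create("photo.jpg", "alice")
    store.grant("alice", "photo.jpg", "bob", "read")
    print("bob reads alice's photo:", store.can("bob", "photo.jpg", "read"))
    print("bob can re-share it:", store.grant("bob", "photo.jpg", "carol", "read"))
    print("CS rep writes card:", rbac_can("rep_dana", "write", "payment_card"))
    print("billing writes card:", rbac_can("clerk_eli", "write", "payment_card"))
```

The point the answers make about the root account and about combining models shows up here as what each checker does not do: `DacStore` has no notion of labels, so a grant alone can never satisfy `mac_can_read`, and `rbac_can` consults roles only, so whether a given user may hand rights to someone else is a question it cannot answer. A real system that needs both (the Active Directory case above) layers the checks rather than picking one.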
