
Access Control

What is Access Control?

Access control refers to methods and technologies used to secure and manage digital access to applications, data, and other IT resources.

Access control is essential to securing IT environments. IT systems are usually reachable online, accessed from a wide range of devices, and communicate directly with each other. Therefore, at every access attempt, you want to know who is trying to gain access and what rights that user has. A zero-trust approach applies this check to every session, regardless of where the request comes from: being on the office network is not, by itself, a reason to trust a request. The first step is verifying the identity of the user or system, known as authentication. Once that succeeds, authorization follows, in which the access rights of that identity are checked against the requested resource and action.

It's important to note that access control isn't just needed for digital systems. Physical access control is also crucial because it helps prevent unauthorized entry to and exit from a building. Physical access can be just as complex: you want to grant an intern access only to common areas, while an IT staff member needs access to the server room. There are significant similarities between physical and digital access control, and ideally the two systems are kept in sync. An employee in the finance department must get access to the financial systems, and that same employee should automatically receive a badge with access to the finance department.

Access Control Security

How does access security work for users? The most common method is signing in with a username and password. However, that method has drawbacks. Passwords are vulnerable for many reasons (they get reused across sites, guessed, and phished), and it is inconvenient to keep typing those credentials. Here's how we can address those drawbacks:

  • SSO: Single Sign-On is a technical solution that allows a user to access multiple applications and data with a single set of login credentials. You do not need to sign in repeatedly. Note that SSO also concentrates risk: the one credential now unlocks everything behind it, so the sign-in to the identity provider itself is exactly where the strongest protection belongs.

  • MFA: With Multifactor Authentication, in addition to signing in with a password, an extra verification check is performed. For example, you must enter an additional code that you receive on your smartphone. You authenticate not only with something you know, your password, but also with something you possess, your smartphone. That makes the account much harder to take over with a stolen or guessed password alone.

In the examples above, we still used passwords, and even with MFA via your smartphone you often still need to type a code. A code that a user types can be phished or relayed by an attacker in real time, just like a password. As an alternative, more organizations and services support physical security keys such as the YubiKey. With the USB device (NFC is also possible), you can sign in directly without a username and password: the key signs a challenge that is bound to the website's origin, so a login attempt on a look-alike phishing site produces nothing the attacker can replay against the real site. Some devices also include a fingerprint reader, so that a lost or stolen key cannot be used by someone else.

Different Types of Access Control Methods

There are many different access control methods. Here are two examples:

  • Mandatory Access Control (MAC) is enforced by the system according to fixed, centrally set criteria: who gets access to which applications and data is not up to the owner of the data. Classifications are often used for this, such as confidential, secret, and top secret. Only users with the appropriate 'clearance' receive access. This is used, for example, in military environments.

  • The opposite is Discretionary Access Control (DAC). In that model, the document owner determines who gets access and with which rights. You will find this, for example, in SharePoint, where, as a user, you can indicate who gets access to a specific file. As the owner, you can also set whether others can view or edit the document.

Such methods work well, but MAC can be too strict, and DAC can be too permissive when managing all access rights within organizations. With an Access Control List (ACL), each resource carries a list of entries that grant rights to individual users or groups, but with many users and many resources this quickly becomes unmanageable. That is why we often use Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) in Identity and Access Management systems. They offer extensive options for managing access rights per employee without it becoming unmanageable. We will discuss this later in the article.

Note: MAC is also the abbreviation for Media Access Control. The so-called MAC address is a link-layer identifier that lets every device on a local network, such as a computer or printer, be individually addressed. Network access can be blocked or allowed per MAC address; this is called MAC filtering. Because a MAC address is trivially changed in software, MAC filtering only keeps out accidental connections, not an attacker who has observed a permitted address.
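The difference between the two models above is easiest to see in code. The following is an added example, not code from the original page: the same "read this document" request decided under DAC (an owner maintains an access list on each document) and under MAC (every user has a clearance, every document a classification, and the system decides with the Bell-LaPadula rules "no read up" and "no write down"). Users, documents and labels are made up for illustration.

```python
"""DAC versus MAC on the same request (added example, not from the page)."""

# Classification levels used by the MAC store (ordering is what matters).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


class DacStore:
    """Discretionary: each document has an owner who maintains its ACL."""

    def __init__(self):
        self.docs = {}   # name -> {"owner": str, "acl": {user: {"read", "write"}}}

    def create(self, name, owner):
        self.docs[name] = {"owner": owner, "acl": {owner: {"read", "write"}}}

    def share(self, name, actor, user, rights):
        """Only the owner may change the ACL; nothing stops the owner from
        sharing with anyone at all, which is what 'too permissive' means."""
        doc = self.docs[name]
        if actor != doc["owner"]:
            return False
        doc["acl"].setdefault(user, set()).update(rights)
        return True

    def allowed(self, name, user, right):
        return right in self.docs[name]["acl"].get(user, set())


class MacStore:
    """Mandatory: the system compares the subject's clearance with the
    object's label. No owner exists who could override the decision."""

    def __init__(self, clearances):
        self.clearances = clearances   # user -> level name (hypothetical data)
        self.labels = {}               # document -> level name

    def create(self, name, label):
        self.labels[name] = label

    def allowed(self, name, user, right):
        subject = LEVELS[self.clearances[user]]
        obj = LEVELS[self.labels[name]]
        if right == "read":
            return subject >= obj      # simple security property: no read up
        if right == "write":
            return subject <= obj      # *-property: no write down (no leaking
        return False                   # top-secret content into a secret file)


if __name__ == "__main__":
    dac = DacStore()
    dac.create("budget.xlsx", "alice")
    dac.share("budget.xlsx", "alice", "bob", {"read"})   # owner's choice, always allowed
    mac = MacStore({"alice": "top secret", "bob": "confidential"})
    mac.create("plan.docx", "secret")
    print("DAC bob reads budget:", dac.allowed("budget.xlsx", "bob", "read"))   # True
    print("MAC bob reads plan:  ", mac.allowed("plan.docx", "bob", "read"))     # False
```

Two things are worth noticing. In the DAC store, bob can read the budget purely because alice decided so; in the MAC store, no decision by alice could let bob read a secret plan. And the MAC write rule runs the "wrong" way for integrity (a confidential user may write into a secret file but a top-secret user may not), which is why confidentiality labels are usually paired with a separate integrity model in practice.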

Examples of Specific Access Control Models

RBAC and ABAC are widely used in organizations, but there are many other access control methods as well, each with its own characteristics, such as:

  • Policy-Based Access Control (PBAC) is a set of policy rules that determines who gains access to applications and data, and under what conditions.

  • History-Based Access Control (HBAC) is a method in which previous actions partly determine access. For example, a user may perform certain financial transactions because they have already performed similar transactions.

  • Relationship-Based Access Control (ReBAC) considers the relationships between users. This is used in social media applications where you can view data for friends or friends of friends.

  • Risk-Adaptive Access Control (RAdAC) considers current threat levels when granting access. At an elevated risk level, additional restrictions may apply, or MFA is enforced more often.

  • Temporal Access Control (TAC) considers the time at which someone attempts to gain access. During business hours, people receive standard access; outside business hours, they do not, or only after an additional MFA verification.

  • Context-Based Access Control (CBAC) is an approach that uses various context factors to enhance access security. Examples include the location where someone is working, the type of network (Wi-Fi or mobile data), or the device used.

  • With Graph-Based Access Control (GBAC), access rights are determined not only by a person's role, but also by information about the shared projects they work on and the hierarchical relationships between employees.

  • Along the same lines, there is Organization-Based Access Control (OrBAC), in which access rights in complex organizations are derived from an individual's organizational role, such as director, department manager, team manager, and so on.

  • With Capability-Based Access Control (CapBAC), a user or system holds 'capabilities': unforgeable tokens that each name a resource and the actions allowed on it, and presenting the token is what grants the access. This fits smart buildings and the Internet of Things (IoT), where devices exchange data and issue commands to each other without consulting a central directory of users.

You will notice considerable overlap between different access control names and descriptions. For example, TAC, which considers time of day, can also be seen as part of CBAC, where many other context factors can be used. These different access methods and definitions are usually not set in stone, and in practice, combinations or hybrids are often used.

Examples of Access Control Tools

In the previous paragraphs, we discussed various access control methods for managing access to systems and data. These range from access rights based on a person's role in the company to access rights in social media apps based on relationships between users. Under the hood, these mechanisms often use different technical access control tools.

One example is security labels. These are data tags that carry the classification level (confidential, secret, etc.) and are attached to data and applications; comparing a user's clearance with the label is the technical implementation of Mandatory Access Control (MAC). In IoT environments, capability tokens are often used to manage device permissions remotely. To implement Policy-Based Access Control, people often use a Policy Decision Point (PDP), which evaluates the rules, and a Policy Enforcement Point (PEP), which intercepts each request, asks the PDP, and lets the request through only on an 'allow'. In the browser, the Access-Control-Allow-Origin header of the HTTP protocol (part of CORS) tells the browser which other web origins may read a response. It is a browser-enforced read restriction, not authentication, and it does not apply to direct service-to-service calls, which rely on tokens or mutual TLS instead.
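Because Access-Control-Allow-Origin is so often misconfigured, here is an added example (not code from the original page) of a server deciding that header from the request's Origin. Two weak patterns that turn up in real audits, reflecting whatever origin arrives and matching the domain by suffix, are shown next to the allowlist form that should be used. The origins are invented for the example; the functions take a plain dict of request headers so they run without a web framework.

```python
"""Deciding the Access-Control-Allow-Origin header (added example)."""

# Hypothetical allowlist of our own front-ends; exact origins, scheme included.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(request_headers: dict) -> dict:
    """WEAK: echoes any Origin and allows credentials. Any website can then make
    a logged-in victim's browser fetch our API and read the JSON response."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix_match(request_headers: dict) -> dict:
    """ALSO WEAK: meant to allow 'our domain', but a string suffix check also
    accepts https://evilexample.com and https://example.com.attacker.net-style
    look-alikes, depending on how the check is written."""
    origin = request_headers.get("Origin")
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_allowlist(request_headers: dict) -> dict:
    """Hardened: exact-match allowlist, 'Vary: Origin' so shared caches do not
    serve one origin's response to another, and no ACAO header at all for
    unknown origins (including the literal 'null'), so the browser blocks the
    cross-origin read."""
    origin = request_headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    attacker = {"Origin": "https://evilexample.com"}
    print("reflecting :", cors_headers_reflecting(attacker))
    print("suffix     :", cors_headers_suffix_match(attacker))
    print("allowlist  :", cors_headers_allowlist(attacker))
```

Whatever the header says, the server still has to authenticate and authorize the request itself; CORS only decides whether a script on another origin may see the answer.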

In the context of access security, encryption is also often discussed, but strictly speaking these are two different topics. Encryption does protect the credentials that access control depends on: a password manager encrypts its vault, and login data in transit is protected by TLS. A service that stores its own users' passwords should not encrypt them at all but store a salted, deliberately slow hash (such as bcrypt or Argon2), so that a database breach does not hand the attacker reusable passwords. Security guidelines, in any case, often require that both access control and encryption be applied.

The Role of IAM in Your Access Control

How does IAM support access control in your organization? Today, many organizations use the Identity Provider that comes with their platform, for example Microsoft Entra ID (formerly Azure AD), which underpins Microsoft 365, or on-premises Active Directory. An Identity Provider performs the primary authentication of users and then uses SSO to grant access to the relevant applications and data.

That still does not cover everything. In an organization with hundreds or even thousands of users, it is a challenge to issue and manage all those accounts and access rights accurately and automatically. Every employee has different responsibilities and therefore needs different applications and data. Employees also change roles regularly. To manage that without problems, you need a modern Identity and Access Management solution such as HelloID. The success of an IAM solution depends on the access control methods that the platform supports.

A very simple IAM solution can include an access control or authorization matrix that records rights per individual user. For larger and more complex organizations, this does not work, and you should use an IAM solution that supports RBAC or ABAC:

  • Role-Based Access Control (RBAC) organizes your access rights based on the roles or functions an employee fulfills within the organization. A salesperson, therefore, has different access rights than a finance employee. If someone's role changes, the rights follow the role: removing the old role revokes its rights and assigning the new one grants them, without anyone editing individual permissions.

  • Attribute-Based Access Control (ABAC) is similar to RBAC, but is more granular because it uses attributes of users, applications, and data. With ABAC, access rights are not determined only by someone's role, but also by specific competencies you have, the department where you work, or your work location.
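The models listed earlier (policy-, time- and context-based access) and the RBAC/ABAC distinction just described come together in one small decision engine. The following is an added example and not HelloID's code or anything from the original page: a Policy Decision Point that first applies RBAC (role to permissions) and then layers ABAC and context rules on top (department attribute, business hours, device and network), plus a Policy Enforcement Point that is the only path to the protected handler. The roles, attributes and rules are invented for illustration; real systems read them from the identity store and policy repository.

```python
"""PDP/PEP with RBAC plus ABAC/context rules (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime

# RBAC: a role is a named bundle of "resource:action" permissions (hypothetical).
ROLE_PERMISSIONS = {
    "sales":      {"crm:read", "crm:write"},
    "controller": {"finance:read", "finance:write", "crm:read"},
    "auditor":    {"finance:read"},
}


@dataclass
class Subject:                    # attributes come from the identity store
    name: str
    roles: set
    department: str
    location: str = "office"      # or "remote"
    device_managed: bool = True


@dataclass
class Context:                    # facts about this particular request
    now: datetime
    network: str = "corporate"    # or "public"
    mfa_done: bool = False


@dataclass
class Decision:
    allow: bool
    reason: str


def rbac_permits(subject: Subject, resource: str, action: str) -> bool:
    perm = f"{resource}:{action}"
    return any(perm in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def abac_rules(subject: Subject, resource: str, action: str, ctx: Context):
    """Attribute and context rules layered over RBAC; returns a deny reason or None."""
    # ABAC: finance writes require the finance department, whatever the role says.
    if resource == "finance" and action == "write" and subject.department != "finance":
        return "finance writes require department == finance"
    # TAC: outside 09:00-18:00 any write needs a fresh MFA.
    if action == "write" and not (9 <= ctx.now.hour < 18) and not ctx.mfa_done:
        return "writes outside 09:00-18:00 require MFA"
    # CBAC: unmanaged device or public network -> read-only.
    if (not subject.device_managed or ctx.network == "public") and action != "read":
        return "only read access from unmanaged devices or public networks"
    return None


def decide(subject: Subject, resource: str, action: str, ctx: Context) -> Decision:
    """PDP: deny by default; RBAC must grant, and ABAC can still veto."""
    if not rbac_permits(subject, resource, action):
        return Decision(False, f"no role grants {resource}:{action}")
    reason = abac_rules(subject, resource, action, ctx)
    if reason:
        return Decision(False, reason)
    return Decision(True, "permitted")


def enforce(subject: Subject, resource: str, action: str, ctx: Context, handler):
    """PEP: every request passes here; the handler runs only on an allow."""
    d = decide(subject, resource, action, ctx)
    if not d.allow:
        raise PermissionError(f"{subject.name} -> {resource}:{action}: {d.reason}")
    return handler()


if __name__ == "__main__":
    alice = Subject("alice", {"controller"}, "finance")
    daytime = Context(datetime(2024, 3, 5, 10, 0))
    night = Context(datetime(2024, 3, 5, 22, 0))
    print(decide(alice, "finance", "write", daytime))   # allow
    print(decide(alice, "finance", "write", night))     # deny: MFA required
```

The order matters: RBAC answers "is this kind of person ever allowed to do this", and the attribute and context rules then answer "is it allowed for this person, here, now". Keeping the PEP as the single entry point is what makes the policy enforceable; a handler that can be reached some other way is not protected, whatever the PDP says.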

HelloID also follows ABAC principles and uses business rules, allowing rights to be configured even more flexibly. You can make rights issuance time-dependent; you can automatically create an account and grant access rights to a new employee in the system, and set them to activate exactly on the day of onboarding. Or you can have someone receive a basic set of rights by default, and only after accepting the user terms do they receive full access. Out of the access control methods described above, HelloID uses a relevant combination of capabilities required by modern, professional, and agile organizations.

Related Articles


A physical security key is a small device that can serve as a second factor for authentication. In addition to a primary security method, such as a password, the user confirms their identity with that key. It is often a small USB key, and some variants also include an NFC chip for use with smartphones. Such a physical key makes access control more secure and simpler. A well-known example is the YubiKey.

What does MAC mean?

MAC has multiple meanings. It stands for Mandatory Access Control, in which access to systems and data is granted according to strict, centrally set policy rules. Data is classified, such as confidential or secret, and only users whose clearance is at least that level can read it. MAC can also stand for Media Access Control, the link-layer method for addressing devices on a network and sending data between them.

What is the difference between RBAC and ABAC?

Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are both methods to manage access rights for users and systems in a structured way. ABAC is more powerful and flexible than RBAC. With RBAC, access rights are assigned based on roles; for example, someone with the role 'controller' has access to the financial applications. With ABAC, different attributes can be used when determining access rights. That includes someone's role, as well as the department, location, completed courses, and so on.