RBAC In The Real World

RBAC In The Real World (PDF, 1.63MB)
Published: 16 Sep, 2002
Created by:
Christine Occhipinti

There are three types of access control models: mandatory access control, discretionary access control and non-discretionary access control. Discretionary access control is based on a user's access needs: a system administrator grants access to an object based on the user's need, and the user then has the discretion to pass that access on to other users or not. Mandatory access control is more restrictive and is normally used in military systems. With mandatory access control, every object and every user in the system is assigned a label, and a user can access an object only as the permissions of the labels assigned to them allow. Non-discretionary access control is based on roles: privileges are granted according to a user's role in the organization. A mixture of these access control models is usually required to meet all the security needs of a system. After some research on these mechanisms, Role-Based Access Control (RBAC), a type of non-discretionary access control, was chosen as the best solution to mitigate the risk from vulnerabilities on a system I worked on.
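To make the three models concrete, the following added example (not code from the paper or from the system it describes) implements a minimal decision function for each: a MAC check that compares subject and object labels, a DAC object whose owner can delegate rights, and an RBAC store where permissions attach to roles rather than users. The label ordering and the Bell-LaPadula style "no read up / no write down" rules are assumptions; the paper only says that labels are assigned. The users, roles and object names are constructed sample data.

```python
from typing import Dict, Set, Tuple

# Constructed label lattice for the mandatory access control example.
# The paper says only that every object and user carries a label; the
# Bell-LaPadula style comparison rules below are an assumption.
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(subject_label: str, object_label: str, action: str) -> bool:
    """MAC: the decision depends only on the two labels, never on the owner."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if action == "read":
        return s >= o      # "no read up": a confidential user cannot read secret data
    if action == "write":
        return s <= o      # "no write down": secret data must not flow to a lower label
    return False


class DacObject:
    """DAC: an administrator gives the owner access, and the owner may pass it on."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        # rights held per user; 'share' is the right to pass other rights on
        self.rights: Dict[str, Set[str]] = {owner: {"read", "write", "share"}}

    def allows(self, user: str, action: str) -> bool:
        return action in self.rights.get(user, set())

    def share(self, granter: str, grantee: str, action: str, with_share: bool = False) -> bool:
        """A user may delegate only rights they hold, and only if they hold 'share'."""
        held = self.rights.get(granter, set())
        if "share" not in held or action not in held:
            return False
        granted = self.rights.setdefault(grantee, set())
        granted.add(action)
        if with_share:
            granted.add("share")   # delegation chain: the grantee may share further
        return True


class Rbac:
    """RBAC: permissions attach to roles; users are assigned roles, not permissions."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, obj: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, action))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        # Removing one role drops every permission it carried in a single step,
        # which is the administrative advantage RBAC has over per-user grants.
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user: str, obj: str, action: str) -> bool:
        return any((obj, action) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


if __name__ == "__main__":
    # Constructed walkthrough: a clinical records object under each model.
    print("MAC secret->confidential read:", mac_allows("secret", "confidential", "read"))
    doc = DacObject("alice")
    doc.share("alice", "bob", "read")
    print("DAC bob may re-share:", doc.share("bob", "carol", "read"))
    rbac = Rbac()
    rbac.grant("nurse", "patient_chart", "read")
    rbac.assign("bob", "nurse")
    print("RBAC nurse reads chart:", rbac.allows("bob", "patient_chart", "read"))
```

The RBAC path is the one the paper chose: when a user changes job, the administrator swaps roles rather than auditing every object the user was ever granted, and the check in `allows` never consults the user directly, only the roles they currently hold.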