🔐 CISSP Domain 5 · Identity & Access Management

MAC vs DAC vs RBAC vs ABAC
Access Control Models — 2026 CISSP Guide

The definitive interactive guide for CISSP students. Understand how each model works, spot the differences, and pass the exam with confidence.

OVERVIEW

What Are Access Control Models?

Access control models define who decides who gets access to resources. The CISSP exam tests your ability to identify which model is in use given a scenario — these four models are the most commonly tested.

🔴 MAC: Mandatory Access Control
Access is enforced by the system/policy. Neither users nor data owners can override it. Based on security labels and clearances.
🔑 Key word: "labels" or "clearances"

🟢 DAC: Discretionary Access Control
The data owner decides who gets access. Access is granted at the owner's discretion via ACLs or permissions.
🔑 Key word: "owner controls"

🔵 RBAC: Role-Based Access Control
Access is based on the user's role or job function. Permissions are assigned to roles, not individuals.
🔑 Key word: "role" or "job title"

🟣 ABAC: Attribute-Based Access Control
Access is determined by evaluating multiple attributes — user, resource, and environment — against a policy.
🔑 Key word: "attributes" or "conditions"

💡 CISSP Exam Tip: On the exam, look for the decision-maker. If it's the system → MAC. If it's the data owner → DAC. If it's a role/group assignment → RBAC. If it's multiple conditions evaluated together → ABAC.

Quick Reference Snapshot

| Model | Who Decides Access? | Flexibility | Best For |
|---|---|---|---|
| MAC | The system/OS | ❌ Very rigid | Military, government |
| DAC | The data owner | ✅ Very flexible | Consumer OS, file sharing |
| RBAC | Admin assigns roles | ✅ Moderately flexible | Enterprise, healthcare |
| ABAC | Policy engine | ✅✅ Most flexible | Cloud, Zero Trust |
HOW IT WORKS

Access Flow Diagrams

Each model below shows exactly how an access decision is made, step by step.

🔴 Mandatory Access Control (MAC)

The system enforces access based on security labels. No user or owner can override this policy.

👤 Subject: user with clearance level (e.g. SECRET)
→ 🏷️ System Check: compares labels & clearances
→ 📁 Object: resource with classification (e.g. TOP SECRET)

⚖️ System Decision: Is subject clearance ≥ object classification?
This check is performed by the OS/kernel — not the user or owner.
✅ ALLOW: SECRET user → SECRET file
❌ DENY: SECRET user → TOP SECRET file

Key MAC Characteristics

  • 🏛️ Who controls: The operating system/kernel — users and owners have zero override ability
  • 🏷️ Based on: Security labels (classification) on objects + clearance levels on subjects
  • 💻 Real-world systems: SELinux, AppArmor, military JWICS, NSA networks
  • ⚠️ Main weakness: Inflexible — cannot adapt to dynamic or temporary access needs
  • 🎯 CISSP signal words: "labels," "clearances," "system enforced," "cannot override," "government/military"

🟢 Discretionary Access Control (DAC)

The resource owner decides who gets access and sets permissions via an Access Control List (ACL).

👤 Subject: user requesting access
→ 📋 ACL Check: owner-set permissions list
→ 📁 Object: file/resource owned by user

👑 Owner Decision: Is this subject on my ACL with the required permission?
The owner set this list — and can change it at any time.
✅ ALLOW: subject is on the ACL
❌ DENY: subject not on ACL

Key DAC Characteristics

  • 👑 Who controls: The data owner — they set and manage the ACL themselves
  • 📋 Based on: Access Control Lists (ACLs) or capability tables set by the owner
  • 💻 Real-world systems: Windows NTFS permissions, Google Drive sharing, Unix file permissions
  • ⚠️ Main weakness: Vulnerable to Trojan horse attacks; inconsistent policies across owners
  • 🎯 CISSP signal words: "owner grants access," "user controls," "ACL," "discretion," "share with"

🔵 Role-Based Access Control (RBAC)

Access is determined by a user's role or job function. Permissions are assigned to roles, and users are assigned to roles.

👤 Subject: user with assigned role (e.g. "Nurse")
→ 🏷️ Role Lookup: what can "Nurse" do?
→ 📋 Permissions: role's allowed actions on objects
→ 📁 Object: patient records, etc.

🎭 Role Check: Does the user's role have permission to perform this action on this resource?
Admin assigns roles; roles define permissions — not individuals.
✅ ALLOW: role has the required permission
❌ DENY: role lacks the permission

Key RBAC Characteristics

  • 🎭 Who controls: System administrator assigns roles; roles have pre-defined permissions
  • 📋 Based on: User's job function or role (Doctor, Nurse, Manager, Auditor)
  • 💻 Real-world systems: Active Directory groups, hospital EMR systems, most enterprise SaaS apps
  • ⚠️ Main weakness: "Role explosion" — too many granular roles become hard to manage; less context-aware than ABAC
  • 🎯 CISSP signal words: "role," "job title," "group membership," "department," "all nurses can…"
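As an added example (not code from this guide or from any product it names), here are the three decision checks from the MAC, DAC and RBAC flows above in Python; the label ordering, Sarah's ACL and the hospital roles follow the page's own scenarios, while the user names (dr_chen, nurse_kim) are assumptions:

```python
# Added example: minimal MAC, DAC and RBAC decision functions for the
# scenarios in this guide. Illustrative code, not from any real product.
from typing import Dict, List, Set

# MAC: an ordered set of labels fixed by the system. The subject's clearance
# must be at least the object's classification; no user or owner can edit it.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def mac_allows(clearance: str, classification: str) -> bool:
    """System-enforced check: clearance >= classification."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)

# DAC: the object carries an ACL maintained by its owner, who may grant
# or revoke entries at any time; nobody else may edit the list.
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, subject: str, perm: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner edits the ACL")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())

# RBAC: permissions attach to roles and users attach to roles, using the
# hospital EMR roles from the examples section. User names are made up.
ROLE_PERMS: Dict[str, Set[str]] = {
    "Doctor": {"view:record", "update:record", "write:prescription"},
    "Nurse": {"view:record", "update:vitals"},
    "Receptionist": {"view:schedule"},
}
USER_ROLES: Dict[str, List[str]] = {"dr_chen": ["Doctor"], "nurse_kim": ["Nurse"]}

def rbac_allows(user: str, permission: str) -> bool:
    """Look up the user's roles, then check the roles' permissions."""
    return any(permission in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, []))

if __name__ == "__main__":
    print(mac_allows("SECRET", "SECRET"), mac_allows("SECRET", "TOP SECRET"))
    budget = DacObject("sarah")
    budget.grant("sarah", "tom", "read")
    print(budget.allows("tom", "read"), budget.allows("tom", "write"))
    print(rbac_allows("dr_chen", "write:prescription"),
          rbac_allows("nurse_kim", "write:prescription"))
```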

🟣 Attribute-Based Access Control (ABAC)

Access is granted when multiple attributes (user, resource, environment) all satisfy a policy. The most context-aware model.

👤 User Attributes: dept=Finance, clearance=L2
📁 Resource Attributes: sensitivity=HIGH, owner=CFO
🌍 Environment: time=9-5pm, location=HQ
→ ⚙️ Policy Engine: evaluates ALL attributes against policy rules
→ ✅ ALLOW: all conditions met
→ ❌ DENY: any condition fails

Key ABAC Characteristics

  • ⚙️ Who controls: Policy engine evaluating rules defined by security admins — highly dynamic
  • 📋 Based on: Combination of user attributes + resource attributes + environmental context
  • 💻 Real-world systems: AWS IAM policies, Microsoft Entra / Azure ABAC (attribute conditions), XACML-based systems, Zero Trust architectures
  • ⚠️ Main weakness: Most complex to design, implement and audit — policy sprawl can occur
  • 🎯 CISSP signal words: "attributes," "AND conditions," "time of day," "location," "dynamic policy," "Zero Trust"
COMPARISON TABLE

Side-by-Side Comparison

| Criteria | 🔴 MAC | 🟢 DAC | 🔵 RBAC | 🟣 ABAC |
|---|---|---|---|---|
| Who decides access? | System / OS | Data Owner | Administrator (via roles) | Policy Engine |
| Can owner override? | ❌ Never | ✅ Yes — owner controls all | ⚠️ No — admin assigns roles | ⚠️ No — policy rules apply |
| Access basis | Security labels & clearances | Identity & ACL entries | Role / job function | Multiple attributes + conditions |
| Flexibility | ❌ Very rigid | ✅ Very flexible | ✅ Moderately flexible | ✅✅ Most flexible |
| Security level | 🏆 Highest | ⚠️ Lowest (user error risk) | ✅ Good | ✅✅ Very high (context-aware) |
| Trojan horse risk | ✅ Very low (system enforced) | ❌ High vulnerability | ✅ Low | ✅ Low |
| Insider threat protection | ✅✅ Excellent | ⚠️ Poor | ✅ Good | ✅✅ Excellent |
| Auditability | ✅ Easy (system controls all) | ⚠️ Difficult (owners vary) | ✅ Easy (by role) | ⚠️ Complex (many policies) |
| Best environment | Military, government | Personal OS, small teams | Enterprise, healthcare | Cloud, Zero Trust, SaaS |
| Real-world examples | SELinux, JWICS, NSA systems | Windows NTFS, Google Drive | Active Directory, hospital EMR | AWS IAM, Microsoft Entra / Azure ABAC, XACML |
| Scalability | ⚠️ Difficult to scale | ❌ Poor at large scale | ✅ Scales well | ✅✅ Scales best |
| Admin complexity | ⚠️ High setup, then automatic | ✅ Low (owners manage) | ✅ Moderate | ❌ High (policy management) |
REAL-WORLD EXAMPLES

See Each Model in Action

Each example gives the full scenario, why it matches the model, and the CISSP exam takeaway.

MACπŸ›οΈ Military Intelligence Network
β–Ό
Environment
Government / Military
Access Basis
Security Clearance
Who Decides
System (Kernel)

A military intelligence analyst holds a SECRET clearance. The system automatically allows them to access documents labeled SECRET or below, but completely blocks access to TOP SECRET documents β€” even if their commanding officer personally requests it. The commanding officer cannot override this; only a formal clearance upgrade processed through the security administration can change access.

🎯
CISSP Takeaway: The key MAC signal is "the system enforces it and no user β€” not even the owner β€” can override." If you see "clearance level" + "system-enforced" in a question, it's MAC.
MAC · 💻 SELinux on a Web Server
Environment: Linux OS · Access Basis: Security Labels · Who Decides: SELinux Kernel

A web server process running as the Apache user tries to access /etc/shadow (the password file). Even though the Apache process is running with elevated privileges, SELinux's mandatory policies block this access entirely. The system administrator configured these labels, and even root cannot bypass them without disabling SELinux itself.

🎯 CISSP Takeaway: SELinux and AppArmor are the go-to MAC examples for Linux systems. Remember: MAC = kernel enforced, labels-based, zero owner override.
DAC · 📁 Windows File Sharing at an Office
Environment: Enterprise / Windows · Access Basis: ACL set by owner · Who Decides: Data Owner

Sarah creates a budget spreadsheet and saves it to a shared network drive. She opens the Properties → Security tab and adds her colleague Tom with Read access and her manager with Read/Write access. She can change these permissions any time, or revoke them. The IT department didn't configure this — Sarah did it herself as the file owner.

🎯 CISSP Takeaway: Whenever a user (owner) controls who can access their resource — that's DAC. The weakness: if Sarah's machine is compromised by a Trojan, that Trojan inherits her DAC permissions and can share her files.
RBACπŸ₯ Hospital Patient Records System
β–Ό
Environment
Healthcare / Enterprise
Access Basis
Job Role
Who Decides
IT Admin via roles

City General Hospital's EMR system has three roles: Doctor (can view and update treatment records, write prescriptions), Nurse (can view records, update vitals, cannot prescribe), Receptionist (can view scheduling only, no clinical data). When Dr. Chen joins the hospital, IT assigns her the Doctor role. She instantly has the right access without configuring individual permissions. When a nurse is promoted to Head Nurse, the admin simply changes the role.

🎯
CISSP Takeaway: RBAC shines in organizations with clear job functions. "All doctors can…" or "all managers can…" language in a question is a strong RBAC signal. Role changes are simple β€” change the role, not hundreds of individual permissions.
ABAC · ☁️ AWS IAM Policy for Finance Team
Environment: Cloud / AWS · Access Basis: Multiple Attributes · Who Decides: Policy Engine

An AWS IAM policy grants access to financial S3 buckets only when: (1) the user has department=finance tag, AND (2) the request comes from the corporate IP range, AND (3) the request is made between 8AM–6PM Monday–Friday, AND (4) MFA is enabled on the session. All four conditions must be true simultaneously. A finance employee working from home on a Saturday at 10PM would be denied — even though they're in the Finance department.

🎯 CISSP Takeaway: ABAC is the model behind Zero Trust ("never trust, always verify"). When you see multiple AND conditions involving user attributes + environment + resource properties, it's ABAC. It's the future of access control in cloud environments.
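As an added example (not AWS IAM policy syntax and not code from this guide), a small ABAC policy engine that evaluates the four conditions of the finance scenario above, plus the resource attribute that scopes the policy to financial buckets, and reports which conditions failed; the attribute names, the corporate range 203.0.113.0/24 and the two sample requests are assumptions:

```python
# Added example: illustrative ABAC policy engine for the four-condition finance
# policy described above. Not AWS IAM syntax; the attribute names, the corporate
# IP range and the sample requests are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

CORPORATE_RANGE = ip_network("203.0.113.0/24")   # assumed corporate range

@dataclass
class Request:
    user: Dict[str, str]        # subject attributes, e.g. the department tag
    resource: Dict[str, str]    # object attributes, e.g. bucket classification
    env: Dict[str, object]      # environment: source_ip, time, mfa

Rule = Callable[[Request], bool]

def within_business_hours(t: datetime) -> bool:
    """Monday-Friday, 8AM-6PM: weekday() 0-4 and hour in [8, 18)."""
    return t.weekday() < 5 and 8 <= t.hour < 18

# Policy = named rules over user + resource + environment attributes.
FINANCE_BUCKET_POLICY: Dict[str, Rule] = {
    "resource_is_financial": lambda r: r.resource.get("classification") == "financial",
    "department_is_finance": lambda r: r.user.get("department") == "finance",
    "corporate_ip": lambda r: ip_address(r.env["source_ip"]) in CORPORATE_RANGE,
    "business_hours": lambda r: within_business_hours(r.env["time"]),
    "mfa_present": lambda r: r.env.get("mfa") is True,
}

def evaluate(policy: Dict[str, Rule], req: Request) -> Tuple[bool, List[str]]:
    """ABAC decision: ALLOW only if every rule holds; also report failures."""
    failed = [name for name, rule in policy.items() if not rule(req)]
    return (not failed, failed)

# Constructed requests: in-office Wednesday 9:30AM, and Saturday 10PM from home.
OFFICE_WEDNESDAY = Request(
    user={"department": "finance"}, resource={"classification": "financial"},
    env={"source_ip": "203.0.113.10", "time": datetime(2026, 3, 4, 9, 30), "mfa": True})
HOME_SATURDAY = Request(
    user={"department": "finance"}, resource={"classification": "financial"},
    env={"source_ip": "198.51.100.7", "time": datetime(2026, 3, 7, 22, 0), "mfa": True})

if __name__ == "__main__":
    print(evaluate(FINANCE_BUCKET_POLICY, OFFICE_WEDNESDAY))  # (True, [])
    print(evaluate(FINANCE_BUCKET_POLICY, HOME_SATURDAY))     # (False, ['corporate_ip', 'business_hours'])
```

Returning the failed rule names alongside the decision is what makes an ABAC deny auditable, which the comparison table lists as the model's weak spot.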
ABAC · 🔒 Zero Trust Network Access
Environment: Enterprise Zero Trust · Access Basis: Continuous Attributes · Who Decides: Policy Decision Point

A company implements Zero Trust using a Policy Decision Point (PDP). Every access request is evaluated in real-time against: user identity + device health score + geolocation + time of day + resource sensitivity + current threat intelligence feed. An employee who passes at 9AM might be denied at 3PM if their device's health score drops (e.g., antivirus goes out of date). Access is never assumed — it's always evaluated.

🎯 CISSP Takeaway: Zero Trust = ABAC. The "continuous evaluation" and "never trust, always verify" principles are only possible because ABAC evaluates multiple real-time attributes on every request.
PRACTICE QUIZ

10 CISSP Scenario Questions

Each question is phrased exactly like the CISSP exam. Read the scenario and identify the access control model in use.

DECISION TOOL

Which Access Control Model Fits?

Answer three questions about your scenario to identify the right model.

Q1. Is access enforced by the operating system or kernel — with no ability for users or owners to override it?
Think: Can any user, admin, or data owner change who accesses the resource?
  • ✅ Yes: the system enforces it — no user override is possible (→ MAC)
  • ❌ No: users, owners, or admins can configure or change access (→ continue to Q2)

Q2. Can the individual who owns the resource directly control who accesses it?
Think: Does the file creator / data owner set the permissions themselves?
  • 👑 Yes — the owner decides, e.g. "Alice shared the file with Bob" or "owner sets the ACL" (→ DAC)
  • 🏢 No — a central admin or policy decides, e.g. IT configures it, or a policy engine evaluates conditions (→ continue to Q3)

Q3. Is access based on a single job role or group, or on multiple combined conditions?
Think: Does "all nurses can access X" describe it? Or does it require checking multiple attributes simultaneously?
  • 🎭 Single role or group, e.g. "all managers," "the Finance group," "anyone with the Doctor role" (→ RBAC)
  • ⚙️ Multiple conditions / attributes, e.g. department=Finance AND time=business hours AND location=HQ (→ ABAC)
MEMORY HOOKS

Mnemonics & Memory Tricks

Each card gives one mnemonic. These are designed for the CISSP exam — easy to recall under pressure.

🔴 MAC = Military Always Controls
Mandatory = Military. Access is Always Controlled by the system. No user override — ever.

🟢 DAC = Data owner Allows Choice
Discretionary = the owner has Discretion (choice). Think Google Drive — YOU choose who sees YOUR file.

🔵 RBAC = Role Brings Access to Crew
Your Role determines access. "All Nurses can…" "All Managers can…" — if the sentence uses a job title, think RBAC.

🟣 ABAC = All Boxes And Conditions
ALL attribute conditions must match. If the scenario lists multiple AND conditions — department AND time AND location — it's ABAC.

🎯 The Ultimate Exam Cheat Sheet

| If the question says… | Think… | Model |
|---|---|---|
| "clearance level" / "security label" / "cannot override" / "system enforced" | 🔴 Military / Government / No override | MAC |
| "owner controls" / "user grants access" / "ACL set by" / "shared with" | 🟢 Data owner / Google Drive / Windows sharing | DAC |
| "role" / "job function" / "all [job title] can" / "group membership" | 🔵 Hospital roles / Active Directory / Groups | RBAC |
| "attributes" / "AND conditions" / "time of day" / "location" / "Zero Trust" | 🟣 AWS IAM / Cloud / Multiple conditions | ABAC |

🏆 Top exam trap: RBAC and ABAC are often confused. Remember — RBAC uses a single role; ABAC uses multiple conditions simultaneously. If a scenario mentions a role plus time/location/device conditions, it's ABAC (not RBAC).

⚠️ Watch out — the "department" trap: "Department" can appear in both RBAC and ABAC scenarios. If everyone in Finance gets access — that's RBAC (single group/role). But if access requires department=Finance AND location=HQ AND time=business hours — that's ABAC (multiple AND conditions). Always count the conditions. One condition = RBAC. Multiple AND conditions = ABAC.
🎓 CISSP Exam Prep Platform

Ready to Pass the CISSP?
Get Everything You Need in One Place.

This infographic is just the start. FlashGenius gives you a complete CISSP prep toolkit — built for how security professionals actually learn.
