What Are Authorization Models: RBAC, MAC, DAC and ABAC in Security? | A Detailed CISSP Guide

  • Updated on: February 13, 2026


    As a cybersecurity professional, you have probably heard terms like Role-Based Access Control (RBAC), Mandatory Access Control (MAC), Discretionary Access Control (DAC), Non-Discretionary Access Control (NDAC), and Attribute-Based Access Control (ABAC) thrown around in meetings or study guides. But what do these authorization models actually do, and how do they affect who can access what in your systems? Imagine you are responsible for protecting sensitive company data. You will be deciding which employees, contractors, or systems can read, write, or modify information, which is more complicated than it seems.

    For the Certified Information Systems Security Professional (CISSP) exam, it’s not enough to just recognize the names of these models; you need to understand how they work, when they apply, and what their strengths and weaknesses are in real-world scenarios.

    This guide will walk you through each model so you can spot differences, apply them correctly, and tackle exam questions with confidence.

    What Are Authorization Models?

    Authorization models define how access is granted, restricted, and enforced within a security system. They determine who is allowed to access specific resources and what actions they can perform once access is granted.

    In practice, authorization models underpin access-control decisions across operating systems, applications, databases, and networks. They translate security policies into enforceable rules that systems can consistently apply, even as users, roles, and resources change.

    As a CISSP candidate, you need to know that authorization models matter because they directly shape security posture, compliance requirements, and risk management. CISSP exam questions often test whether you can recognize which model fits a situation, not just recall definitions, especially when balancing least privilege, accountability, and operational efficiency.

    For example, imagine you manage a system where employees should only access data related to their job function. By applying the right authorization model, you reduce the risk of data exposure while ensuring users can still do their work without unnecessary barriers.

    Key takeaway: Authorization models define who can access what and under what conditions, forming the foundation for secure, manageable access control decisions.

    Role-Based Access Control (RBAC)

    Role-Based Access Control (RBAC) is an authorization model where access is granted based on a user’s job role within an organization. Instead of assigning permissions to individuals one by one, access is tied to predefined roles. This makes RBAC especially effective in structured environments with clear job functions.

    In RBAC, permissions are first assigned to roles such as system administrator, HR staff, or finance analyst. Users are then assigned to these roles and automatically inherit the associated access rights. When a user’s role changes, their access updates automatically based on their role assignment.

    Strengths and Limitations of RBAC

    RBAC simplifies access management by reducing the need to manage permissions at the individual level. It helps enforce least privilege by ensuring users receive only the access relevant to their responsibilities. This model also supports scalability as organizations grow and add more users. However, RBAC can become inflexible if roles are not carefully designed or kept up to date. Over time, organizations may create too many roles to handle exceptions, which weakens clarity and control. Without regular reviews, RBAC can drift away from its original security intent.

    Sample Scenario of RBAC

    Imagine a new hire joins the finance team. Instead of granting them dozens of individual permissions, an administrator assigns them the finance analyst role, and they immediately receive the read access to the general ledger and reporting tools that the role carries. If they later transfer to HR, the administrator removes the finance role and adds the HR role, and their access follows the job. The risk appears when someone keeps both roles "just in case": that is exactly the kind of exception that, left unreviewed, erodes least privilege and lets the role model drift from its original intent.
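The role-to-permission and user-to-role indirection described above, as an added example that is not code from the original article. The role names, permissions, and users are constructed for illustration; the `unused_roles` helper is a small review aid for the role-sprawl problem the section warns about.

```python
"""Minimal role-based access control (RBAC) engine.

Added example, not code from the original article. The roles, permissions
and user names below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role -> permissions, each written as "action:resource"
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles held
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, *permissions: str) -> None:
        # Permissions attach to the role, never directly to a user.
        self.role_permissions.setdefault(role, set()).update(permissions)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> set[str]:
        # Union of the permissions of every role the user holds.
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        # Default deny: unknown users and unassigned permissions fail.
        return f"{action}:{resource}" in self.effective_permissions(user)

    def unused_roles(self) -> set[str]:
        # Periodic review helper: roles nobody holds are candidates for
        # removal, which keeps role sprawl in check.
        held: set[str] = set()
        for roles in self.user_roles.values():
            held |= roles
        return set(self.role_permissions) - held


def build_demo() -> Rbac:
    # Constructed sample data.
    rbac = Rbac()
    rbac.define_role("hr_staff", "read:employee_records", "write:employee_records")
    rbac.define_role("finance_analyst", "read:ledger")
    rbac.define_role("sysadmin", "admin:servers")
    rbac.assign("alice", "hr_staff")
    rbac.assign("bob", "finance_analyst")
    return rbac


def transfer_demo() -> dict[str, bool]:
    """Alice moves from HR to Finance: swapping her role swaps her access."""
    rbac = build_demo()
    before_hr = rbac.is_allowed("alice", "read", "employee_records")
    before_ledger = rbac.is_allowed("alice", "read", "ledger")
    rbac.revoke("alice", "hr_staff")
    rbac.assign("alice", "finance_analyst")
    return {
        "hr_before": before_hr,          # True
        "ledger_before": before_ledger,  # False
        "hr_after": rbac.is_allowed("alice", "read", "employee_records"),  # False
        "ledger_after": rbac.is_allowed("alice", "read", "ledger"),        # True
    }


if __name__ == "__main__":
    print(transfer_demo())
    print("roles held by nobody:", build_demo().unused_roles())
```

Note that the transfer never touches a permission string: only the user-to-role binding changes, which is the whole point of the model. The `sysadmin` role defined but never assigned is what a quarterly access review should flag.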

    Mandatory Access Control (MAC)

    Mandatory Access Control (MAC) is a model in which the system, not the user, decides who can access data. Permissions are based on fixed security labels and classifications assigned to both users and resources. As a user, you cannot change or override these access rules, even if you created the data yourself.

    In MAC, every subject (user or process) and object (file, database, system) is assigned a security level, such as Confidential, Secret, or Top Secret. The system compares these labels before allowing access, using strict rules such as "no read up, no write down" (the Bell-LaPadula confidentiality rules: a subject may read only objects at or below its clearance, and may write only to objects at or above it, so data cannot flow to a lower level). Access decisions are therefore automatic and enforced consistently across the entire environment.

    Strengths and Limitations of MAC

    If you’re using MAC, you’ll have very strong protection for highly sensitive or regulated data. Because users have no control over permissions, the risk of accidental data leaks or privilege misuse is greatly reduced. This makes MAC ideal for environments where security is more important than convenience.

    On the other hand, the biggest drawback of MAC is its lack of flexibility. Managing labels, classifications, and policy changes can be complex and time-consuming, especially if you’re employed in a large organization. It’s also not practical for most business environments where roles and access needs change frequently.

    Sample Scenario of MAC

    Let’s say you work in a government agency handling classified intelligence data. Even if you are a senior employee, you cannot access documents marked above your clearance level. The system blocks access automatically, ensuring sensitive information is only seen by users with the correct authorization, no exceptions. Simply put, MAC is a rigid but highly secure model where the system enforces access rules based on classifications, not user discretion.
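The clearance check from the scenario above, carried through as an added example that is not code from the original article. The clearances, labels, and file names are constructed; the two rules implemented are the Bell-LaPadula simple security property (no read up) and star property (no write down) that the section names.

```python
"""Mandatory access control (MAC) with Bell-LaPadula confidentiality rules.

Added example, not code from the original article. The clearance and label
assignments are constructed for illustration; the rules themselves
("no read up", "no write down") are the Bell-LaPadula simple security and
star properties.
"""
from __future__ import annotations

from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Labels come from the system's security policy, not from users or from the
# objects' creators; nothing in this module lets a subject edit them.
SUBJECT_CLEARANCE: dict[str, Level] = {
    "analyst": Level.SECRET,
    "director": Level.SECRET,       # seniority does not raise clearance
    "ts_officer": Level.TOP_SECRET,
}

OBJECT_LABEL: dict[str, Level] = {
    "budget.xlsx": Level.CONFIDENTIAL,
    "ops_plan.doc": Level.SECRET,
    "sigint_report.pdf": Level.TOP_SECRET,
}


def can_read(subject: str, obj: str) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return SUBJECT_CLEARANCE[subject] >= OBJECT_LABEL[obj]


def can_write(subject: str, obj: str) -> bool:
    """No write down: the object's label must dominate the subject's clearance,
    so a Secret subject cannot copy Secret data into a Confidential file."""
    return OBJECT_LABEL[obj] >= SUBJECT_CLEARANCE[subject]


def check(subject: str, obj: str, mode: str) -> bool:
    """Reference-monitor style decision; 'rw' needs both rules, i.e. equal levels."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "rw":
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown mode {mode!r}")


def decision_matrix(subject: str) -> dict[str, tuple[bool, bool]]:
    """(read, write) decision for each object, for one subject."""
    return {o: (can_read(subject, o), can_write(subject, o)) for o in OBJECT_LABEL}


if __name__ == "__main__":
    for who in SUBJECT_CLEARANCE:
        print(who, decision_matrix(who))
```

Two results are worth noticing. The director, despite seniority, gets exactly the same decisions as the analyst because both hold Secret. And the star property cuts the other way from intuition: a Secret subject may write into a Top Secret file (write up is allowed, since nothing leaks downward) but may not write into the Confidential budget, even though they can read it.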

    Discretionary Access Control (DAC)

    Discretionary Access Control (DAC) means the owner of a resource decides who can access it. If you create a file, folder, or system object, you control its permissions. This model is commonly found in everyday operating systems and business environments.

    In practice, owners assign access rights such as read, write, or modify to other users or groups. The system enforces the resulting rules, but the decisions come from the resource owner rather than from a central authority. Because of this, permissions can change frequently based on individual judgment.

    Strengths and Limitations of DAC

    DAC is easy to understand and simple to manage, especially in small or fast-moving teams. It allows flexibility when sharing information and collaborating across departments, which makes it practical for general business systems where strict classification is not required. However, that same discretion creates security risk. Owners may accidentally grant access to the wrong person or overshare sensitive data without realizing the impact, and the system will not stop them because the grant is, by definition, theirs to make. Over time, inconsistent permissions make it difficult to track who truly has access to critical resources.

    Sample Scenario of DAC

    You create a project document on a shared company server and decide which coworkers can view or edit it. If you mistakenly grant access to someone outside the project, sensitive information could be exposed. In this case, the system allows the action, but the security risk comes from the user's choice and not from system enforcement.
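The shared-document scenario above, as an added example that is not code from the original article. User names, the file name, and the rights vocabulary are constructed. The point to watch is that the system checks only that the actor is entitled to edit the ACL; it has no opinion about whether granting an outsider read access is a good idea, which is why the `who_can` review function is the only way to discover the mistake.

```python
"""Discretionary access control (DAC): the owner of an object sets its ACL.

Added example, not code from the original article. User names, file names
and rights are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Obj:
    owner: str
    # principal -> rights held on this object
    acl: dict[str, set[str]] = field(default_factory=dict)


class DacStore:
    def __init__(self) -> None:
        self.objects: dict[str, Obj] = {}

    def create(self, creator: str, name: str) -> None:
        # The creator becomes owner and receives full rights, including the
        # right to change the ACL.
        self.objects[name] = Obj(owner=creator, acl={creator: {"read", "write", "grant"}})

    def grant(self, actor: str, name: str, principal: str, rights: set[str]) -> None:
        obj = self.objects[name]
        # The system checks only that the actor may edit the ACL; it does not
        # judge whether the grant is appropriate. That judgment is the owner's.
        if actor != obj.owner and "grant" not in obj.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {name}")
        obj.acl.setdefault(principal, set()).update(rights)

    def is_allowed(self, actor: str, name: str, right: str) -> bool:
        return right in self.objects[name].acl.get(actor, set())

    def who_can(self, name: str, right: str) -> set[str]:
        # Entitlement review: under DAC, walking every ACL is the only way to
        # learn who really has access to a resource.
        return {p for p, r in self.objects[name].acl.items() if right in r}


def sharing_demo() -> dict[str, object]:
    """Alice shares her plan with Bob, then mistakenly with an external user."""
    store = DacStore()
    store.create("alice", "project_plan.docx")
    store.grant("alice", "project_plan.docx", "bob", {"read"})       # intended
    store.grant("alice", "project_plan.docx", "dave_ext", {"read"})  # the mistake
    try:
        store.grant("bob", "project_plan.docx", "carol", {"read"})   # bob is not owner
        bob_regranted = True
    except PermissionError:
        bob_regranted = False
    return {
        "bob_reads": store.is_allowed("bob", "project_plan.docx", "read"),
        "bob_writes": store.is_allowed("bob", "project_plan.docx", "write"),
        "bob_regranted": bob_regranted,
        "readers": store.who_can("project_plan.docx", "read"),
    }


if __name__ == "__main__":
    print(sharing_demo())
```

Both grants by Alice succeed, including the one to `dave_ext`, because the system's only question is "is Alice the owner?" Bob's attempt to extend access to Carol is refused for the same structural reason. Contrast this with the MAC example, where no owner exists and the labels decide.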

    Attribute-Based Access Control (ABAC)

    If your company is using Attribute-Based Access Control (ABAC), access decisions are based on multiple attributes rather than on fixed roles or ownership. These attributes can include who the user is, what resource is being accessed, where the request comes from, and under what conditions the request is made. ABAC focuses on context, not just identity.

    In ABAC, access requests are evaluated against policies that combine user attributes, resource attributes, environmental factors, and requested actions. The system checks all these details before granting or denying access. Because decisions are rule-based, access can change automatically as conditions change.

    Strengths and Limitations of ABAC

    ABAC provides very fine-grained control over access decisions. It adapts well to modern environments like cloud platforms, remote work, and zero-trust architectures, which makes it ideal when security decisions must reflect real-world context rather than static permissions. On the other hand, ABAC is more complex to design and manage than the other authorization models. Writing and maintaining policies requires careful planning and strong governance, and without proper oversight, rules become hard to understand and troubleshoot; a denial that cannot be explained in terms of which rule failed is a support ticket waiting to happen.

    Sample Scenario of ABAC

    Imagine you are an employee who can access a sensitive database only during business hours and only when using a company-issued laptop. If you try to connect at night from a personal device, your access is automatically denied. Security decisions adjust to the conditions of each request, not to a permission granted once and left in place.
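The business-hours-plus-managed-device policy from the scenario above, as an added example that is not code from the original article. The attribute names, the extra rules (same department, clearance versus classification, no writes to confidential data), and the sample request are constructed for illustration; the example goes slightly beyond the scenario by returning the names of the failed rules, so that a denial can be explained.

```python
"""Attribute-based access control (ABAC): a policy evaluated over subject,
resource, action and environment attributes.

Added example, not code from the original article. The attribute names,
the policy rules and the sample requests are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict    # who: department, clearance, ...
    resource: dict   # what: classification, owning department, ...
    action: str      # read / write / ...
    env: dict        # context: time of request, device posture, ...


Rule = Callable[[Request], bool]

CLASSIFICATION_ORDER = ["public", "internal", "confidential"]


def within_business_hours(req: Request) -> bool:
    when: datetime = req.env["time"]
    return when.weekday() < 5 and time(9, 0) <= when.time() < time(18, 0)


def from_managed_device(req: Request) -> bool:
    return req.env["device"].get("managed") is True


def same_department(req: Request) -> bool:
    return req.subject["department"] == req.resource["owner_department"]


def clearance_covers_classification(req: Request) -> bool:
    return (CLASSIFICATION_ORDER.index(req.subject["clearance"])
            >= CLASSIFICATION_ORDER.index(req.resource["classification"]))


def not_writing_confidential(req: Request) -> bool:
    # This policy denies writes to confidential data regardless of who asks.
    return not (req.action == "write" and req.resource["classification"] == "confidential")


# Every rule must hold (deny-overrides). Naming each rule makes denials explainable.
POLICY: list[tuple[str, Rule]] = [
    ("business_hours", within_business_hours),
    ("managed_device", from_managed_device),
    ("same_department", same_department),
    ("clearance", clearance_covers_classification),
    ("no_confidential_write", not_writing_confidential),
]


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, names of the rules that failed); an empty list means allowed."""
    failed = [name for name, rule in POLICY if not rule(req)]
    return (not failed, failed)


def decide_at(year: int, month: int, day: int, hour: int, minute: int,
              managed: bool, action: str = "read") -> tuple[bool, list[str]]:
    """Constructed sample: a finance user hitting the finance payroll database."""
    req = Request(
        subject={"id": "u42", "department": "finance", "clearance": "confidential"},
        resource={"name": "payroll_db", "classification": "confidential",
                  "owner_department": "finance"},
        action=action,
        env={"time": datetime(year, month, day, hour, minute),
             "device": {"managed": managed}},
    )
    return evaluate(req)


if __name__ == "__main__":
    print(decide_at(2026, 2, 12, 14, 0, managed=True))    # Thursday afternoon, laptop
    print(decide_at(2026, 2, 12, 23, 30, managed=False))  # night, personal device
```

The same user and the same resource produce opposite decisions purely because the environment attributes changed, which is the property RBAC and DAC cannot express without inventing new roles or ACL entries. Returning the list of failed rules is the cheap way to keep an ABAC policy debuggable as it grows.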

    Non-Discretionary Access Control (NDAC)

    Non-Discretionary Access Control (NDAC) is less a separate mechanism than the umbrella term for every model in which access is not left to the resource owner's discretion: permissions are managed centrally by system rules or organizational policy. RBAC, MAC, and ABAC all fall under it, which is why exam questions often contrast "discretionary" with "non-discretionary" rather than testing NDAC on its own. Individual users or resource owners do not decide who gets access; instead, access is determined by predefined controls set by the organization.

    In NDAC, the system enforces access decisions automatically based on centrally defined policies, roles, or attributes. Users are granted permissions according to these rules, not personal judgment. This removes the ability for individuals to change access on their own, even if they own the data.

    Strengths and Limitations of NDAC

    How does NDAC help your organization? It improves consistency across large environments where many users and systems are involved. It reduces the risk of accidental permission changes that could expose sensitive data. This authorization model also supports the principle of least privilege by ensuring access is granted only when policy conditions are met.

    Yet, NDAC may be limited and feel restrictive, especially in environments that need frequent access changes. Designing effective policies takes time and careful planning to avoid blocking legitimate work. If your organization has poorly designed rules, NDAC can slow operations or frustrate users.

    Sample Scenario of NDAC

    If you work in a corporate environment, HR systems are accessible only to HR staff, finance systems only to finance teams, and IT tools only to administrators, all enforced by central policy. Even if an employee creates a file, they cannot grant access outside their department. This keeps access consistent and aligned with business roles. In short, NDAC prioritizes centralized control and consistency, making it well-suited for organizations that need strong governance and predictable access enforcement.


    Comparing Authorization Models in Cybersecurity

    Model | Flexibility | Security Strength | Complexity     | Typical Use Cases
    ------|-------------|-------------------|----------------|------------------------------------------------------------------------------------
    RBAC  | Medium      | Medium to High    | Low to Medium  | Corporate environments, enterprises with clear job roles, internal business systems
    MAC   | Low         | Very High         | High           | Military, government, classified, or highly regulated systems
    DAC   | High        | Low to Medium     | Low            | File-sharing systems, personal computers, small teams, or informal environments
    ABAC  | Very High   | High              | Very High      | Cloud platforms, zero-trust environments, dynamic and large-scale organizations
    NDAC  | Medium      | High              | Medium to High | Large enterprises that need centralized control across departments

    No single authorization model fits every situation. Your environment, regulatory needs, risk tolerance, and scale determine which model makes sense, and in practice most organizations combine them: an operating system may enforce DAC on user files while a label-based MAC policy protects the most sensitive ones, and an application may layer ABAC conditions on top of RBAC roles. The CISSP exam expects you to reason the same way, matching the model to the scenario rather than picking a favorite.

    What is the CISSP Exam Relevance of Authorization Models?

    Knowing the authorization models is essential for the CISSP exam because many questions test your ability to identify which model fits a given security scenario. You need to evaluate how access decisions affect confidentiality, integrity, and availability in real-world systems. When you know the differences between RBAC, MAC, DAC, ABAC, and NDAC, you can reason through questions quickly and accurately.

    When approaching exam questions, look for keywords that hint at who controls access, how strict the rules are, and whether context or labels influence decisions. For example, a question mentioning military clearance levels points to MAC, while a scenario emphasizing dynamic, attribute-driven access suggests ABAC.

    Similarly, if users control their own files, it’s likely DAC, and predefined roles point to RBAC. Centralized enforcement across departments would indicate NDAC. By practicing these distinctions, you build the CISSP-style thinking required to analyze access control scenarios and choose the best solution under CISSP exam conditions.

    Eventually, you’ll think like a security leader who knows when each authorization model is applicable for any risk that your organization may face.

    Secure Your CISSP Certification Today

    For cybersecurity professionals, and especially for those who aspire to lead security teams, precision matters. Production systems do not forgive a misapplied access model, so knowing the strengths, limitations, and typical scenarios of RBAC, MAC, DAC, ABAC, and NDAC is essential.

    On the CISSP exam, questions often present complex scenarios designed to confuse candidates, making it vital to differentiate the concepts and apply them correctly under pressure. If you want to get serious about passing the CISSP, you can join our expert-led intensive online bootcamp to master the material in five days. You will be led by CISSP-certified instructors who provide direct answers to your toughest questions and guide you through complex concepts. After the course, an adaptive system helps you review only what you need, saving time and maximizing exam readiness.

    For those retaking the exam, recertifying, or needing to fill knowledge gaps, the CISSP Masterclass offers a personalized, adaptive review experience. The system identifies your weak areas and adjusts content so you focus only on what you still need to learn. Each topic includes concise explanations, video lessons, flashcards, MindMap reviews, and references to popular study guides.


    John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.

