The 4 Main Types Of Access Control

September 23, 2022

Along with devices like security cameras and alarm systems, access control is one of the primary methods of securing a property. After all, crimes such as burglary, assault, vandalism, etc. are harder to commit if a criminal can’t gain access to a property in the first place. However, property owners are often surprised to find that there are, in fact, different kinds of access control, which are best applied in particular circumstances and further enhance the level of security present in a property.

Let’s take a look at the 4 main types of access control and the benefits that each kind offers.

How Does Access Control Work?

Before we look into the different types of access control and how they’re best applied, let’s quickly define what an access control system is and how it operates.

What Is Access Control?

Access control is a security measure that determines who’s allowed to enter a physical space, such as a building or room. Access control offers three significant advantages:

● It acts as a deterrent: seeing that a building has an access control system deters some criminals from even attempting the crime they had in mind.

● It’s a physical preventative measure: it prevents criminals from accessing a physical space.

● It records people’s entry and exit: if a crime does take place, an access control system keeps a record – an audit trail – of who was on site when it occurred. This helps the property owner, security personnel, and, in some cases, the authorities, narrow down a list of suspects.

As well as being an important part of overall security and crime prevention, access control is also a crucial component of an organisation’s information security protocol. As companies handle sensitive data from their customers, partners, etc., they have a legal obligation to collect and store it securely, which includes taking sufficient measures against its theft or loss. Consequently, by implementing an access control system, companies restrict who can gain physical access to sensitive data, while also implementing access control policies on their IT infrastructure to bolster their cyber security.

How Does Access Control Work?

The main principle behind access control is to have an individual prove their identity before they’re allowed to enter a physical space. Methods for proving their identity include:

● Key fobs
● Mobile devices, i.e., smartphones
● Biometrics: fingerprints, facial recognition, eye scanning

The access control system then verifies the individual’s credentials and grants them access to restricted areas on a property.

What Are The 4 Main Types Of Access Control?

Here are the four most common types of access control systems:

● Discretionary Access Control (DAC): this type of access control system grants individuals a certain level of access and allows them to pass on that access to others.

● Mandatory Access Control (MAC): this kind of access control system is controlled by a central authority, i.e., the system administrator, who solely determines the levels of access on a property. Subsequently, other personnel can’t pass on their access to others.

● Role-Based Access Control (RBAC): this sees an individual’s level of access determined by an individual’s position, and associated responsibilities, within an organization.

● Rule-Based Access Control: this sees an individual’s level of access determined by a set of dynamic rules and limitations defined by the system administrator.

Let’s now take a closer look at each of the four types of access control in turn.

What Is Discretionary Access Control (DAC)?

Under a Discretionary Access Control (DAC) system, the system administrator (the business or property owner, security manager, etc.) grants particular individuals access to parts of a property. The system is discretionary because the person granted access permissions by the administrator is then capable of passing on access to others (unless constrained by mandatory access control policies, which we’ll look at in the next section).

Examples include a residential building manager passing on access permissions to their staff, who are then empowered to give them to residents. Alternatively, business owners could grant different levels of access to managers, who then have the ability to grant permissions to the relevant employees.

What Are The Key Features Of Discretionary Access Control?

  • The Ability To Delegate: The system’s administrator doesn’t have to regulate access themselves, as they can pass on some of their authority to members of their team.
  • Flexibility: As DAC systems allow users other than the administrator to determine access, they’re more flexible than other types of access control systems. This, however, also makes them less secure than alternative access control setups – namely mandatory access control systems.
  • Ease of Control: As multiple people can determine access policies, DAC systems are generally more accessible than their counterparts which are solely administered by a single person.


What Are The Benefits Of Discretionary Access Control?

  • Highly Customizable: A DAC system offers a flexible approach for user authentication. The system administrator has the power to assign access rights to each employee, resident, visitor, etc. according to the processes and security needs of that particular property.
  • Faster Authentication: Because access permissions can be set by more than one person, they can be granted faster. This eliminates the bottleneck of a person having to wait to be authenticated by the system administrator – as it can be done by one of their trusted direct reports who also has the power to grant access rights.
  • Minimises Cost: As DAC systems are designed to be more dynamic and flexible than alternatives like mandatory and role-based control systems, they take less time to administer, which reduces the cost of their administration. They don’t require as detailed an initial design to correctly determine all the access permissions and don’t have to be reviewed as often.

What Is Mandatory Access Control (MAC)?

A Mandatory Access Control (MAC) system refers to an access control configuration in which all policies and permissions are determined by a single, central authority. In a MAC system, once a person’s level of access has been set, no one besides the system administrator can change it. This is in contrast to a DAC, where other personnel with certain access privileges retain the ability to pass on certain privileges when necessary, e.g., a security guard creating key cards for residents or employees. In a MAC configuration, the system administrator is personally responsible for handling access rights.
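The contrast between the two models can be made concrete with a small sketch. This is an added example, not code from any access control product; the `AccessSystem` class, the `ADMIN` identifier and the people and areas in the scenario are all constructed for illustration. Under DAC a holder can pass on only access they already hold, while under MAC every grant by anyone other than the administrator is refused, and both outcomes land in the audit trail.

```python
from dataclasses import dataclass, field

ADMIN = "admin"  # hypothetical identifier for the system administrator

@dataclass
class AccessSystem:
    mode: str                                   # "DAC" or "MAC"
    grants: dict = field(default_factory=dict)  # person -> set of areas
    audit: list = field(default_factory=list)   # (granter, grantee, area, outcome)

    def grant(self, granter, grantee, area):
        """Return True if `granter` may give `grantee` access to `area`."""
        if granter == ADMIN:
            allowed = True                      # central authority in both models
        elif self.mode == "DAC":
            # A holder may pass on only access they hold themselves.
            allowed = area in self.grants.get(granter, set())
        else:
            allowed = False                     # MAC: nobody but the admin grants
        if allowed:
            self.grants.setdefault(grantee, set()).add(area)
        outcome = "granted" if allowed else "refused"
        self.audit.append((granter, grantee, area, outcome))
        return allowed

    def can_enter(self, person, area):
        return area in self.grants.get(person, set())

def run_scenario(mode):
    """Constructed scenario: admin -> building manager -> resident."""
    system = AccessSystem(mode)
    system.grant(ADMIN, "manager", "lobby")
    system.grant(ADMIN, "manager", "gym")
    results = {
        "manager_passes_lobby": system.grant("manager", "resident", "lobby"),
        "manager_passes_roof": system.grant("manager", "resident", "roof"),
        "resident_in_lobby": system.can_enter("resident", "lobby"),
    }
    return results, system.audit
```

Refused delegation attempts are recorded as well as successful ones, which is what makes the audit trail useful when reviewing who tried to extend access.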

What Are The Key Features Of Mandatory Access Control (MAC)?

  • A Single, Centralized Authority: The access rules and permissions are manually defined by the system administrator. Because all access permissions are set by a central authority, other individuals can’t set access rights for others, as is the case with discretionary access control.
  • Detailed Initial Setup: The MAC’s system administrator will need to place a lot of effort into planning the levels of access and mapping them onto an access control list (ACL).
    Now, a downside of this approach is a lack of flexibility and a greater administrative burden for the system admin, particularly when compared to DAC systems. The trade-off of this, however, is greater security.
  • Ongoing Monitoring: A MAC system requires continuous monitoring to maintain accurate access levels for all users. As thorough as the system’s initial setup may be, situations will arise where users have the incorrect level of access, thereby increasing the administrative burden of the person in charge of the system. In organizations, in particular, it’s going to take some trial and error to ensure that employees have sufficient access and aren’t prevented from carrying out their jobs efficiently.

    What Are The Benefits Of Mandatory Access Control?

    • Highly Secure: MAC is the most secure of the four main types of access control. As a result, MAC systems are implemented on sites that place a higher priority on security than flexibility and the expense of their operations, like military bases, government buildings, banks and financial institutions.

    • Single Source of “Truth”: In a MAC, for better or worse, the buck stops with the system admin. This centralizes the whole access control system and makes it easier to track any changes and, by extension, anomalies.

    • Improves Regulatory Compliance: By tightening control over who is granted access, MAC systems make it easier for organizations to meet the regulatory and standards requirements that surround data. Better still, because they’re easier to audit, MAC systems make it easy for organizations to prove regulatory compliance.

    What Is Role-Based Access Control (RBAC)?

    Role-Based Access Control (RBAC) provides access permissions based on an individual’s pre-defined position in a hierarchy. Examples include:

    • Residents being granted access to certain parts of a complex, such as the building and floor on which they reside and communal areas. In contrast, they’ll be denied access to other buildings and floors on which they have no business being, as well as other areas like the roof of buildings, boiler rooms, etc.

    • Conversely, the staff of a residential complex being given access to restricted areas according to their job roles, such as cleaners, maintenance staff, etc.

    • Staff within a company being granted access to different areas on a commercial premises depending on their responsibilities, e.g., warehouses, stock rooms, the cash office, etc.


    What Are The Key Features Of Role-Based Access Control (RBAC)?

    Access rights in an RBAC system centre around a series of variables that are mapped to a property’s processes, functions and policies. RBAC systems are often favoured by organizations as they make it relatively simple to group people based on the places on a site that they need access to – and, by extension, the places they don’t need access to.

    The process of defining the roles in an RBAC system looks something like this:

    • Define Areas That Require Access: Make a list of areas on your property that people require access to.
    • Define Roles: Determine how each person fits within the system hierarchy and what level of access they should have.
    • Create Access Policies: Create, and document, a series of access policies for your property and map them to an access control list (ACL). Clearly documenting your ACL policies helps to ensure that everyone is clear on it and limits room for misunderstandings.
    • Monitor: Periodically observe how well the RBAC is working, while remaining open to feedback from your workforce and/or residents.
    • Adapt: Allow your RBAC policy to evolve with the needs of your property, management processes, new security risks, emerging technologies, and legislation changes.

    What Are the Benefits of Role-Based Access Control (RBAC)?

    • Simple: Because access is based on pre-defined roles, it’s relatively simple to assign levels of access. Now, while determining the level of access for each role may take some time and consideration up-front, it’s easy to subsequently group people once they’re set.
    • Reduced Administrative Burden: RBAC systems allow system admins to implement roles globally so they can be applied to all relevant sites at once. This is especially helpful in bigger organizations with a large workforce spread across several locations. RBAC systems also allow admins to add new roles to the system or switch an individual’s role if they need to adjust levels of access. Similarly, it’s also straightforward to provide visitors, like suppliers and contractors, with pre-defined roles on an individual, ad-hoc basis.
    • Improves Compliance: Much like a MAC, with an RBAC system in place, it becomes much easier to meet regulatory requirements, because it’s straightforward to prove why certain individuals need their given level of access.

    What Is Rule-Based Access Control?

    Rule-based access control assigns access permissions to users based on a set of dynamic rules and limitations defined by the system administrator. These rules limit access based on certain conditions, such as the location, time, the device being used, etc.

    For instance, in a residential complex, access to communal areas, like pools and children’s playing areas is only permitted at certain times when staff is on hand. Outside of those times, a rule-based access control system will restrict anyone, save for certain personnel, from entering.

    What Are the Key Features of Rule-Based Access Control?

    A rule-based access control system is defined in a similar way to an RBAC system, except the system is governed by context instead of pre-defined roles. Subsequently, the process of setting up a rule-based system looks something like the following:

    • Define Areas That Require Access: Make a list of areas on your property that people require access to and the conditions under which they should be granted said access.
    • Define High-Level Rules: The system admin sets a series of high-level rules based on the specifics of what, how, where and when someone can have access.
    • Create Access Policies: Create, and document, a series of access policies based on the defined high-level rules for your property and map them to an access control list (ACL).
    • Monitor: Periodically observe how well the rules govern access while remaining open to feedback from your workforce and/or residents.
    • Adapt: Allow your rule-based policy to evolve with the needs of your property, management processes, new security risks, emerging technologies, and legislation changes.

    What Are the Benefits of Rule-Based Access Control?

    • Temporary Customisation: You can automate changes and set additional permissions for a limited time in unusual circumstances, rather than requiring your staff to track an individual’s access and remember to revoke that access later. However, only authorised personnel can change these rules, which helps to avoid issues.
    • High-Specificity: You can be as detailed as you want in how you control access, rather than providing overly broad access for too many people.
    • Compliance: By standardising and controlling the context of access to areas on your property, you can better meet regulatory compliance requirements and prove how you’ve achieved this compliance if called to.

    The Key Differences between Rule-Based Access Control and Role-Based Access Control

    In a role-based access control system, restrictions are based around a person’s role or responsibilities, while in a rule-based access control system those restrictions are built around the context of why that individual would need access. Subsequently, rule-based systems are more flexible than role-based systems. It’s not simply a case of a person having access or not, as determined by their role; a rule-based access control system grants permissions based on a pre-defined set of circumstances.

    Consequently, rule-based and role-based access control systems can complement one another. While role-based access control ensures that only the right people have access to specific places on a property, rule-based access ensures that those individuals can only access areas under the circumstances the system administrators, i.e., management, have deemed best.
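The layering described above, sketched as an added example (not code from the original article or from any vendor system): a role check decides whether a person may ever enter an area, then a time-window rule decides whether they may enter it now. The role names, areas, opening hours and the `decide` function are constructed assumptions, modelled on the communal pool example earlier in this article.

```python
from datetime import datetime, time

# Constructed role-to-area map (the role-based layer).
ROLE_AREAS = {
    "resident":    {"lobby", "pool", "playground"},
    "maintenance": {"lobby", "pool", "boiler_room", "roof"},
    "cleaner":     {"lobby", "pool"},
}

# Constructed rules (the rule-based layer):
# area -> (opens, closes, roles exempt from the time window)
AREA_RULES = {
    "pool":       (time(8, 0), time(20, 0), {"maintenance"}),
    "playground": (time(9, 0), time(18, 0), set()),
}

AUDIT = []  # audit trail: (timestamp, person, role, area, decision, reason)

def decide(person, role, area, when):
    """Apply the role check first, then the contextual rule for the area."""
    if area not in ROLE_AREAS.get(role, set()):
        # Unknown roles and unlisted areas are denied by default.
        decision, reason = False, "role not permitted"
    elif area in AREA_RULES:
        opens, closes, exempt = AREA_RULES[area]
        if role in exempt or opens <= when.time() < closes:
            decision, reason = True, "role and rule satisfied"
        else:
            decision, reason = False, "outside permitted hours"
    else:
        decision, reason = True, "role permitted, no rule for area"
    AUDIT.append((when.isoformat(), person, role, area, decision, reason))
    return decision, reason
```

Every decision, including denials, is appended to `AUDIT` with its reason, so a review can tell a role misconfiguration apart from an after-hours attempt.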


    Here are the four main types of access control systems:

    • Discretionary Access Control (DAC): where individuals are granted access and some can pass that access on and grant permissions to others.
    • Mandatory Access Control (MAC): where only the system administrator can grant access permissions.
    • Role-Based Access Control (RBAC): access is pre-determined by an individual’s position.
    • Rule-Based Access Control: access is pre-determined by a particular set of circumstances, such as time and location.

    If you want to discuss which type of access control system would be best for your residential complex or business, contact us for a free onsite inspection and security consultation.

    Kylie Butchard of Pacific Security Group.

    Kylie Butchard is a highly respected and experienced leader in Australia’s electronic security industry, having successfully steered Pacific Security Group for over 17 years. With a career embedded in customer service, she has consistently focused on putting people first – clients and staff. Known for her strong, resilient, positive, values-driven, consistent, and compassionate approach, Kylie ensures that her team delivers top-notch security solutions tailored to clients’ unique needs.
