Skip to content

Explain DAC, MAC, RBAC, and ABAC. When would you choose each?

Short answer

DAC lets the data owner grant access at their discretion; MAC enforces access centrally via labels/clearances and is non-discretionary; RBAC grants access through job roles; ABAC evaluates attributes (user, resource, environment) against policy for fine-grained, context-aware decisions.

Access control is a core CISSP domain, and this comparison shows whether you can match a model to a real environment rather than reciting acronyms.

DAC — Discretionary Access Control

The resource owner decides who gets access and at what level, typically via ACLs. It is flexible and common in commercial OSes (file permissions), but it scales poorly and is risky: a single user can over-share, and it is vulnerable to malware acting with the user's rights.

MAC — Mandatory Access Control

Access is non-discretionary and enforced by the system based on security labels (e.g. Confidential, Secret, Top Secret) compared against a subject's clearance, plus need-to-know. Owners cannot override it. It is rigid and high-assurance, which is why it dominates military, intelligence, and other classified settings.

RBAC — Role-Based Access Control

Permissions attach to roles that map to job functions; users inherit access by holding a role. It scales well in enterprises and simplifies joiner/mover/leaver changes, but suffers from role explosion when too many narrow roles accumulate.

ABAC — Attribute-Based Access Control

Decisions are computed at request time from attributes of the subject, resource, action, and environment (time, location, device posture) evaluated against policy. It is the most fine-grained and context-aware — "allow if department = finance AND on-network AND business hours" — at the cost of policy complexity. It underpins modern zero-trust designs.

What interviewers look for

Correctly identifying who controls access in each model (owner, system/label, role, policy/attributes), naming MAC as non-discretionary and label-driven, and connecting RBAC's role explosion to ABAC's flexibility — all anchored to least privilege.

Likely follow-ups

  • Why is MAC preferred in military and classified environments?
  • What is role explosion and how does ABAC help?
  • How does the principle of least privilege apply across these models?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.