Access control models: Discretionary, mandatory, role-based, and rule-based


While physical security remains a priority for every business, security specialists need to ensure that strong policies do not prevent employees from accessing the spaces and resources they need to do their work efficiently.  

That makes decisions about access control important. Some areas of the business need to be easily accessible for all employees, while other areas require higher security to reduce the risk of damage or loss of property and confidential information. 

Security administrators can strike a balance by developing a set of policies using an access control system that defines individual employees’ permissions to certain areas. For example, all employees can have permission to access a building during normal business hours, but only a limited number can have permission to access a secure area, such as a server room, where highly confidential information is stored. 

The policies that determine user permissions are known as access control models. This blog describes the four most widely used access control models, then provides more detail on role-based access control (RBAC) and rule-based access control models, explaining and comparing their purpose, scope, and benefits.

Access control models and types

There are five main access control systems or models defined under different terms. Generally, the choice of models includes role-based access control, rule-based access control, discretionary access control, mandatory access control, and attribute-based access control. The type of model that will work best depends on many different factors, including the type of building, number of people who need access, permission granularity capabilities of an access control software, and level of security required.

Role-based access control (RBAC)

So, what is role-based access control? Simply put, in a role-based access control method or model, a security professional determines user permissions or user privileges based on the role of the employee. This could be their position or title within the company, or the type of employment status, such as differentiating between a temporary employee and full-time staff.

Rule-based access control (RuBAC)

With the rule-based model, a security professional or system administrator sets access management rules that can allow or deny user access to specific areas, regardless of an employee’s other permissions. 

Discretionary access control (DAC)

The decisions on user permissions are taken at the discretion of one person, who may or may not have security expertise. While this limits the number of people who can edit user permissions, this model can also put an organization at risk because the decision maker may not be aware of the security implications of their decisions. 

Mandatory access control (MAC)

In contrast, mandatory access control models give the responsibility of access decisions to a security professional who is the only person with authority to set and manage permissions and access rights. This model is often used for businesses who protect sensitive data or property, and therefore require the highest levels of security status.

Attribute-based access control (ABAC)

Attribute-based access control, also known as policy-based control, evaluates the attributes or characteristics of employees, rather than roles, to determine access. An employee that doesn’t present attributes set by the security administrator is denied access.  

When considering rule-based and role-based access control, to select the most appropriate system access, the security professional must have a full understanding of the level of risks in different areas of a property, the organizational structure, business processes, and the roles and responsibilities of all employees who require access to specific areas.


Openpath’s flexible cloud-based software

  • Remote access management powered by cloud-based software

  • Granular and site-specific user permissions for any number of doors

  • Real-time access event tracking, visual monitoring, and alerts

  • Custom Fields and Rules Engine to support all access control models

  • Ability to edit individual users, or apply bulk changes with ease

  • Sync Openpath users with identity providers automatically

  • Automatic system updates maximize both security and uptime

What is role-based access?

This model is based on a principle known as ‘least privilege’. An employee is only allowed to access the areas or resources necessary to perform the duties associated with their role in the business. Access can be based on factors such as an employee’s seniority, job title, or responsibilities. 

For example, senior managers may be able to access most areas of a building, including secure areas. Administrative workers might only be able to access the main entrance and low-security meeting areas. Specialist employees, such as engineers, technicians, or research staff may have permissions to access restricted areas relevant to their work. 

Setting permissions to manage access rights can be more complex if an employee holds more than one role. To use an analogy from a ‘lock and key’ environment, employees with a number of different roles and management responsibilities are granted the digital equivalent of a ‘bunch of keys’ to open doors to areas where they need to perform their duties. However, their ‘bunch of keys’ will not open other doors that are not relevant to their role, or give them unnecessary access.

Setting role-based permissions 

Role-based access control builds security around an employee’s role and this can help develop strong policies in businesses with large numbers of employees. Rather than taking a discretionary access control approach to set individual permissions for a large number of employees, security administrators set permissions based on a smaller, more manageable number of roles.

Security administrators can define roles in a number of ways, including:

  • by department

  • by job title

  • by level of seniority

  • by responsibilities

  • by membership of a team

  • by level of security clearance 

A common role-based access control example would be that a software engineer role has access to GCP and AWS, while finance roles have access to Xero.

If employees are members of a group, such as a project team, they may acquire additional permissions given to the group to complete a specific task. For example, a project team might need to access a secure conference room to hold their meetings. Administrators track membership of teams, granting temporary group permissions to new members and withdrawing permissions when members leave the team or a project is complete. 

To help security administrators define roles effectively, the National Institute of Standards and Technology (NIST) has defined a set of standards for role-based access control best practices. The permissions cascade by security level:

  • Level 1, Flat: This gives every employee at least one role, which gives them basic permission to enter a building and go to their workplace.  

  • Level 2, Hierarchical: Here, senior executives have a set of permissions relating to their role and grade. They can also use role-based permissions assigned to the staff reporting to them.

  • Level 3, Constrained: Some employees may have a number of roles and related permissions. If the multiple permissions create a potential conflict of interest, the security administrator can impose a ‘Separation of duties’ rule and restrict access to minimize any security risk resulting from the conflict of interest.

  • Level 4, Symmetrical: Here, security administrators regularly review permissions and may change them based on the results of the review.
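
The hierarchical and constrained levels interact: a senior role that inherits a junior role's permissions can trip a separation-of-duties rule indirectly. The sketch below is an added example, not Openpath's or NIST's code; the role names, areas, and the conflicting pair are constructed for illustration.

```python
# Constructed sample data (hypothetical roles and areas).
ROLE_PERMS = {
    "staff": {"main_entrance"},
    "accounts_clerk": {"finance_office"},
    "payments_approver": {"vault_room"},
    "finance_manager": {"executive_floor"},
}

# Level 2, Hierarchical: a role inherits the permissions of the roles listed.
INHERITS = {
    "accounts_clerk": {"staff"},
    "payments_approver": {"staff"},
    "finance_manager": {"accounts_clerk"},
}

# Level 3, Constrained: role pairs that one person must not hold together.
SOD_PAIRS = [frozenset({"accounts_clerk", "payments_approver"})]


def expand(roles):
    """Return every role held directly or through the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, ()))
    return seen


def permissions(roles):
    """Effective areas: the union of permissions over all expanded roles."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in expand(roles)))


def sod_conflicts(roles):
    """Conflicting pairs present in the expanded set, inherited roles included."""
    held = expand(roles)
    return [sorted(pair) for pair in SOD_PAIRS if pair <= held]


def assign(current_roles, new_role):
    """Add a role only if the result violates no separation-of-duties pair."""
    if new_role not in ROLE_PERMS:
        raise KeyError(f"unknown role: {new_role}")
    proposed = set(current_roles) | {new_role}
    conflicts = sod_conflicts(proposed)
    if conflicts:
        raise ValueError(f"separation of duties violated: {conflicts}")
    return proposed
```

Checking the expanded role set rather than only the directly assigned roles is what catches the manager who inherits the clerk role and is then proposed as an approver.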

Role-based access control benefits

There are role-based access control advantages and disadvantages. Set up correctly, role-based access control can provide much-needed security for a business. Here are a few of the benefits of role-based access control:

Stronger security - Role-based access control provides permissions on a need-to-know basis that only gives access to spaces and resources essential to the employee’s role. 

Reduced administration - Security administrators only have to allocate and manage permissions to a small number of roles, rather than creating individual permissions for each employee.  

Simpler moves, adds, and changes - If an employee joins the organization or changes roles, administrators simply allocate or reallocate permissions based on the employee’s new role. This can even be automated when identity providers are synced to user permissions. 

Reduced risk of error - Access permission is granted on the basis of a role with a defined security profile, rather than at the discretion of an individual who may not be aware of the security risks. 

Consistent security standards - Administrators can impose consistent standards across multiple sites by ensuring that employees’ roles always carry the same permissions, regardless of location. 

Improved productivity - Role-based permissions are aligned to the structure and strategy of the business. This ensures that the right security measures allow employees access to all the spaces and resources they need to work productively, rather than acting as a barrier. 

Maintaining compliance - By ensuring that only employees with an authorized role can access data covered by regulations, administrators can ensure that the business is compliant with any federal, state, or industry regulations.

Lower security management costs - Simpler administration, moves, adds, and changes, together with reduced risk of costs associated with security breaches or non-compliance, help reduce overall security costs. 

While there are many important role-based access control benefits, the model can prove inflexible, for example in organizations where employees take multiple roles and the composition of project teams or workgroups changes frequently. As with any type of security, improper use, lack of auditing, and not adhering to the latest access control trends can all lead to vulnerabilities over time. 

Implementing role-based access

There are a number of important steps when it comes to implementing role-based access control:

Review current access profile - List all doors or access points in the property and identify their security level from low to highest. Prepare a list of employees with access to higher-security areas. Identify any higher-risk areas that do not have a list of authorized employees. 

Create an access profile for each role - Work with HR and line managers to identify areas that each role needs to access to carry out their role.  

Document and publish roles and permissions - To ensure all employees understand their access permissions, publish the permissions associated with each role. This helps avoid any errors or misunderstandings.

Update the access profile - Prepare a new access profile, linking access points to employee roles, instead of individual names. 

Carry out regular reviews - Gather feedback from employees and identify any access problems. Review any security issues resulting from weak access control and revise permissions if necessary.


What is rule-based access?

Under this model, security administrators set high-level rules to determine how, where, and when employees can access spaces or resources. Administrators set a control list for each space or resource. When an employee attempts to gain access, the access control system checks the list of requirements and grants or denies access. 

Like role-based models, security administrators use rule-based access control to manage access points within a building.

However, access permissions are not related to specific roles and they can be used to override other permissions that an employee holds. For example, an HR professional with role-based permission to access a room holding personnel records may not be able to access that area if it is covered by a rule that denies access to all employees on weekends. 

Rule-based models are frequently used in conjunction with other models, particularly role-based models. This hybrid approach enables administrators to set granular rules that provide additional levels of security to meet specific types of risk. The rules in a rule-based access control example are typically based on factors, such as:

  • Time - for example, no access outside normal business hours.

  • Seniority level - for example, no access to any employee below a specified grade.

  • Threat level - for example, if other access points have been compromised. 

Each access point might have a different set of rules, and the rules can be static or dynamic:

  • Static rules don’t change, unless the administrator decides to make changes to meet emerging threats or new security requirements. For example, an administrator can change the rules applying to an area if it requires a higher level of security.

  • Dynamic rules can change under certain circumstances. For example, if the security system detects multiple failed attempts at authorization, the user can be denied access.

  • Implicit deny rules can deny access to any user who does not have specific credentials to enter an area.

Rule-based access control benefits

Stronger security - Rule-based models can work in conjunction with other access control models to provide higher levels of security.

Granular control - Security administrators can set and manage many variables within rules to ensure a very fine level of control and increase levels of protection for secure areas.

Simple authorization - Access requests are checked and validated quickly against a list of pre-determined rules.

Flexible control - High-level rules can be changed and implemented quickly across the organization without changing specific role-related permissions. 

Assured compliance - Rules can be aligned with federal, state, or industry compliance regulations to override other permissions that might compromise compliance. 

Weaknesses of rule-based access control models

Time-consuming process - Setting and managing variables can be extremely time-consuming both for setting up the system and implementing changes.

High levels of monitoring - Administrators must continually monitor the systems to ensure that the rules are meeting their intended objectives. 

Cumbersome - In some situations, rules can prevent employees from working efficiently by restricting access to essential spaces and resources.

Complexity - Rules can become complex if administrators apply high levels of granularity. This can make them difficult to manage and difficult for employees to understand. 

Generic - Rule-based models do not relate to individual employees’ roles and responsibilities and their need to access different spaces or resources.

Implementing rule-based access control

There are a number of important steps when it comes to implementing rule-based access control and considering rule-based control best practices:

Review current access rules - Review the rules that apply to specific access points, as well as general rules that apply to all access points. Identify any higher-risk areas that do not have specific access rules. This should be done on a regular basis, as security vulnerabilities are constantly changing and evolving.

Analyze "what-if" scenarios - Identify potential scenarios that might require additional rules to minimize risk.

Update or create rules - Based on the assessment, set new rules or update existing rules to strengthen levels of security.

Avoid permission conflicts - Compare rules with permissions set by other access control models to ensure that there is no conflict that would wrongly deny access.

Document and publish rules - To ensure all employees understand their access rights and responsibilities, publish the most important rules and communicate any changes. While employees may not need to know the granular details, it’s important to make sure they understand how policy changes may affect their day-to-day operations.

Carry out regular reviews - Conduct regular system audits to identify any access problems or gaps in security. Review any security issues resulting from weak access control and revise rules if necessary.


Rule-based vs. role-based access control

Both models are set and managed by security administrators. They are mandatory rather than discretionary, and employees cannot change their permissions or control access. However, there are some key differences when comparing rule-based vs. role-based access control, which can determine which model is best for a specific use case.


  • Rule-based models set rules that apply, regardless of job roles.

  • Role-based models base permissions on specific job roles.


  • Rule-based access controls are preventative – they don’t determine access levels for employees. Instead, they work to prevent unauthorized access.

  • Role-based models are proactive – they provide employees with a set of circumstances in which they can gain authorized access. 


  • Rule-based models are generic – they apply to all employees, regardless of role.

  • Role-based models apply to employees on a case-by-case basis, determined by their role. 

Use cases 

Role-based models are suitable for organizations where roles are clearly defined, and where it is possible to identify the resource and access requirements based on those roles. That makes RBAC models suitable for organizations with large numbers of employees where it would be difficult and time-consuming to set permissions for individual employees. 

Rule-based systems are effective in organizations with smaller numbers of employees or where roles are more fluid, making it difficult to allocate ‘tight’ permissions. Rule-based systems are also important for organizations with multiple areas that require the highest levels of security. A role-based model on its own may not provide an adequate level of protection, particularly if each role covers different levels of seniority and different access requirements.


Hybrid models

Rule- and role-based access control models can be considered complementary – they use different approaches to achieve the same purpose of maximizing protection. Role-based systems ensure only the right employees can access secure areas or resources. Rule-based systems ensure authorized employees access resources in appropriate ways and at appropriate times.

Some organizations find that neither model provides the required level of protection. By adopting a hybrid model, security administrators can provide both high-level protection through role-based systems, and flexible granular control through rule-based models to deal with different scenarios. 

For areas with lower security requirements, such as entrance lobbies, administrators can provide access to all employees through the role-based model, but add a rule-based exception denying access outside business hours. 

For higher security areas, administrators can allocate permissions to specific roles, but use rule-based systems to exclude employees in a role who are only at junior level. 

A hybrid model like that provides the benefits of both models while strengthening the overall security posture. 
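
The hybrid evaluation described above, with roles granting access and per-door rules able to override the grant, can be sketched as follows. This is an added example, not Openpath's implementation; the doors, roles, grade threshold, lockout limit, and business hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Role-based layer (constructed sample policy): role -> doors it may open.
ROLE_DOORS = {
    "employee": {"lobby"},
    "hr": {"lobby", "personnel_records"},
    "engineer": {"lobby", "server_room"},
}


@dataclass
class User:
    name: str
    roles: set
    grade: int                # seniority level, higher is more senior
    failed_attempts: int = 0  # recent failed authorizations


def business_hours(user, door, when):
    """Static rule: deny outside Mon-Fri 08:00-18:00 (assumed hours)."""
    if when.weekday() >= 5 or not (8 <= when.hour < 18):
        return "outside business hours"
    return None


def min_grade(required):
    """Static rule factory: deny any user below the specified grade."""
    def rule(user, door, when):
        if user.grade < required:
            return f"grade {user.grade} below required {required}"
        return None
    return rule


def lockout(max_failures):
    """Dynamic rule factory: deny after repeated failed attempts."""
    def rule(user, door, when):
        if user.failed_attempts >= max_failures:
            return "too many failed attempts"
        return None
    return rule


# Rule-based layer: each access point carries its own rule list.
DOOR_RULES = {
    "lobby": [business_hours],
    "personnel_records": [business_hours, lockout(3)],
    "server_room": [min_grade(3), lockout(3)],
}


def decide(user, door, when):
    """Return (allowed, reason): roles grant, any rule that fires denies."""
    if not any(door in ROLE_DOORS.get(r, set()) for r in user.roles):
        return False, "implicit deny: no role grants this door"
    for rule in DOOR_RULES.get(door, []):
        reason = rule(user, door, when)
        if reason:
            return False, f"rule deny: {reason}"
    return True, "role grant, no rule objected"
```

Returning the reason alongside the decision gives the audit trail needed to spot rules that wrongly deny access when they conflict with role permissions.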


Simplify door access control management

  • Easy and secure permission configuration by user role, attributes, and custom rules 

  • Set access schedules for all doors, gates, turnstiles, and elevators 

  • Ability to remotely unlock any door or activate a building lockdown

  • One mobile credential for every entry with touchless Wave to Unlock

  • Built-in biometric, MFA and video verification for high-security areas

  • Adjust access permissions at any time using a remote, cloud-based access control software

Role-based and Rule-based access control vs. attribute-based access control

In a role-based system, security administrators allow or deny access to a space or resource based on the employee’s role in the business.

In an attribute-based system, administrators control access based on a set of approved attributes or characteristics. Although an employee’s role might form part of their attributes, generally the employee’s profile will include other attributes, such as membership of a project team, workgroup, or department, as well as management level, security clearance, and other criteria.

A role-based system is quicker and easier to implement because the administrator only has to define a small number of roles. In an attribute-based system, the administrator has to define and manage multiple characteristics. 

However, using multiple characteristics may be an advantage for certain use cases because it allows administrators to apply a more granular form of control. 

Rule-based vs. attribute-based access

In a rule-based system, administrators allow or deny access based on a set of predetermined rules.

Conversely, attribute-based access control (ABAC) models evaluate a set of approved attributes or characteristics before allowing access. Administrators may develop a wide-ranging set of characteristics aligned to the specific security needs of different access points or resources. The biggest difference between these two types is the type of information and actions that they use to grant or deny access. Attributes are still usually tied to the employee’s personal information, such as their team, work status, or clearance. Rules, on the other hand, are often related to working hours, door schedules, devices, and similar criteria.  

Both models allow granular control of access, which is a benefit for organizations with specific security requirements. Rule-based and attribute-based models can both be used in conjunction with other models such as role-based access control. Both models can be time-consuming to implement and manage as administrators have to define multiple rules or attributes. However, rules and attributes also offer greater scalability over time.


Key takeaways

Rule- and role-based access control are two of the most important models for determining who has access to specific areas or resources within a business. By implementing the most appropriate model, a security administrator can manage access at a high level or apply granular rules to provide specific protection for high-security areas.

Rule- and role-based access control allow businesses to utilize their security technology with a truly customized approach. By determining who has access to specific areas and resources within a business, a business is able to implement the most appropriate model and manage access at a high level, as well as apply granular rules to provide more robust protection to high-security areas. 

While both models provide effective security and strong benefits, they require different levels of effort to develop, implement, and manage access security policies. As an added bonus, rule-based and role-based models complement each other and can be deployed as a hybrid model for even stronger access control security.

To take the next step in selecting the right access control model for your business, contact Openpath to arrange a security consultation. 

If you need assistance in choosing the best door access control system for your business, Openpath might be able to help. Contact us for a security consultation.
