Blog article

Access Control Models Explained: A 2023 Guide

There are several ways to control access to your company resources. This article explains the main access control models and how they work.

Petr Pecha


Min read

Elevate your network security with GoodAccess

Would you want anyone to be able to access your office building? Imagine the security risk this would pose.

The same can be said for your business systems and networks. If anyone can access them, you have no way of controlling what happens to your sensitive data.

If you do not have some level of security in place to protect your business, it becomes easy for hackers to infiltrate it.

Unprotected business systems are vulnerable to cyberattacks of all kinds, including:

Phishing attacks: This is usually when a suspicious link is sent to someone in your company asking them to enter their personal information and login credentials. Hackers can then use this information to get inside your systems.

Malware attacks: This is when malicious software (malware) infects your network and cripples your operations.

❌ Ransomware: This is when hackers hold your sensitive data to ransom, demanding a fee for the safe return of your information.

❌ Insider threats: These are attacks caused by the actions of employees or ex-employees, who may have ill intent toward your company.

These security threats might sound far-fetched, yet 40% of small businesses worldwide have suffered at least one of these attacks in the last year.

Access control is an effective solution to protect your company from cyberattacks and to ensure only the right people can access your network.

In this article, we will discuss:

➡️ What access control is.

➡️ The various types of access control.

➡️ How these types of access control can protect your business.

Table of contents

What Is Access Control?

Access Control Models and Types

How GoodAccess Uses Access Control to Protect Your Business

Wrapping Up on Access Control Models

What Is Access Control?

Having an access control model in place ensures that only authorized users—your employees—can access resources related to your business.

Your business resources can include:

👉 Devices such as laptops and smartphones.

👉 Software and applications.

👉 Hardware such as routers and printers.

👉 Servers.

👉 Devices like NAS where private data is stored.

👉 Files and other data.

If you want to protect these resources, it is a good idea to implement an access control model within your business.

🔑 Entering Your Residence

Access control within a business is similar to how you would access your private residence.

You get exclusive access to the residence by having a physical key. Only those who have this key can enter the building.

Similarly, access control models ensure that only people with the key can access your business resources.

How does access control work?

As the name suggests, access control allows you to control who accesses business resources based on several factors.

Access control requires your employees—or authorized users—to provide some sort of proof of their identity, which is usually done through a login ID and a password.

🔑 The Residence Key

In our private residence example, the ID and password required to access your business resources would work similarly to the physical key you would need to access the building you reside in.

Access control also enables you to limit the resources that each employee can access to only those that they need to do their job. This is called access permissions.

For example, a marketing assistant would have access permissions to your marketing materials and campaign reports, but you would not want them to access your financial records.

🔑 Limiting Access to Your Home

You can limit who enters your private residence by only giving keys to those allowed entry to  your home, such as your family members and perhaps your cleaning service.

However, you would not want your work colleagues, for example, to be able to enter your private home as they please. They do not need access to your home.

This is exactly how access control works when restricting access to your business resources.

This model puts you in the driver’s seat as you can control access to your resources, preventing unauthorized use and harmful cyberattacks.

Physical Access Control Vs. Logical Access Control Methods

The access control models covered in this article use physical or logical access control—or both—to function.

Physical access controls focus on securing physical resources such as buildings, rooms, or equipment. It uses physical barriers to prevent unauthorized access to locations.

In physical access control, the physical security of your locations is protected by using systems like a radio frequency identification tag that your employees would need to access your office building.

A logical access control method focuses on securing your digital resources, such as your computers, data, various operating systems, and applications.

It is worth noting that these two types of access control are often used together to provide comprehensive security for businesses.

Why should I use access control in my business?

Access control models are particularly important if you store sensitive customer information on your systems.

A cyberattack that puts this customer information in a hacker's hands could be detrimental to your business.

You also need to ensure that each employee has access only to the resources they need to do their job.

Additionally, if you have remote employees who need to access your resources, access control is an excellent way to protect your business against the types of threats that emerge from remote working and reduce their impact.

Access Control Models and Types

Now that you know what access control entails, let us unpack some of the most popular types of access control models available to your business.

There are three main types of access control:

👉 Discretionary access control (DAC).

👉 Role-based access control (RBAC).

👉 Mandatory access control (MAC).

However, there are other access control models to explore, too:

👉 Rule-based access control (RBAC).

👉 Attribute-based access control (ABAC).

In this article, we will investigate all five types so you can choose the best access control model for your business.

➡️ Discretionary access control (DAC)

Discretionary access control is the least restrictive model compared to the others we will discuss.

How it works

In this model, the owner of a business resource provides user access to other employees.

A resource owner could be your head of finance, for example. In this case, they could give their team access to a file where financial information is stored.

This means that this head of department is in complete control of the resource and can assign or revoke access permission to whomever they like at their discretion.

The owner of the resource can also control the level of access that each employee has. In the  example above, your head of finance may want accounting interns only to be able to view the file rather than edit it.

Typically a resource owner only has access to a selection of resources, not your entire business.

This method uses access control lists (ACLs) that specify a list of rules and what actions each user can perform on a resource.

The advantages

👍 A discretionary access control model is useful when a resource owner wants to let select employees access a private file.

👍 The resource owner can also revoke access to the file if they want to.

The disadvantages

👎 Your resource owner can configure access control and set security level settings for any other user in your company. This gives the individual complete control and leaves plenty of room for error.

👎 It is possible that resource owners may not be focused on security and, as a result, human error could occur that ends up in a malware infection.

➡️ Role-based access control (RBAC)

In a role-based access control model, the owner of a business—or your system administrator—can decide who has access to each resource based on their role within the company.

Role-based access control is a simple and effective way to manage access control within your organization by assigning permissions based on job responsibilities.

This model also uses access control lists.

How it works

In role-based access control systems, each role within your business has defined and specific permissions and access levels.

When you hire a new employee, the necessary permissions would be instantly assigned based on the resources needed to do their job.


👍 A role-based access control system simplifies access control management by grouping your employees with similar roles together and granting access based on their job functions.

👍 This access control model reduces room for error by ensuring that permissions are assigned based on pre-defined roles, rather than being based on each individual employee.


👎 Role-based access control can be complicated to implement as it requires business owners or system administrators to analyze job functions and conduct thorough testing to ensure the model works.

👎 You may require additional resources, including hardware and software, to enable role-based access control within your organization.

➡️ Mandatory access control (MAC)

Mandatory access control models give the responsibility of access permission to one single person, such as a business owner or system administrator.

This person is responsible for access control throughout the entire organization.

How it works

The nominated individual—such as your system administrator—has the authority to set and manage all access rights.

They determine rules—or security policies—regarding who should access your business resources.

The access permissions are typically ranked in an ascending order of security clearance, such as you would see in government files; e.g. public, confidential, secret, top secret.

In business network application, you can encounter this model in company Wi-Fi with different access levels: guest, employee, manager, admin.

When an employee attempts to access a resource—also known as generating an access request—the mandatory access control system checks their permissions against who is allowed to access the resource.


👍 Mandatory access control provides a high level of security and control over who accesses your resources. This makes it harder for someone to gain unauthorized access to your resources.

👍 This access control model also reduces the risk of sensitive information falling into the wrong hands, as it ensures employees only have access to the resources they need.


👎 Mandatory access control can be quite complex to implement within a company, especially if you have many employees and resources.

👎 This model is inflexible as it uses pre-defined rules. This would not be suitable for businesses where job roles are dynamic or where access permissions need to be changed regularly.

➡️ Rule-based access control (RBAC)

The rule-based access control model involves resource access based on a set of rules.

You can allow or deny access based on a set of rules developed in advance—either by you or your security administrators.

How it works

Within the rule-based access control system, a set of security policies need to be defined, which are then enforced by your system administrator.

These policies determine which job roles need access to certain resources, just like the types of access control models explained above.


👍 Rule-based access control is a relatively simple way to implement access control in your business. The pre-defined rules in this model make it easy to maintain and manage who is allowed access to your systems.

👍 This access control model is flexible because rules can be defined based on varying criteria.


👎 It might be difficult to define pre-determined rules, particularly when it comes to large companies with specific access requirements and many employees.

👎 Rule-based access control does not consider the context in which access is being requested. It cannot consider the location of the user, for example, which may be important for some companies.

➡️ Attribute-based access control (ABAC)

Last on our list is attribute-based access control, also known as policy-based access control.

This model is usually used within businesses that deal with significant amounts of sensitive information and require high levels of security.

How it works

Granting or restricting access is based on the attributes of an employee, the resource, and the environment.

💡 Attributes: A piece of information that describes or identifies your resource. It can also describe an employee's attributes, such as their username, password, or even their fingerprints.

💡 Environment: The user’s job function, department, or location.

How it works

A resource might have an attribute that states that only marketing team employees can access a certain file.

When an employee tries to access this file, the attribute-based access control system checks their attributes against the resource.


👍 This access control method is context-aware, meaning it takes information like locations, devices, and time into consideration when assigning user access to resources.

👍 The model can easily be scaled to accommodate your business as you grow.


👎 There are some security risks associated with this type of access control model—for example, if attributes are not managed or defined properly, hackers may be able to copy attributes and gain access to your resources.

👎 This access control model can affect the levels of performance within your organization, as the evaluation of your attributes and policies is time-consuming.

How GoodAccess Uses Access Control to Protect Your Business

As a zero-trust network access (ZTNA) solution with your best interests at heart, we have designed our product to include access control.

Our priority is to increase your company’s security, and we do this by setting up access control for members and systems within your secured environment.

When using GoodAccess, you can manage who can access your business resources by giving each member of your team access permissions quickly and easily.

We use the mechanism of virtual access cards to determine which employees can access your resources, making it easy to group access to your systems depending on the user role the access card is assigned.

🔑 GoodAccess and Your Private Residence

With GoodAccess, you can manage exactly who receives keys to your private residence. In this scenario, you can think of our access cards as a key.

You also control who can access each room in the building, providing an added layer of security.

With GoodAccess you don’t need any additional hardware or a trained IT specialist. Everything is delivered as a cloud service.

Wrapping Up on Access Control Models

Now that you know what security models are available to you, you can decide on the best access control model for your business.

The best access control method for you depends on your specific needs, whether or not you have security administrators to implement your chosen model, and the number of employees you have.

If you want to secure your business against damaging cyberattacks and keep your private information safe, implementing access controls in your company is imperative.

Much like a key 🔑 manages access, the right security model will restrict access to your resources, ensuring that no unauthorized users can get into your business.

We know that access control systems are effective at keeping businesses secure. That’s why we have integrated an access control method in our product so that you can easily and effectively define access control rules.

Visit our website for a product tour and learn more about our cloud VPN for businesses like yours.

Let’s get started

See why your peers choose GoodAccess. Create your free account today and enjoy all premium features for 14 days, hassle-free.
Trusted by 1300+ customers