MAC & RBAC question

Can anyone help with a question about "rule-base access control"?
I have some sources that lump it under RBAC, and other sources that lump it under MAC. Which is it? Can it be both?
Oddly enough, these are standard study books, like Syngress, ExamCram, & Mike Meyers. You would think that they would agree.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

sprkymrk

RBAC is the acronym for both Rule Based and Role Based Access Control. MAC is a different category altogether (Mandatory Access Control).

For the purposes of the Security+ exam, don't worry too much about Rule Based Access Controol, except to remember that it is generally used in reference to Firewalls, Routers, and other network devices.

Unless otherwise stated, assume RBAC refers to Role Based Access Control which is considered better security than DAC (Discretionary), but less secure than MAC.

Webmaster

Vogon Poet wrote:

Can it be both?

Exactly. I mentioned Role Based Rule Based Access Control in my TechNotes. It can be mandatory as well, if you would do some research, you'll find that it's more commonly considered MAC, simply because an admin sets the rules. Based on those rules, users can be assigned roles automatically. As Sprkymrk mentioned, you only need to worry about MAC, DAC and RBAC and it's good to know of rule based access control. If you really want to go further into the topic, I suggest reading one of the free CISSP studyguides/chapters about access control models. It goes a lot further but it will make a lot more sense than just reading the basics of the basics.

What important to keep in mind, just as with the OSI model, is that these are models. Real systems use characteristics from these models, or a combination of them, but usually don't map exactly to one particular model.

Oddly enough, these are standard study books, like Syngress, ExamCram, & Mike Meyers. You would think that they would agree.

That's exactly what they are not: "standard". What even more odd to me is that they obviously don't consult 'the standards' either. When CompTIA released Security+ there was a race amongst authors to produce a study guide a fast a possible, so quality came second. It has and will improve over the years, but the best thing to do is google every topic and read about it in article, whitepapers, product docs etc.