Mastering Access Control: 5 Core Permission Models and Practical RBAC Design

Access control restricts what users can see and do in an application. This guide introduces five mainstream permission models and shows how to apply them in real systems.

ACL : Access Control List – each object has a list of subjects and allowed actions.

DAC : Discretionary Access Control – subjects can grant their own permissions to others.

MAC : Mandatory Access Control – access depends on matching security labels of subjects and objects.

ABAC : Attribute‑Based Access Control – decisions are based on subject, object, environment, and action attributes.

RBAC : Role‑Based Access Control – permissions are assigned to roles, and users acquire permissions through role membership.

ACL Model

Each object maintains a list of subjects that can perform specific actions. Simple but becomes hard to manage when many subjects exist.

DAC Model

Extends ACL by allowing subjects to delegate their permissions to others, enabling permission propagation.

MAC Model

Uses security labels for both subjects and objects; access is granted only when the labels satisfy predefined rules, common in high‑security environments.

ABAC Model

Evaluates dynamic attribute expressions to decide access, supporting fine‑grained policies. Attributes include subject attributes (e.g., age), object attributes (e.g., document type), environment attributes (e.g., time), and action attributes (e.g., read/write).

RBAC Model

Core idea: users are linked to roles, and roles aggregate permissions. RBAC consists of three elements: users, roles, and permissions.

RBAC Extensions

Four levels exist:

RBAC0 : Basic many‑to‑many user‑role and role‑permission relationships.

RBAC1 : Adds role hierarchy, allowing child roles to inherit parent permissions.

RBAC2 : Introduces constraints such as mutually exclusive roles and role cardinality limits.

RBAC3 : Combines hierarchy and constraints for a comprehensive model.

Practical Permission Management in Systems

Effective permission design comprises three parts: user management, role management, and permission management.

User Management

Map each employee to the organizational structure, considering data sharing across departments.

Role Management

Define stable roles based on business needs, support automatic assignment of base roles, temporary roles with expiration, virtual roles for special permissions, and whitelist/blacklist mechanisms.

Permission Management

Control is applied at three levels:

Page/Menu permissions – hide UI elements for unauthorized users.

Operation permissions – restrict CRUD actions on specific data.

Data permissions – enforce row‑level and column‑level access, often via rule‑based configurations.

Best Practices

Keep the permission system simple and clear from the start; avoid unnecessary roles and complex logic to prevent future chaos. Use a “no‑access” page instead of generic 404 errors to improve user experience.