Access control model

A framework that defines policies and rules governing how users, applications, or processes are authorized to interact with systems, data, and resources.

An access control model is a structured framework within Identity & Access Management (IAM) that defines how subjects — such as users, applications, or processes — are granted or denied permission to interact with objects like data, systems, or network resources. It establishes the policies, rules, and mechanisms that govern authorization decisions, ensuring that only authenticated and properly authorized entities can perform specific actions. Common examples include Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC), each applying different criteria such as organizational roles, user attributes, or security clearance levels to determine access rights.
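The four models named above, applied to the same request, as an added example that is not part of the original entry. Every subject, role, label, attribute and rule is constructed for illustration; the MAC check is a simplified "no read up, no write down" label rule and the ABAC rule is a hypothetical policy.

```python
from dataclasses import dataclass, field

# Constructed sample policy data; every name, role, label and attribute is illustrative.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
ROLE_PERMS = {"analyst": {("report", "read")}, "editor": {("report", "read"), ("report", "write")}}

@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    clearance: str = "public"
    attrs: dict = field(default_factory=dict)

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"
    acl: dict = field(default_factory=dict)    # owner-managed: {user: {actions}}
    attrs: dict = field(default_factory=dict)

def rbac(s, r, action):
    # RBAC: rights come from the subject's organizational roles.
    return any((r.attrs.get("type"), action) in ROLE_PERMS.get(role, ()) for role in s.roles)

def abac(s, r, action):
    # ABAC: rule over attributes (assumed: same department; writes need a managed device).
    same_dept = s.attrs.get("dept") is not None and s.attrs.get("dept") == r.attrs.get("dept")
    return same_dept and (action == "read" or (action == "write" and s.attrs.get("managed_device") is True))

def mac(s, r, action):
    # MAC: system-assigned labels; assumed rule is "no read up, no write down".
    sl, rl = LEVELS.get(s.clearance), LEVELS.get(r.label)
    if sl is None or rl is None or action not in ("read", "write"):
        return False  # unknown label or action: deny by default
    return sl >= rl if action == "read" else sl <= rl

def dac(s, r, action):
    # DAC: the resource owner grants rights through an ACL.
    return s.name == r.owner or action in r.acl.get(s.name, ())

def evaluate(s, r, action):
    models = {"RBAC": rbac, "ABAC": abac, "MAC": mac, "DAC": dac}
    return {name: check(s, r, action) for name, check in models.items()}

alice = Subject("alice", {"analyst"}, "confidential", {"dept": "finance", "managed_device": False})
report = Resource("q3-report", "bob", "secret", {"alice": {"read", "write"}},
                  {"type": "report", "dept": "finance"})
for action in ("read", "write"): print(action, evaluate(alice, report, action))
```

The same read request is allowed under RBAC, ABAC and DAC but denied under MAC, because the owner's ACL entry and the analyst role cannot override a system-assigned label above the subject's clearance.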

By systematically defining who can access what and under which conditions, access control models are essential for enforcing core security principles like least privilege and separation of duties. An effective model minimizes the attack surface, protects data confidentiality, integrity, and availability, and supports regulatory compliance. It provides a consistent, auditable approach to authorization across an organization's digital environment, helping prevent unauthorized access, data breaches, and information disclosure.