Objective 1.2 | Critical Priority | 10 min read

Authorization Models

Methods for determining what authenticated users can access. Authorization models include Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Rule-Based Access Control.

Understanding Authorization Models

Authorization determines what you can do after you've proven who you are. While authentication verifies identity, authorization grants or denies access to specific resources based on permissions, roles, or policies.

Think of it like a hotel: authentication is showing your ID at check-in. Authorization is the key card that only opens YOUR room, not other guests' rooms. You're authenticated as a guest, but authorized only for specific areas.

Different authorization models suit different environments. A small business might use simple discretionary access. A military system requires mandatory access control. An enterprise typically uses role-based access. Understanding when to use each model is key for the exam.

Why This Matters for the Exam

Authorization models appear throughout the Security+ exam, especially in Domain 4 (Security Operations) which covers identity and access management. The exam tests your ability to identify which model fits a given scenario.

The most common exam scenarios involve RBAC (Role-Based Access Control) because it's the most widely used in enterprises. However, knowing MAC (Mandatory Access Control) for government/military contexts and ABAC for modern fine-grained control is equally important.

Understanding authorization also connects to the principle of least privilege—users should have minimum permissions needed for their job. This principle guides how authorization is implemented regardless of the model used.

Deep Dive

The Five Authorization Models

1. Discretionary Access Control (DAC)

  • The data OWNER decides who gets access.

  • Owner sets permissions on their own files/resources
  • Common in Windows (NTFS permissions) and Linux
  • Flexible but decentralized—inconsistent security possible
  • Users can grant access to others

*Example:* You create a document and decide which coworkers can read or edit it.

*Best for:* Small organizations, collaborative environments, user-owned data

2. Mandatory Access Control (MAC)

  • The SYSTEM decides access based on labels and clearances.

  • Resources have classification labels (Top Secret, Secret, etc.)
  • Users have clearance levels
  • System enforces access based on label comparison
  • Users CANNOT grant access to others—only administrators can

*Example:* A Top Secret document can only be accessed by users with Top Secret clearance.

*Best for:* Government, military, environments requiring strict data classification

3. Role-Based Access Control (RBAC)

  • Access based on JOB FUNCTION, not individual identity.

  • Users are assigned to roles (Accountant, Manager, Admin)
  • Roles have predefined permissions
  • Simplifies management—change the role, and the permissions follow
  • Most common enterprise model

*Example:* All users in the "Accountant" role can access financial systems.

*Best for:* Enterprises, organizations with defined job functions, scalable environments
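To make the "who decides" difference between the first three models concrete, here is a small added example (not from the original page) with one constructed decision function per model. Users, roles and resources are invented for illustration; the DAC owner keeps its own ACL, the MAC check compares labels with no way for a user to delegate, and RBAC attaches permissions to roles rather than people.

```python
from typing import Dict, Set

# DAC: the OWNER keeps the ACL and is the only one who may extend it.
class DacResource:
    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, grantor: str, grantee: str, perm: str) -> bool:
        if grantor != self.owner:          # discretionary: only the owner decides
            return False
        self.acl.setdefault(grantee, set()).add(perm)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())   # implicit deny for unlisted users


# MAC: the SYSTEM compares the subject's clearance to the object's label.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_read_allowed(clearance: str, label: str) -> bool:
    # Read is permitted only when the clearance dominates the label. There is
    # deliberately no grant() here: under MAC a user cannot delegate access.
    return LEVELS[clearance] >= LEVELS[label]


# RBAC: permissions attach to roles, and users attach to roles (constructed tables).
ROLE_PERMS = {
    "Accountant": {"ledger:read", "ledger:write"},
    "Manager": {"ledger:read", "report:approve"},
}
USER_ROLES = {"alice": {"Accountant"}, "bob": {"Manager"}, "carol": set()}

def rbac_allowed(user: str, perm: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(perm in ROLE_PERMS.get(role, set()) for role in roles)

def change_role(user: str, new_roles: Set[str]) -> None:
    # Changing the role is all that is needed: permissions follow the role, not the person.
    USER_ROLES[user] = set(new_roles)
```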

4. Attribute-Based Access Control (ABAC)

  • Access decisions based on ATTRIBUTES of user, resource, and environment.

  • Evaluates multiple attributes: user department, resource sensitivity, time of day, location
  • Highly granular and flexible
  • Uses policies that combine attributes
  • More complex to implement than RBAC

*Example:* "Finance department employees can access Q4 reports during business hours from corporate network."

*Best for:* Complex environments, cloud systems, fine-grained dynamic access control

5. Rule-Based Access Control

  • Access based on predefined RULES, typically network-focused.

  • Rules define conditions for access (IP addresses, time, protocols)
  • Often used in firewalls and routers
  • "If-then" logic: If [condition], then [allow/deny]
  • Different from RBAC—rules, not roles

*Example:* Firewall rule: "Allow traffic from 10.0.0.0/24 on port 443."

*Best for:* Network access control, firewalls, time-based restrictions
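The firewall rule above, evaluated the way a rule-based device would: an added example, not code from the page, using a constructed rule list in which a host-specific deny is placed ahead of the page's "Allow traffic from 10.0.0.0/24 on port 443" rule. It shows first-match ordering and the implicit deny that applies when no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source network the rule applies to
    port: Optional[int]              # destination port; None matches any port
    proto: str = "tcp"

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and (self.port is None or self.port == port)
                and self.proto == proto)


# Constructed rule set: a quarantine deny for one host, then the page's example rule.
RULES: List[Rule] = [
    Rule("deny", ipaddress.ip_network("10.0.0.13/32"), None),   # quarantined host, any port
    Rule("allow", ipaddress.ip_network("10.0.0.0/24"), 443),    # allow 10.0.0.0/24 on port 443
]


def evaluate(rules: List[Rule], src_ip: str, port: int, proto: str = "tcp") -> str:
    """First matching rule wins; a packet that matches nothing falls through to implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, port, proto):
            return rule.action
    return "deny"
```

Reversing the list makes the quarantined host's port-443 traffic match the broader allow rule first, which is why rule order is part of the policy, not just its presentation.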

Comparing Authorization Models

| Model | Who Decides | Flexibility | Use Case |
|---|---|---|---|
| DAC | Data owner | High | File sharing |
| MAC | System/labels | Low | Military/Gov |
| RBAC | Admin (roles) | Medium | Enterprise |
| ABAC | Policy engine | Very High | Cloud/Complex |
| Rule-Based | Admin (rules) | Medium | Network/Firewall |

Key Principles in Authorization

Least Privilege

  • Users get minimum permissions needed for their job—no more.

Need to Know

  • Access only to information required for specific tasks.

Separation of Duties

  • Critical tasks require multiple people, preventing fraud.

Implicit Deny

  • If not explicitly permitted, access is denied.

How CompTIA Tests This

Example Analysis

Scenario: A hospital needs to control access to patient records. Doctors should see their own patients' records. Nurses on a specific floor should see only that floor's patients. Billing staff should see financial data but not clinical notes. Access should only work from the hospital network during shift hours.

Analysis: This requires ABAC (Attribute-Based Access Control) because:
  • Multiple attributes determine access: role, assigned patients, floor, department, location, time
  • Simple RBAC (role only) isn't granular enough
  • Access varies by multiple dynamic conditions

If the question asked for a simpler approach: RBAC could work with very specific roles (Floor 3 Nurse, Dr. Smith's Team) but becomes complex to manage.

Key insight: When scenarios describe multiple conditions and dynamic attributes, ABAC is usually the answer. When scenarios describe job functions, RBAC is typical.
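The hospital scenario as a toy ABAC policy decision point, added here as an example that is not part of the original page. Subjects, records and the 07:00-19:00 shift window are constructed assumptions; each policy is a predicate over subject, resource and environment attributes, an environment gate applies to everyone, and anything no policy permits is implicitly denied.

```python
from datetime import time
from typing import Callable, Dict, List

# Constructed attribute stores (invented, not real hospital data).
SUBJECTS: Dict[str, dict] = {
    "dr_lee":    {"role": "doctor",  "dept": "clinical", "patients": {"p1", "p2"}},
    "nurse_kim": {"role": "nurse",   "dept": "clinical", "floor": 3},
    "bill_ray":  {"role": "billing", "dept": "finance"},
}
RECORDS: Dict[str, dict] = {
    "p1-clinical":  {"patient": "p1", "kind": "clinical",  "floor": 3},
    "p4-clinical":  {"patient": "p4", "kind": "clinical",  "floor": 3},
    "p4-financial": {"patient": "p4", "kind": "financial", "floor": 3},
    "p7-clinical":  {"patient": "p7", "kind": "clinical",  "floor": 5},
}

Policy = Callable[[dict, dict, dict], bool]

def doctor_own_patients(s: dict, r: dict, e: dict) -> bool:
    return s["role"] == "doctor" and r["kind"] == "clinical" and r["patient"] in s["patients"]

def nurse_own_floor(s: dict, r: dict, e: dict) -> bool:
    return s["role"] == "nurse" and r["kind"] == "clinical" and r["floor"] == s.get("floor")

def billing_financial_only(s: dict, r: dict, e: dict) -> bool:
    return s["role"] == "billing" and r["kind"] == "financial"

def on_shift_on_network(s: dict, r: dict, e: dict) -> bool:
    # Environment attributes: hospital network and an assumed 07:00-19:00 shift window.
    return e["network"] == "hospital" and time(7, 0) <= e["now"] < time(19, 0)

POLICIES: List[Policy] = [doctor_own_patients, nurse_own_floor, billing_financial_only]

def env(network: str, hour: int) -> dict:
    """Build the environment attributes for a request (helper for the examples)."""
    return {"network": network, "now": time(hour, 0)}

def decide(subject_id: str, record_id: str, environment: dict) -> str:
    """Environment gate AND at least one permitting policy; otherwise implicit deny."""
    s, r = SUBJECTS[subject_id], RECORDS[record_id]
    if not on_shift_on_network(s, r, environment):
        return "deny"
    return "allow" if any(p(s, r, environment) for p in POLICIES) else "deny"
```

Expressing the same matrix in pure RBAC would need a role per floor and per care team, which is the management cost the analysis above refers to.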

Key Terms to Know

authorization, access control models, DAC, MAC, RBAC, ABAC, role-based access control, permissions, least privilege

Common Mistakes to Avoid

Confusing RBAC with Rule-Based—RBAC assigns permissions by ROLE (job function). Rule-Based uses conditional IF-THEN rules (often in firewalls). The "R" means different things.
Thinking DAC is most secure—DAC is flexible but least secure because users control their own permissions. MAC is most restrictive, RBAC balances security and usability.
Missing that ABAC is the most granular—when a question requires complex, multi-attribute decisions, ABAC is the answer. RBAC handles roles but not complex conditions.
Forgetting implicit deny—most authorization systems deny by default. If a permission isn't explicitly granted, access is denied.

Exam Tips

MAC = Government/Military. When you see classification levels (Top Secret, Secret, Confidential), think MAC.
RBAC = Enterprise/Corporate. When you see job titles or roles determining access, think RBAC.
ABAC = Complex/Cloud/Dynamic. When you see multiple conditions (time + location + department + resource type), think ABAC.
DAC = User-controlled. When the owner decides permissions, think DAC.
Rule-Based = Firewalls/Network. When you see network conditions and ACLs, think rule-based access control.

Memory Trick

"Who Decides Access?"

  • DAC = Data owner decides = Discretionary
  • MAC = Mandatory system labels = Military/Government
  • RBAC = Role-based = Role = Job function
  • ABAC = Attributes (many conditions) = Advanced/Complex
  • Rule = Rules and conditions = Network/Firewall

The Flexibility Spectrum: MAC (strictest) → RBAC → DAC → ABAC (most flexible)

The Common Pairings:
  • Government + Classification = MAC
  • Enterprise + Job titles = RBAC
  • User files + Sharing = DAC
  • Cloud + Complex policies = ABAC
  • Firewall + ACLs = Rule-based

Test Your Knowledge

Q1. An organization wants to grant access to resources based on employees' job functions. New employees receive appropriate permissions by being assigned to a group matching their position. Which access control model is being described?

Q2. A government agency requires that documents labeled "Top Secret" can only be accessed by personnel with "Top Secret" clearance. Users cannot grant access to others regardless of their own clearance level. Which model is this?

Q3. A cloud application needs to grant access based on user department, resource sensitivity level, current time, and whether the user is on the corporate VPN. Which model provides this capability?
