A mandatory access control (MAC) policy is characterized by information classification and user clearance levels.
MAC policy dictates that a user cannot change the security permissions or configuration.
MAC policy is layered and is also referred to as a “latticed” approach.
A discretionary access control (DAC) policy is characterized by a user's ability to pass on permissions.
A DAC policy also identifies the owner of information. The owner has control over who gets permissions to the object and what those permissions will be (hence, the owner's discretion).
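The MAC and DAC descriptions above, as an added example that is not part of the original page: a lattice check where labels are fixed, beside an owner-controlled ACL where permissions can be passed on. The level names, compartments, user names, the read rule (clearance must dominate classification) and the "grant" permission are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed ordering
@dataclass(frozen=True)  # frozen: a user cannot rewrite a label (MAC)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: level at least as high AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def mac_can_read(clearance, classification):
    # Assumed rule: the clearance must dominate the object's classification.
    return clearance.dominates(classification)

@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, grantor, user, perm):
        # The owner may always grant; others only if they were given "grant".
        if grantor != self.owner and "grant" not in self.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} may not pass on permissions")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())

def demo():
    alice = Label("secret", frozenset({"hr"}))  # constructed clearance
    out = {
        "mac_hr_doc": mac_can_read(alice, Label("confidential", frozenset({"hr"}))),
        # Lower level, but a compartment alice lacks: labels are incomparable.
        "mac_finance_doc": mac_can_read(alice, Label("public", frozenset({"finance"}))),
    }
    doc = DacObject(owner="bob")
    doc.grant("bob", "carol", "read")
    try:
        doc.grant("carol", "dave", "read")  # carol holds read, not grant
        out["dac_carol_regrant"] = True
    except PermissionError:
        out["dac_carol_regrant"] = False
    doc.grant("bob", "carol", "grant")  # owner's discretion: delegate granting
    doc.grant("carol", "dave", "read")
    out["dac_dave_read"] = doc.allowed("dave", "read")
    return out
```

Calling `demo()` returns the four decisions; the second MAC result shows why the order is a lattice and not a simple ranking, since a higher level alone does not grant access.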
A role-based access control (RBAC) policy identifies users in the company based on a job function or logical business grouping. Permissions are granted to the group and ...