Domain Access Control (DAC) vs. RBAC and MAC
DAC can either grant or elevate access levels for users in the following way:
If the User (Role, Team Member) has no access via standard permissions, DAC can be configured to provide or raise access levels using DAC Rules.
MAC can conditionally deny access even if access is granted by RBAC and DAC.
Figure 8.
RBAC assigns permissions directly on the item, which can only change with the lifecycle state (or authorized editing).
DAC assigns permissions to leaf items under a subdomain if the associated rules are satisfied. The combination of RBAC and DAC Policy is “least restrictive”, meaning either one can grant permission to the current user.
MAC imposes strict conditions on a user’s access to items by evaluating attributes of the user against attributes of the item in conditional (Boolean) expressions. If the conditions are not TRUE, then access is revoked even if granted by RBAC/DAC Policies.
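The evaluation order described above can be modeled as `(RBAC OR DAC) AND MAC`. The following Python sketch is an added illustration, not code from the product: the class names, the team-membership DAC rule and the clearance/classification MAC condition are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set
    attrs: dict = field(default_factory=dict)

@dataclass
class Item:
    name: str
    state: str            # current lifecycle state
    rbac: dict            # lifecycle state -> roles permitted in that state
    subdomain: str = ""   # DAC subdomain this leaf item sits under
    attrs: dict = field(default_factory=dict)

def rbac_grants(user, item):
    # RBAC: permission sits on the item and depends only on its lifecycle state.
    return bool(user.roles & item.rbac.get(item.state, set()))

def dac_grants(user, item, dac_rules):
    # DAC: any satisfied rule for the item's subdomain grants access.
    return any(sub == item.subdomain and rule(user, item) for sub, rule in dac_rules)

def mac_allows(user, item, mac_conditions):
    # MAC: every Boolean condition over user/item attributes must be TRUE.
    return all(cond(user, item) for cond in mac_conditions)

def decide(user, item, dac_rules, mac_conditions):
    # "Least restrictive" union of RBAC and DAC, then MAC may still deny.
    granted = rbac_grants(user, item) or dac_grants(user, item, dac_rules)
    return granted and mac_allows(user, item, mac_conditions)

# Constructed sample policy (hypothetical rule and attribute names).
DAC_RULES = [("ProjectX", lambda u, i: "ProjectX" in u.attrs.get("teams", set()))]
MAC_CONDITIONS = [lambda u, i: u.attrs.get("clearance", 0) >= i.attrs.get("classification", 0)]

PART = Item("Part-001", "Released", {"Released": {"Engineer"}, "Preliminary": {"Author"}},
            subdomain="ProjectX", attrs={"classification": 1})
USERS = [
    User("alice", {"Engineer"}, {"clearance": 2, "teams": {"ProjectX"}}),  # RBAC grants
    User("bob", {"Supplier"}, {"clearance": 1, "teams": {"ProjectX"}}),    # DAC elevates
    User("carol", {"Engineer"}, {"clearance": 0}),                         # MAC denies
    User("dave", {"Guest"}, {"clearance": 3}),                             # nothing grants
]

def demo():
    return {u.name: decide(u, PART, DAC_RULES, MAC_CONDITIONS) for u in USERS}

if __name__ == "__main__":
    print(demo())
```

Note that a high clearance alone never grants access in this model: MAC only filters what RBAC or DAC has already granted.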