█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Access Control Models
40 minIntermediate

Access Control Models

After this lesson, you will be able to: Apply RBAC, ABAC, and least privilege to design a real-world access control scheme.

Once you know who the user is, you have to decide what they can do. This lesson covers the two main authorization models. RBAC and ABAC, and how to apply least privilege to a small organization.

Prerequisites:Multi-Factor Authentication

Role-Based Access Control (RBAC)

RBAC groups permissions into roles (Admin, Editor, Viewer) and assigns roles to users. It's simple, scales to thousands of users, and is the default in almost every SaaS product. The cost: roles get bloated over time, and edge cases force role explosion ('Editor-but-can't-publish-on-Fridays').

Admin
  • ·Manage users
  • ·Edit content
  • ·View content
Editor
  • ·Edit content
  • ·View content
Viewer
  • ·View content
Under RBAC you assign users to roles, and the role carries the permissions. Change the role once and every user in it updates.

Attribute-Based Access Control (ABAC)

ABAC evaluates rules against attributes of the user, resource, action, and context. Example: 'Allow if user.department == file.department AND time is during business hours AND user.country == 'US'.' Far more expressive than RBAC, but harder to audit and slower to evaluate. AWS IAM policies are a good real-world ABAC example.

💡 When to use which

Start with RBAC, it's clearer and easier to audit. Switch to ABAC (or hybrid) only when role explosion gets painful or when you need context-aware rules (location, time, sensitivity).

Design exercise: a school's access scheme

Imagine a school management system. Map out the roles you'd need.

  1. 1

    List the user types: students, teachers, principals, IT staff, parents

  2. 2

    List the resources: grades, attendance, financial records, lesson plans

  3. 3

    For each user × resource pair, decide: Read, Write, both, or neither

  4. 4

    Group users with the same access into a role

  5. 5

    Identify any role that needs a context rule (e.g., teachers can only see grades for students in their class)

The hidden third model: ReBAC

Relationship-Based Access Control checks 'is this user related to this resource?' (e.g., the resource's owner, a member of its group). Google Drive uses ReBAC, your access depends on whether someone shared the file with you. ReBAC is rising in popularity because most real apps think in terms of relationships, not roles.

Quick Check

Which model fits best?

A hospital wants to allow doctors to access only patients assigned to them. Which model best fits?

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Multi-Factor Authentication
Back to Identity and Access Management
Directory Services and SSO→