“You Shall Not Pass!”— Well... Unless the Algorithm Likes You.
Once upon a time, your job title was your golden ticket—Manager? Welcome. Intern? Nice try. But in today’s cyber jungle, that old-school “role-based” thinking is about as effective as using a screen door on a submarine.
With data breaches skyrocketing (up 68% in 2021 alone!), it’s clear that the digital bouncers guarding our sensitive info need more than a clipboard and a smile. Outdated access models aren’t just clunky—they’re a full-blown liability.
This article peeks behind the velvet rope of modern access control to reveal how today’s systems decide who gets in, who gets blocked, and who gets flagged for suspicious behavior just for logging in from a beach in Bali.
1. Your "Role" Is No Longer Enough
For decades, Role-Based Access Control (RBAC) has been the standard. It’s a system that grants access based on a user's job function or position. If you're a Product Manager, you get access to the product management tools. This model is popular for its simplicity and ease of management.
However, a predictable problem arises as organizations scale: "role explosion." As business needs become more specific, administrators end up minting a role for every combination of department, project and task, and the result is hundreds of near-duplicate roles, entitlements nobody can explain, and access reviews nobody can finish. Complexity of that kind hides security gaps and adds administrative overload.
This is where the evolution begins, with Attribute-Based Access Control (ABAC). Instead of a single, static role, ABAC evaluates policies over attributes of the subject (title, department), the action, the resource (classification, owning team) and the environment (time, device, network), the four attribute categories NIST SP 800-162 uses to define the model. If RBAC is like a physical key that opens every door for a "Manager," ABAC is like a smart card that only works if the person is a manager, it's between 9 AM and 5 PM, they're logging in from a company device, and they're inside the corporate network. This shift allows for dynamic policies without needing hundreds of rigid roles.
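To make the difference concrete, here is an added example (not code from the article) of the same request evaluated first by an RBAC role table and then by an ABAC policy that also looks at time, device and network. The role names, attribute keys, rule wording and the `make_env` helper are all assumptions chosen for illustration:

```python
from dataclasses import dataclass
from datetime import time

# --- RBAC: a static role -> permission table --------------------------------
RBAC_ROLES = {
    "manager": {"reports:read", "reports:approve"},
    "intern": {"reports:read"},
}

def rbac_allows(roles, permission):
    """Classic RBAC: granted if any role the user holds carries the permission.
    Time, device and network cannot influence the answer."""
    return any(permission in RBAC_ROLES.get(role, set()) for role in roles)

# --- ABAC: rules over subject, action, resource and environment attributes ---
@dataclass
class Request:
    subject: dict      # e.g. {"id": "alice", "title": "manager", "dept": "sales"}
    action: str        # e.g. "reports:approve"
    resource: dict     # e.g. {"type": "report", "dept": "sales"}
    environment: dict  # e.g. {"time": time(10, 0), "device_managed": True, "network": "corp"}

def make_env(hour, minute=0, device_managed=True, network="corp"):
    """Build an environment dict for a request (constructed data, assumed keys)."""
    return {"time": time(hour, minute), "device_managed": device_managed, "network": network}

def during_business_hours(env):
    return time(9, 0) <= env["time"] < time(17, 0)

def from_trusted_context(env):
    return env.get("device_managed") is True and env.get("network") == "corp"

# Each rule is (name, predicate over the request). The first matching rule
# permits; if none matches the decision is deny. Because the rules compare
# resource attributes with subject attributes, one rule covers every
# department, where RBAC would need a "sales manager", "hr manager", ... role.
ABAC_RULES = [
    ("read reports of your own department",
     lambda r: r.action == "reports:read"
     and r.resource.get("type") == "report"
     and r.resource.get("dept") == r.subject.get("dept")),
    ("managers approve their department's reports in hours from a trusted context",
     lambda r: r.action == "reports:approve"
     and r.resource.get("type") == "report"
     and r.resource.get("dept") == r.subject.get("dept")
     and r.subject.get("title") == "manager"
     and during_business_hours(r.environment)
     and from_trusted_context(r.environment)),
]

def abac_decide(request):
    """Return ("permit", rule_name) for the first matching rule, else ("deny", None)."""
    for name, predicate in ABAC_RULES:
        if predicate(request):
            return "permit", name
    return "deny", None

if __name__ == "__main__":
    alice = {"id": "alice", "title": "manager", "dept": "sales"}
    report = {"type": "report", "dept": "sales"}
    print("RBAC:", rbac_allows(["manager"], "reports:approve"))
    print("ABAC 10:00 corp:", abac_decide(Request(alice, "reports:approve", report, make_env(10))))
    print("ABAC 22:30 corp:", abac_decide(Request(alice, "reports:approve", report, make_env(22, 30))))
```

The RBAC check answers "yes" to the manager at any hour from any device; the ABAC check permits the approval only inside the window the smart-card analogy describes and denies it the moment one environment attribute changes. Deny-by-default matters here: a rule set that forgets a case fails closed rather than open.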
But even with granular attributes, a critical question remains: who gets to set the rules? The answer to that question reveals a fundamental paradox in security.
2. The Paradox of Freedom: Why Letting Users Control Access Can Be a Major Risk
The strategic choice between agility and control sits at the heart of access management. In a Discretionary Access Control (DAC) model, the owner of a resource has the discretion to grant access to other users. This approach prioritizes speed and flexibility, allowing teams to move quickly without waiting for centralized approval.
The major drawback, however, is the high risk of "permission sprawl" and human error. Without centralized oversight, it becomes easy to lose track of who has access to what. For example, a product manager is granted access to a dashboard for a project. Months later, after they've moved to a different product line, that access often remains in place, leaving sensitive data exposed. This isn't just an internal issue; it’s a common vulnerability when working with third-party contractors who retain access to production environments long after their contracts have ended.
This model stands in stark contrast to Mandatory Access Control (MAC), the most stringent model. In a MAC system, a central authority assigns security labels to resources and clearance levels to users, and every access decision is made by comparing the two; the resource owner cannot override that decision by handing out access on their own. MAC prioritizes security and compliance at the cost of flexibility. This is the paradox: DAC's freedom can lead to chaos, while MAC's rigidity is essential for highly sensitive environments like government and military institutions.
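As an added example (not from the article), the following Python models both sides of the paradox: a discretionary ACL where only the owner can grant and nothing ever expires, with an audit helper that surfaces the stale grants described above, beside a mandatory check that compares a user's clearance with a resource's label using the Bell-LaPadula "no read up, no write down" rules. The level names, compartments, principals and the `project/name` object naming are constructed for the example:

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def dominates(a, b):
    """Label a dominates label b when its level is at least b's level and its
    compartment set includes every compartment of b. A label is a tuple
    (level_name, frozenset_of_compartments)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

class DAC:
    """Discretionary: the object's owner decides who gets which rights.
    Nothing here ever expires or is re-reviewed, which is how sprawl starts."""

    def __init__(self):
        self.owner = {}   # object -> owning principal
        self.acl = {}     # object -> {principal: set of rights}

    def create(self, obj, owner):
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def can_grant(self, granter, obj):
        return self.owner.get(obj) == granter

    def grant(self, granter, obj, grantee, right):
        if not self.can_grant(granter, obj):
            raise PermissionError(f"{granter} does not own {obj}")
        self.acl[obj].setdefault(grantee, set()).add(right)

    def allowed(self, principal, obj, right):
        return right in self.acl.get(obj, {}).get(principal, set())

    def stale_grants(self, memberships):
        """Audit helper: rights held on objects of a project the holder no
        longer belongs to. Objects are named 'project/name' and memberships
        maps principal -> set of current project names (both assumptions)."""
        stale = []
        for obj, entries in self.acl.items():
            project = obj.split("/", 1)[0]
            for principal in entries:
                if principal != self.owner[obj] and project not in memberships.get(principal, set()):
                    stale.append((principal, obj))
        return sorted(stale)

class MAC:
    """Mandatory: a central authority fixes clearances and labels; neither the
    owner nor the user can change them. Reads and writes follow the
    Bell-LaPadula rules: no read up, no write down."""

    def __init__(self, clearances, labels):
        self.clearances = clearances  # principal -> (level, compartments)
        self.labels = labels          # object -> (level, compartments)

    def can_read(self, principal, obj):
        # simple security property: the clearance must dominate the object's label
        return dominates(self.clearances[principal], self.labels[obj])

    def can_write(self, principal, obj):
        # *-property: the object's label must dominate the clearance, so a
        # secret-cleared user cannot copy secret data into an unclassified file
        return dominates(self.labels[obj], self.clearances[principal])

if __name__ == "__main__":
    d = DAC()
    d.create("atlas/dashboard", "owner_pm")
    d.grant("owner_pm", "atlas/dashboard", "contractor", "read")
    # the contractor rolled off the project, but the grant is still there
    print("stale:", d.stale_grants({"owner_pm": {"atlas"}, "contractor": set()}))
```

The DAC half has no notion of "should this still be allowed"; only an out-of-band audit like `stale_grants` catches the contractor who kept read access. The MAC half has no `grant` method at all: the only way to change an answer is for the central authority to relabel the object or re-clear the user.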
While MAC provides rigid control, modern threats demand more than just static rules. The most advanced systems now add another layer of intelligence by asking not just who you are, but where, when, and how you are connecting.
3. Context Is Everything: "Where" and "When" Matter as Much as "Who"
The next step in the evolution of access control is to become "context-aware." This means access decisions are based on real-time environmental factors, not just a user's static identity. This is the core principle of Contextual Access Control (CAC), a model that enhances systems like ABAC by integrating real-time data into the decision-making process.
Specific examples of contextual attributes include:
Time of day: Denying access to sensitive systems outside of normal business hours.
Geographic location: Flagging or blocking a login attempt from an unusual country.
The device being used: Requiring additional verification if a user connects from an unsecured personal device.
The network: Denying access from an unsecured public Wi-Fi network.
But the true power of context is that it allows a system to dynamically assess risk. Models like Risk-Adaptive Access Control (RAdAC) use these contextual clues to adjust permissions on the fly, moving security from a static checklist to a dynamic, risk-based decision engine. An access attempt from a known device on the corporate network might be seamless, while the same user logging in from a new country on a public network might be blocked or challenged with multi-factor authentication.
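Added example (not code from the article or from any product): a small risk-adaptive decision function that scores a login against a per-user baseline using the four contextual signals listed above plus an impossible-travel check, and returns allow, step-up (MFA) or deny. The baseline, weights, thresholds and the three login contexts are constructed assumptions:

```python
from datetime import datetime, timedelta, timezone

# What the engine has learned about each user from earlier good logins (constructed).
BASELINES = {
    "alice": {"countries": {"DE"}, "devices": {"laptop-4f2a"}, "work_hours": range(7, 20)},
}

# Weight of each risk signal; the numbers are illustrative tuning knobs.
WEIGHTS = {
    "new_device": 30,
    "new_country": 35,
    "public_network": 20,
    "off_hours": 15,
    "impossible_travel": 50,
}
SENSITIVITY_PENALTY = {"low": 0, "high": 20}  # sensitive targets tolerate less risk

def risk_signals(user, ctx):
    """Compare the live request context with the user's baseline and return the
    signals that fired. ctx keys (assumed): country, device_id, network,
    at (UTC datetime), last_login = (country, UTC datetime) or None."""
    base = BASELINES.get(user)
    if base is None:
        return ["unknown_user"]
    signals = []
    if ctx["device_id"] not in base["devices"]:
        signals.append("new_device")
    if ctx["country"] not in base["countries"]:
        signals.append("new_country")
    if ctx["network"] == "public":
        signals.append("public_network")
    if ctx["at"].hour not in base["work_hours"]:
        signals.append("off_hours")
    last = ctx.get("last_login")
    if last and last[0] != ctx["country"] and ctx["at"] - last[1] < timedelta(hours=2):
        signals.append("impossible_travel")  # two countries in under two hours
    return signals

def assess(user, ctx, sensitivity="low"):
    """Turn the signals into a score and a decision: allow, step_up (MFA) or deny."""
    signals = risk_signals(user, ctx)
    score = sum(WEIGHTS.get(s, 100) for s in signals) + SENSITIVITY_PENALTY[sensitivity]
    if score < 25:
        decision = "allow"
    elif score < 70:
        decision = "step_up"
    else:
        decision = "deny"
    return {"score": score, "signals": signals, "decision": decision}

# Three constructed requests from the same user.
_T = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
OFFICE_LOGIN = {"country": "DE", "device_id": "laptop-4f2a", "network": "corp",
                "at": _T, "last_login": ("DE", _T - timedelta(days=1))}
HOTEL_LOGIN = {"country": "DE", "device_id": "laptop-4f2a", "network": "public",
               "at": _T.replace(hour=22), "last_login": ("DE", _T)}
BEACH_LOGIN = {"country": "ID", "device_id": "phone-unknown", "network": "public",
               "at": _T.replace(hour=3), "last_login": ("DE", _T.replace(hour=2))}

if __name__ == "__main__":
    for name, ctx in [("office", OFFICE_LOGIN), ("hotel", HOTEL_LOGIN), ("beach", BEACH_LOGIN)]:
        print(name, assess("alice", ctx))
```

The same user gets three different answers from the same credentials: a known device on the corporate network passes silently, a late-night session from hotel Wi-Fi is challenged for a second factor, and a new phone in a new country an hour after a login in Germany is refused outright. The `sensitivity` argument is the "risk-adaptive" part: the threshold for a payroll database is stricter than for the cafeteria menu without any change to the signals themselves.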
This real-time context provides powerful, dynamic security. But what if we could model access in a way that intuitively understands our organization's structure from the ground up? This is where the future of access control lies—not in rules, but in relationships.
4. The Future of Access Is About Relationships, Not Just Rules
A fundamentally different and modern approach to authorization is emerging: Relationship-Based Access Control (ReBAC). Instead of relying on static roles or attributes, ReBAC determines access based on the relationships between users and resources, modeled as a graph.
Think of it like a social network for permissions. You can see a file not because you hold an "editor" role, but because you are a "member" of the project team that "owns" the folder the file is in. Access is determined by your connections, not by a static label.
For example, your ability to view a file in a document store might depend on your relationship to the folder that contains it: a viewer of the folder can view every file within it, and a member of the team that owns the folder inherits the owner's rights on those files. Because the answer is derived at check time by walking the graph, removing a single edge (a user leaving the team) revokes everything that flowed through it. This relationship-based approach naturally handles hierarchical structures and complex permission scenarios.
This relationship-based model elegantly solves the "role explosion" problem that plagues traditional RBAC systems. Instead of creating hundreds of brittle roles, permissions are a natural outcome of the organizational graph, scaling intuitively as the organization grows.
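Added example, not from the article: a relationship graph of tuples (object, relation, subject) in the style of Google's Zanzibar paper, with a schema that says owners are also editors and viewers and that a file's relations flow from its parent folder. The team, folder and file names, the schema and the `object#relation` userset notation are assumptions for the example:

```python
from collections import defaultdict

# Relationship tuples: (object, relation, subject). A subject is either a user
# id or a userset "object#relation", meaning everyone holding that relation
# on that object. All data here is constructed for the example.
TUPLES = [
    ("team:core", "member", "user:alice"),
    ("team:core", "member", "user:bob"),
    ("folder:roadmap", "owner", "team:core#member"),
    ("folder:roadmap", "viewer", "user:carol"),
    ("file:q3.docx", "parent", "folder:roadmap"),
    ("file:q3.docx", "viewer", "user:dave"),
]

# Per-type rewrite rules (assumed schema): a relation holds directly, via a
# stronger relation on the same object ("implied_by"), or via the same-named
# relation on the object's parent ("from_parent").
SCHEMA = {
    "team": {"member": {}},
    "folder": {
        "owner": {},
        "editor": {"implied_by": ["owner"]},
        "viewer": {"implied_by": ["editor", "owner"]},
    },
    "file": {
        "owner": {"from_parent": "owner"},
        "editor": {"implied_by": ["owner"], "from_parent": "editor"},
        "viewer": {"implied_by": ["editor", "owner"], "from_parent": "viewer"},
    },
}

class Graph:
    def __init__(self, tuples):
        self.index = defaultdict(set)  # (object, relation) -> set of subjects
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def remove(self, obj, rel, subj):
        """Delete one edge; every permission that depended on it disappears."""
        self.index[(obj, rel)].discard(subj)

    def check(self, obj, relation, user, _seen=None):
        """Does `user` hold `relation` on `obj`? Depth-first walk over direct
        tuples, usersets, implied relations and parent objects, with a visited
        set so cyclic data (a folder inside itself) cannot loop forever."""
        seen = _seen if _seen is not None else set()
        key = (obj, relation)
        if key in seen:
            return False
        seen.add(key)
        for subj in self.index.get(key, ()):
            if subj == user:
                return True
            if "#" in subj:  # userset: recurse into its members
                s_obj, s_rel = subj.split("#", 1)
                if self.check(s_obj, s_rel, user, seen):
                    return True
        rules = SCHEMA.get(obj.split(":", 1)[0], {}).get(relation, {})
        for implied in rules.get("implied_by", []):
            if self.check(obj, implied, user, seen):
                return True
        parent_rel = rules.get("from_parent")
        if parent_rel:
            for parent in self.index.get((obj, "parent"), ()):
                if self.check(parent, parent_rel, user, seen):
                    return True
        return False

if __name__ == "__main__":
    g = Graph(TUPLES)
    for who in ["user:alice", "user:carol", "user:dave", "user:eve"]:
        print(who, "viewer:", g.check("file:q3.docx", "viewer", who),
              "editor:", g.check("file:q3.docx", "editor", who))
```

Nobody was ever granted anything on `file:q3.docx` except Dave, yet Alice can edit it: she is a member of `team:core`, the team owns `folder:roadmap`, and ownership of a folder flows down to its files. Dropping the single tuple that makes Bob a team member removes his view and edit rights on every folder and file the team owns, which is the revocation story RBAC's per-role grants struggle with.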
Are Your Gates Ready for the Future?
The world of access control is evolving from simple, static rules to dynamic, intelligent systems. Modern security no longer asks just "who" is trying to get in, but also considers the full context of the request and the intricate relationships between users and data. This shift from static identity to dynamic context provides far more granular and effective protection against increasingly sophisticated threats.
This raises a critical question: As the lines between our networks, devices, and data blur, is your organization's access control model an enabler of secure productivity or its biggest vulnerability?
Tags: security, ABAC, ACM (Access Control Model), Attribute-Based Access Control, CAC, Central Authority, Context-Aware Access, Contextual Access Control, DAC, Discretionary Access Control, Dynamic Security, Granularity, MAC, Mandatory Access Control, Permission Sprawl, RAdAC, RBAC, ReBAC, Relationship-Based Access Control, Risk-Adaptive Access Control, Role-Based Access Control, Security Paradox, data breach, role explosion, secure engineering, security architecture. 2024