Gary's Stock Room Problem.
Coffee beans vanishing. Milk going missing. Someone nicked the good biscuits. Gary tries five different approaches — week by week — until Sarah arrives with the answer.
Gary's stock room keeps getting raided. He needs to control who goes in. He tries five different approaches — each one fails or succeeds in its own way.
Week 1. Gary puts a sign on the door: "MY ROOM. I DECIDE." He gives his mate Steve a key. Works fine — until Steve gives a copy to his mate Barry, and Barry gives one to his girlfriend, and now half of Cipher Lane has a key to Gary's stock room. Gary didn't approve any of them.
That's DAC — Discretionary Access Control. The owner controls access and can share it freely. Flexible, but messy — people pass access along and you lose track. Linux file permissions are DAC. chmod 777 is Gary giving everyone a key.
Week 2. The council steps in. They stamp every item with a coloured sticker — red items (secret recipes) top shelf, orange items (financials) middle, green items (napkins) bottom. Staff get matching wristbands. Green wristband? You can only touch green items. The sticker won't come off. The council controls the labels. Not Gary. Not anyone.
That's MAC — Mandatory Access Control. The system decides. Even the owner can't override it. Military classification is MAC. Bell-LaPadula (confidentiality): no read up, no write down. A green wristband can't read the red recipe shelf, and a red wristband can't copy a recipe down onto the green shelf where anyone could read it. Biba (integrity): no read down, no write up — the inverse. A green wristband can't scribble over the recipes, and a red wristband doesn't take its facts from the napkin shelf.
Week 3. Gary ditches the stickers and creates name badges instead: "Barista," "Manager," "Cleaner." The stock room door scans the badge and checks the role. All baristas get the same access. When Gary promotes his cleaner to barista, he just swaps her badge — instantly she gets every barista door.
That's RBAC — Role-Based Access Control. Users get roles. Roles get permissions. Change the role, change all the permissions at once. Most common in enterprise.
Week 4. Gary gets paranoid. He installs a smart lock that interrogates you: "What's your role? What time is it? Are you inside the building? How much stock is left? Is there a security alert active?" ALL conditions must pass before the door opens. It's 9pm, the manager swipes her badge — normally she'd get in, but the smart lock says: "It's after hours AND you're connecting from an unfamiliar IP AND the threat level is elevated. Denied."
That's ABAC — Attribute-Based Access Control. Decisions based on multiple attributes checked in real time. The most flexible model. Zero trust architectures use this.
Week 5. Gary gives up on smart technology and sticks a laminated sheet to the door: "Badges 001-010: ALLOWED. Badges 011-020: DENIED. Sundays: LOCKED. After 6pm: LOCKED." No roles, no labels, no attributes — just a flat list of rules. That's Rule-Based access control. It's how firewalls work — a list of allow/deny rules checked top to bottom.
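Week 3 (RBAC) and Week 5 (Rule-Based) side by side, as an added example that is not part of the story: the names, badge numbers and permission sets below are made up for illustration.

```python
from datetime import datetime

# Added example, not from the story: Gary's RBAC badges next to his
# laminated rule sheet. Names, items and badge ranges are invented.

# RBAC: users hold roles, roles hold permissions. Swapping someone's
# badge (role) changes every permission they have at once.
ROLE_PERMS = {
    "barista": {"beans", "milk"},
    "manager": {"beans", "milk", "financials"},
    "cleaner": {"napkins"},
}
USER_ROLE = {"alice": "cleaner"}


def rbac_allowed(user, item):
    """Deny unless the user's current role grants the item."""
    role = USER_ROLE.get(user)
    return role is not None and item in ROLE_PERMS.get(role, set())


def promote(user, new_role):
    """Gary swaps the badge: one change, all permissions follow."""
    USER_ROLE[user] = new_role


# Rule-Based: a flat, ordered list. Evaluated top to bottom, the first
# matching rule decides, and anything no rule mentions is denied
# (the same shape as a firewall rule set).
RULES = [
    (lambda badge, t: t.weekday() == 6, False),   # Sundays: LOCKED
    (lambda badge, t: t.hour >= 18, False),       # After 6pm: LOCKED
    (lambda badge, t: 1 <= badge <= 10, True),    # Badges 001-010: ALLOWED
    (lambda badge, t: 11 <= badge <= 20, False),  # Badges 011-020: DENIED
]


def rule_based_allowed(badge, when_iso):
    """First matching rule wins; no match means denied."""
    when = datetime.fromisoformat(when_iso)
    for matches, verdict in RULES:
        if matches(badge, when):
            return verdict
    return False


if __name__ == "__main__":
    print(rbac_allowed("alice", "beans"))               # False: cleaners get napkins only
    promote("alice", "barista")
    print(rbac_allowed("alice", "beans"))               # True: badge swapped, access follows
    print(rule_based_allowed(5, "2024-01-01T09:00"))    # True: badge 005, Monday morning
    print(rule_based_allowed(5, "2024-01-07T09:00"))    # False: the Sunday rule matches first
```

Note that the role table knows nothing about time and the rule list knows nothing about roles; that gap is exactly why the two models are not interchangeable.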
After five weeks, Sarah sticks her head in: "Gary, whatever system you pick — give people the absolute minimum they need to do their job. The cleaner doesn't need access to the recipe shelf. The barista doesn't need the financial records. Nothing more."
That's least privilege. The golden rule that applies to every model. Always. Non-negotiable.
Rule-Based and RBAC sound identical. They are completely different things. Rule-Based is a laminated list on the door. RBAC is name badges. Do not confuse them on the exam. — Story 08 · Access Control