IAM Scheme / Model

May 24, 2026

**Excellent question.**

### What is an **Identity and Access Management (IAM) Scheme**?

An **IAM Scheme** (also called **Access Control Model** or **IAM Model**) is a **framework or methodology** that defines:

- How **identities** (users, devices, applications, etc.) are created, managed, and verified.
- How **access rights** and permissions are assigned, enforced, and revoked.

In simple terms:
It answers the question → **“How does the organization decide who can access what, and how is that decision made consistently?”**

### Core Components of an IAM Scheme

An IAM scheme typically includes:

1. **Identification** – Who are you? (e.g., username, employee ID)
2. **Authentication** – Prove you are who you say you are (password, MFA, biometrics)
3. **Authorization** – What are you allowed to do? (permissions, roles, rules)
4. **Accountability** – Logging and auditing what you did

### Common IAM Schemes / Access Control Models

Here are the main types you should know (especially for CISSP):

| IAM Scheme / Model | Full Name | How Access is Granted | Best Used For | Key Characteristic |
|---|---|---|---|---|
| **DAC** | Discretionary Access Control | Owner of the resource decides | Small companies, file sharing | Flexible but less secure |
| **MAC** | Mandatory Access Control | Based on security labels & clearances | Government, military, high security | Very strict & rigid |
| **RBAC** | Role-Based Access Control | Based on user’s job role | Most commercial organizations | **Consistent & scalable** |
| **ABAC** | Attribute-Based Access Control | Based on attributes (user, resource, environment) | Complex, dynamic environments | Very flexible |
| **ReBAC** | Relationship-Based Access Control | Based on relationships (e.g. Facebook) | Social apps, modern cloud | Relationship-focused |

### Why Organizations Choose One IAM Scheme Over Another

When Cassandra is deciding which IAM scheme to implement, the **deciding factors** are usually:

- **Consistency** (as we discussed earlier)
- Scalability
- Operational effort
- Security requirements
- Regulatory compliance
- Business needs

For example:

- A bank might choose **RBAC** because it is consistent and auditable.
- A cloud-native tech company might choose **ABAC** because it is more dynamic and context-aware.

### Simple Real-World Example:

Imagine a company with 5,000 employees.

- **Bad IAM Scheme**: Every manager manually gives permissions to every employee individually (inconsistent and chaotic).
- **Good IAM Scheme** (e.g., RBAC): HR assigns a "Finance Analyst" role, and the system automatically gives the correct permissions to everyone in that role.
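The contrast between the schemes in the example above, as added illustration code (not part of the original post): an RBAC check where permissions flow only from roles, an ABAC check that layers resource and environment attributes on top of it, and an audit log for the accountability component. Role names, permissions, attributes and the sample user are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for this example (role names, permissions and
# attributes are assumptions, not a real organization's policy).
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read", "report:create"},
    "hr_manager": {"employee:read", "employee:update"},
}
AUDIT_LOG = []  # accountability: every decision is recorded here

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Resource:
    name: str
    department: str
    classification: str

def rbac_allows(user, action):
    """RBAC: permissions come from the role, never from the individual user."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return action in granted

def abac_allows(user, action, resource, env):
    """ABAC: the role is only one attribute; the resource and environment
    (department match, data classification, MFA, time of day) also decide."""
    if not rbac_allows(user, action):
        return False
    if resource.department != user.department:
        return False
    if resource.classification == "confidential" and not env.get("mfa", False):
        return False
    return 8 <= env.get("hour", -1) < 18  # business hours only

def decide(user, action, resource, env):
    """Evaluate the request and append an audit record (accountability)."""
    allowed = abac_allows(user, action, resource, env)
    AUDIT_LOG.append((user.name, action, resource.name, allowed))
    return allowed

# Constructed sample principal and resource (the "Finance Analyst" from the post).
ALICE = User("alice", frozenset({"finance_analyst"}), "finance")
LEDGER = Resource("q1-ledger", "finance", "confidential")
```

The same user passes the RBAC check in every case; only the ABAC layer rejects the off-hours, no-MFA and wrong-department requests.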

Would you like me to explain any specific IAM model in more detail (especially RBAC or ABAC), or show you how they compare in terms of advantages and disadvantages?