| | DAC | MAC | RBAC | ABAC |
|---|---|---|---|---|
| Access Control Basis | Based on identity of the requester and the discretion of the owner | Based on classifications and security clearances | Based on roles within an organization | Based on attributes (user, resource, environment) |
| Access Decision | Owners of the resource decide who can access it | System-enforced, not changeable by users | Access based on roles and their permissions | Decisions based on a set of policies involving attributes |
| Flexibility | Highly flexible with individualized control | Less flexible, focuses on classification levels | Moderately flexible, easy to manage | Highly flexible and granular |
| Complexity | Can become complex with many users and permissions | High, due to strict policy enforcement | Medium, depends on roles and permissions setup | High, due to complex policy definitions |
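
The same request evaluated under each of the four models compared above (discretionary, mandatory, role-based, attribute-based), as an added example that is not part of the original page. The users, the resource, the label ordering, the role table and the ABAC policy are constructed assumptions, and the mandatory check uses Bell-LaPadula-style rules as one common instance of classification-based control.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # constructed label ordering
ROLE_PERMS = {"analyst": {("report", "read")},            # constructed role -> permissions
              "editor": {("report", "read"), ("report", "write")}}

@dataclass
class User:
    name: str
    clearance: str
    roles: set
    attrs: dict

@dataclass
class Resource:
    owner: str
    classification: str
    attrs: dict
    acl: dict = field(default_factory=dict)   # DAC list: user name -> allowed actions

def dac_grant(res, granter, grantee, action):
    """DAC: the ACL changes only at the owner's discretion."""
    if granter != res.owner:
        raise PermissionError("only the owner can grant access")
    res.acl.setdefault(grantee, set()).add(action)

def dac_allows(user, res, action):
    return user.name == res.owner or action in res.acl.get(user.name, set())

def mac_allows(user, res, action):
    # Bell-LaPadula-style labels: no read up, no write down; users cannot change them.
    u, r = LEVELS[user.clearance], LEVELS[res.classification]
    return u >= r if action == "read" else u <= r

def rbac_allows(user, res, action):
    return any((res.attrs["type"], action) in ROLE_PERMS.get(role, set()) for role in user.roles)

def abac_allows(user, res, action, env):
    # Constructed policy: same department; writes only between 09:00 and 17:00.
    same_dept = user.attrs.get("dept") == res.attrs.get("dept")
    return same_dept and (action == "read" or (action == "write" and 9 <= env["hour"] < 17))

def evaluate(user, res, action, env):
    return {"DAC": dac_allows(user, res, action), "MAC": mac_allows(user, res, action),
            "RBAC": rbac_allows(user, res, action), "ABAC": abac_allows(user, res, action, env)}

DOC = Resource("alice", "confidential", {"type": "report", "dept": "finance"})   # constructed
BOB = User("bob", "secret", {"editor"}, {"dept": "finance"})                     # constructed
if __name__ == "__main__":
    for act in ("read", "write"):
        print(act, evaluate(BOB, DOC, act, {"hour": 20}))
```

The DAC result changes as soon as the owner calls `dac_grant`, while the MAC result can only change if the system relabels the user or the resource.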