Certified - CompTIA Cloud+

Access control models define how permissions are assigned, enforced, and managed within a computing environment. In cloud security, these models determine who can access which resources and under what conditions. Different access models offer distinct approaches to granting and revoking permissions, with trade-offs in flexibility, security, and administrative effort. Understanding these models is essential for anyone pursuing the Cloud Plus certification, as they directly impact how systems are secured and how users interact with resources across cloud platforms.
Each access control model takes a different stance on who has authority over permissions. In discretionary models, users have the ability to control access to their own resources. In non-discretionary models, administrators manage access through centrally defined roles or policies. In mandatory models, access is determined entirely by system-enforced rules, independent of user or administrative discretion. These three approaches—discretionary, non-discretionary, and mandatory—are each represented on the Cloud Plus exam and tested through scenario-based questions.
Discretionary access control, or DAC, is the most flexible of the three models. It gives data owners the power to grant or revoke access to their files, folders, or applications. This is typically implemented through access control lists or file-level permissions that the user can configure. DAC systems are common in personal and small business environments where centralized control is less critical. On the exam, DAC may appear in questions involving user-managed file sharing or uncontrolled collaboration scenarios.
One of the key advantages of DAC is user empowerment. It allows individuals to collaborate freely by deciding who can access their content. This flexibility makes DAC suitable for environments with informal workflows, ad-hoc projects, or peer-to-peer sharing models. It is also relatively easy to implement and manage in small-scale environments. However, candidates must also recognize that DAC’s strength in flexibility is also its greatest weakness in terms of security consistency.
The primary weakness of DAC lies in its lack of oversight. Since users are responsible for managing access to their own data, they may inadvertently grant access to unauthorized users or fail to revoke access when it is no longer needed. This lack of centralized control increases the risk of privilege escalation and insider threats. Cloud Plus exam questions may highlight security failures caused by DAC misconfiguration or ask how to reduce the risks associated with user-managed access.
In contrast, non-discretionary access control relies on central administrators to define and enforce access rules. Access decisions are based on roles, policies, or rules rather than user discretion. This model is ideal for environments that require consistent access policies and formal oversight. Non-discretionary systems include role-based access control and rule-based access frameworks, both of which are commonly supported by cloud identity and access management platforms.
The strengths of non-discretionary models are rooted in consistency and accountability. Because access is managed centrally, administrators can enforce uniform policies across all users and systems. This reduces the chances of accidental access exposure and simplifies compliance with internal and external security frameworks. Cloud Plus covers non-discretionary models extensively, especially in relation to enterprise cloud environments where scale and control are critical.
Role-based access control, a type of non-discretionary model, assigns users to roles that contain predefined permissions. Administrators manage both the creation of roles and the assignment of users to them. This ensures that access is aligned with job responsibilities and simplifies onboarding and offboarding. The Cloud Plus exam may ask candidates to distinguish role-based systems from discretionary ones by identifying whether permissions are controlled by the user or by an administrator.
Mandatory access control, or MAC, represents the most rigid and security-focused of the three models. In MAC systems, access decisions are made by the system itself based on predefined policies and classifications. Neither users nor administrators have the ability to override these rules. MAC is typically used in high-security environments such as military, government, or financial systems where strict data classification and access compartmentalization are required.
MAC systems rely on security labels that define the sensitivity of data and the clearance levels of users. For example, a file may be labeled “Confidential” and only accessible to users with a matching clearance level. Additionally, access is often restricted based on the principle of need-to-know. Cloud Plus may include questions that require identifying whether a scenario calls for MAC, particularly when the situation involves highly classified or regulated information.
While MAC offers the highest level of control and resistance to user error or misconfiguration, it comes with significant limitations. These systems are often inflexible, difficult to manage, and resource-intensive to maintain. They may not be appropriate for dynamic environments where agility and user autonomy are valued. Candidates must understand when MAC is justified and when it may be too restrictive for the organization’s operational model.
Comparing the three models highlights their distinct approaches. DAC is user-driven and offers the most flexibility but the least security oversight. Non-discretionary models are administrator-driven and support standardization across the organization. MAC is policy-driven and enforces the strictest security controls but sacrifices adaptability. The Cloud Plus certification may present scenarios involving different risk levels, user roles, or compliance requirements and ask candidates to choose the most appropriate access model based on those factors.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prep casts on Cybersecurity and more at Bare Metal Cyber dot com.
Choosing the right access control model requires a clear understanding of the organization’s risk profile. High-risk environments dealing with sensitive or regulated data are better served by non-discretionary or mandatory access controls. These models provide consistent enforcement and auditability. On the other hand, low-risk or informal settings may tolerate the flexibility of discretionary access control. The Cloud Plus certification frequently presents scenarios involving different data sensitivity levels and asks which access model best aligns with the security requirements.
Many organizations implement hybrid access control models that combine elements from different systems. For instance, a platform may use role-based access control as the primary model while allowing users to share documents using discretionary rules. This hybrid approach balances security with operational flexibility. Candidates must be able to recognize when a hybrid model is appropriate and understand the implications of blending centralized and user-driven permission strategies.
Discretionary systems are particularly vulnerable to policy drift, where permissions change over time in ways that deviate from security policy. As users grant and revoke access informally, the system can accumulate excessive or inconsistent permissions. This is especially problematic in environments without regular audits. Cloud Plus may test how to manage DAC environments through policy reviews, highlighting tools and techniques to detect and correct drift.
In non-discretionary environments, change management is essential. Updates to roles, rules, or access logic must follow strict procedures, including approval workflows, documentation, and stakeholder communication. Failing to manage change correctly can result in broken access, service interruptions, or unintentional privilege escalation. The certification may include questions that describe access failures due to uncoordinated role changes, asking candidates to identify the procedural breakdown.
Cloud platforms offer varying levels of support for different access models. Role-based access control is widely supported and often implemented by default in Infrastructure as a Service, Platform as a Service, and Software as a Service environments. Some platforms also support attribute-based access control or tagging-based policies that can approximate mandatory controls. Understanding what each platform offers is key to choosing a model that aligns with the organization’s technical ecosystem. The exam may present platform capabilities and ask which model best fits the environment.
Compliance frameworks often dictate which access control models are required. For example, financial or government environments may mandate MAC or RBAC to meet regulatory obligations. Candidates must be able to interpret these requirements and apply the correct access model to maintain legal and contractual compliance. The Cloud Plus certification includes regulatory mapping scenarios, where access control decisions are tied directly to frameworks like GDPR, HIPAA, or SOX.
Regardless of the model used, user education is critical. In discretionary environments, users must be trained to understand the risks of sharing sensitive information and how to grant access safely. In non-discretionary and mandatory systems, users need to understand why access is denied and how to request appropriate permissions through proper channels. Cloud Plus may include questions about user confusion or misuse caused by lack of training, requiring candidates to recognize access education gaps.
When applying access control models in real-world environments, a strategic approach is needed. The chosen model must match the sensitivity of the data, the size and structure of the organization, and the compliance context. For example, a small startup may prioritize agility with discretionary access, while a multinational financial firm requires the rigor of RBAC or MAC. Cloud Plus scenarios often present such contrasts and require candidates to select the best fit based on both business and technical constraints.
In cloud deployments, lifecycle management and access model integration go hand in hand. Roles, rules, or access classifications must be aligned with onboarding, role transitions, and deprovisioning processes. An effective access control model not only governs daily permissions but also supports auditing and account cleanup. Candidates must demonstrate an understanding of how access models interface with identity lifecycle processes, particularly in hybrid or multi-cloud ecosystems.
Monitoring and auditing access behavior is crucial regardless of which model is used. Logs should capture changes to roles, permissions granted or revoked, and violations of access policies. Mandatory and non-discretionary systems tend to produce more structured logs, which support better forensic and compliance outcomes. Discretionary systems may require additional monitoring to compensate for their flexibility. The exam may ask which logging approach is required to validate access changes under a specific model.
Selecting between DAC, non-discretionary, and MAC is not a purely technical decision—it reflects organizational priorities around control, autonomy, and risk tolerance. Each model has its place depending on the nature of operations and the threat environment. Cloud Plus reinforces the importance of this decision by testing candidates’ ability to weigh trade-offs and align access strategies with both security principles and business needs.
In conclusion, discretionary, non-discretionary, and mandatory access models form the foundation of how permissions are managed in cloud environments. From flexibility and user empowerment to strict enforcement and centralized control, each model serves a different purpose. Success on the Cloud Plus exam depends on understanding these differences deeply and being able to apply each model appropriately to technical scenarios, organizational contexts, and compliance mandates.