Role-Based Access Control and Rule-Based Access Control share the acronym RBAC. They are also similar in that each lies in an intermediate position on a spectrum running from Mandatory Access Control (MAC) at one extreme to Discretionary Access Control (DAC) at the other. That is to say, both types of RBAC strike a balance between strictly centralized control and user freedom of choice.
In Role-Based Access Control, different levels of rights and privileges are determined by occupational role. Active Directory is frequently configured in this manner: when Organizational Units (OUs) are built to mirror an organizational chart and policies are assigned to specific security groups at the OU level, the approach being implemented is Role-Based Access Control. Role-Based Access Control is centralized insofar as the role structure itself, along with the rights pertaining to each role, is originally defined by a top-level administrator. Within this overall structure, however, various groups may have more or less freedom to create, modify, delete, or use their own resources. Likewise, depending on the level of trust assigned to the role, users may have the ability to share resources, either with or without limits.
Rule-Based Access Control is also less restrictive than MAC but more restrictive than DAC. It is distinguished by basing resource restrictions on rules pertaining to such matters as time, place, content, cost, or system availability. Taking these five rule types in turn: with respect to time, system use might be restricted after working hours or during a scheduled backup window. With respect to location, logins may be disallowed from risky locations or allowed only from defined offices or networks. With respect to content, specific material (illegal, immoral, or contrary to desired business practices) might be blocked or filtered. With respect to cost, resource use might be allocated against a budget, placing system access within a regime of quotas or rate caps. Finally, when traffic shaping is employed with an emphasis on granting, restricting, or denying access for selected users or resources according to system availability, this too is an implementation of Rule-Based Access Control.
In practice, a hybrid type of RBAC combining both roles and rules is frequently deployed. For example, members of the accounting group may have read access to financial files, but only during working hours. Likewise, members of the sysadmins group may have copy access only to financial files, but logins from this group may be restricted to the network operations subnet. Whether the emphasis is stronger on roles or on rules, either way RBAC is generally a good fit for business organizations, given that MAC is too restrictive for most businesses and that DAC is too loose.
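The hybrid policy just described (a role grants the action, and rules bound to that role must also hold) can be expressed as a small deny-by-default evaluator. The following is an added example, not code from the original text; the working-hours window, the subnet, and the role and rule names are constructed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Role grants: which (resource, action) pairs each role is allowed at all.
ROLE_GRANTS = {
    "accounting": {("financial_files", "read")},
    "sysadmins": {("financial_files", "copy")},
}

# Rule parameters (constructed values, not from the original text).
WORK_START, WORK_END = time(9, 0), time(17, 0)
NOC_SUBNET = ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Request:
    roles: frozenset      # roles held by the requesting user
    resource: str
    action: str
    when: time            # local time of the request
    source_ip: str        # address the login/request came from


# Rules: named predicates bound to a role. Every rule bound to the role
# that grants the access must hold, otherwise that grant does not apply.
RULES = {
    "accounting": [("working_hours", lambda r: WORK_START <= r.when < WORK_END)],
    "sysadmins": [("noc_subnet", lambda r: ip_address(r.source_ip) in NOC_SUBNET)],
}


def authorize(req: Request) -> tuple[bool, str]:
    """Deny by default. Grant only if some role both grants the
    (resource, action) pair and satisfies all rules bound to it."""
    reasons = []
    for role in sorted(req.roles):
        if (req.resource, req.action) not in ROLE_GRANTS.get(role, set()):
            reasons.append(f"{role}: no grant for {req.action} on {req.resource}")
            continue
        failed = [name for name, rule in RULES.get(role, []) if not rule(req)]
        if failed:
            reasons.append(f"{role}: rule(s) failed: {', '.join(failed)}")
            continue
        return True, f"granted via role {role}"
    return False, ("denied: " + "; ".join(reasons)) if reasons else "denied: no roles"
```

The returned reason string is what an audit log should capture: a denial caused by a failed rule (wrong time, wrong subnet) is a different detection signal from a denial caused by a missing role grant.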