4 Types of Access Control Policies

Your electronic access control system can be considered part of your management resource system. It is one of the more effective ways to manage access efficiently within your property and its controlled areas. Of course, it has to be governed by what we can call electronic access control policies.

Electronic access control policies can vary quite a bit depending on the type of access the policy is meant to provide. There are four common types of electronic access control policies that are widely used. Each policy varies in its own way, but they primarily all work by issuing credentials to authorized individuals.

What are the 4 Types of Access Control Policies?


Discretionary is a type of access control that issues credentials to users who have been granted access. It is most commonly used in workplaces, for example when management or owners grant access to a certain employee or group of employees. The policy is based on the discretion of the issuing authority, and the access can be revoked at any time. This type of access control is used in things like electronic employee badges that permit an employee into sensitive access areas.

This type of electronic access is great for any high-security environment, where a lot of resources are at stake. It is also used in things like apartment complexes where you may want to make sure only certain neighbors have access to the swimming pool.


Role-based access control is used in most organizations that have had a need to be more discreet about who has access to what. In this case, a user will have access to an area – for example, the computer server room – based on the role they play within the organization. Those persons whose role supports the efficient functioning of the server room will have access credentials.

Conversely, a gardener, whose role may have nothing to do with servers and computer equipment, will not have access. Using a role-based access control policy requires defined profiles for those who need access. These predefined profiles can then access specific areas and resources based on their role.


In a mandatory access control system, the user is required to enter a credential, such as a Personal Identification Number (PIN), a password, or a fob card, in order to gain access to an area. Other forms may even include biometric access credentials like fingerprints or a quick scan of the eye, leading to electronic identification.

The security policy of the facility is enforced by the system software via a role-based access control policy. In this case, the facility owner or administrator is responsible for assigning and managing roles that are used to enforce access controls.


The rule-based approach to access control is a bit different from the other three. In this case, the user is still granted access based on a particular policy, but the criteria for gaining access are quite specific. In simplified terms, for example, access to specific resource rooms is from 8am until 8pm. That is the rule. If you try to access at 7:59am – then the access would be denied.

This approach can also be applied digitally, with Internet Protocol (IP) based access to devices and access points. The team can set rules such that only specific IP addresses can manage the access. This also works well for remote-based operations: if there is a need to access specific resources, it can be done with a rule-based approach. If the rule is that the IP has to be a specific address, then only that specific IP address will gain access, based on the security policy.
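The time-window and IP rules described above, combined with a role check and a default-deny decision, as an added example that is not part of the original article. The resource names, roles and the 192.0.2.10 address are constructed, and treating 8pm as the closing instant (exclusive) is an assumption.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    resource: str
    roles: frozenset      # roles allowed to use the resource
    hours: tuple = None   # (open, close) as datetime.time; None = no time rule
    networks: tuple = ()  # allowed source networks; empty = no IP rule

# Constructed sample policy; every name and address here is illustrative.
RULES = [
    Rule("resource-room", frozenset({"staff"}), hours=(time(8, 0), time(20, 0))),
    Rule("door-controller-admin", frozenset({"security-admin"}),
         networks=(ip_network("192.0.2.10/32"),)),
]

def decide(resource, role, at, source_ip=None):
    """Return (allowed, reason). Anything no rule explicitly permits is denied."""
    rule = next((r for r in RULES if r.resource == resource), None)
    if rule is None:
        return False, "no rule for resource"
    if role not in rule.roles:
        return False, "role not permitted"
    # Assumption: the window is open-inclusive, close-exclusive (08:00 <= t < 20:00).
    if rule.hours and not (rule.hours[0] <= at < rule.hours[1]):
        return False, "outside time window"
    if rule.networks:
        try:
            addr = ip_address(source_ip)
        except ValueError:  # missing (None) or malformed address
            return False, "invalid source IP"
        if not any(addr in net for net in rule.networks):
            return False, "source IP not allowed"
    return True, "allowed"

if __name__ == "__main__":
    requests = [  # constructed sample requests
        ("resource-room", "staff", time(7, 59), None),
        ("resource-room", "staff", time(8, 0), None),
        ("resource-room", "gardener", time(12, 0), None),
        ("door-controller-admin", "security-admin", time(23, 0), "192.0.2.10"),
        ("door-controller-admin", "security-admin", time(23, 0), "192.0.2.11"),
    ]
    for req in requests:
        print(req[:2], req[2].isoformat("minutes"), req[3], "->", decide(*req))
```

Logging the returned reason alongside each denial gives an audit trail that shows which rule blocked a request.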

What should you choose?

Overall, there may not be a one-size-fits-all approach for your home or business. In fact, a hybrid approach to your access control policies is possible. If some persons need to be guided by role-based access whereas others in your team need a mandatory approach, then this can be considered.