In MAC, access decisions are made by comparing the clearance of the user with the classification of the data against some ruleset. Basically the owner of the data decides who can access it, and this is enforced by the rules.
With RBAC, what you can do and what you can do it on is dependent on your role and the permissions assigned to that role. The data owner has no control over this.
Imagine you’re working for the Department of Defense and trying to access classified documents.
In a MAC system, I can access the documents as long as I have the right clearance. If I have top secret clearance I can see docs classified as secret too. All that matters is I have the right level.
Now imagine I want to segment further. In my top secret docs I have spies, bank accounts, and airplane designs. I can further segment so that only people in the CIA job can see spies, accountants can see the bank accounts, and engineers can see the airplane designs. The LEVEL of classification matters as well as my job. This is RBAC.
Now let’s say I’m a spy and I want to share my spy stories with all of my friends. So I choose a list and post my secrets, which only my friends can see. That’s DAC, or discretionary access control.
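The three decision rules from the scenario above, as an added worked example in Python (not code from the answers): a clearance lattice for MAC, a role-to-compartment table for RBAC, and an owner-managed share list for DAC, combined so that an owner's sharing can never override the mandatory checks. The lattice values, the role table and the user and document records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed clearance lattice: a higher number dominates a lower one,
# so top secret clearance also reads secret documents.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed role -> compartment table from the answer's example.
ROLE_COMPARTMENTS = {
    "cia": {"spies"},
    "accountant": {"bank_accounts"},
    "engineer": {"airplane_designs"},
}

@dataclass
class Document:
    classification: str                 # MAC label set by the system, not the owner
    compartment: Optional[str] = None   # RBAC segment inside the level
    owner: Optional[str] = None         # DAC: who controls sharing
    shared_with: Set[str] = field(default_factory=set)  # DAC: the owner's chosen list

@dataclass
class User:
    name: str
    clearance: str
    role: str

def mac_allows(user: User, doc: Document) -> bool:
    """MAC: read only if the user's clearance dominates the document's label."""
    return LEVELS[user.clearance] >= LEVELS[doc.classification]

def rbac_allows(user: User, doc: Document) -> bool:
    """RBAC: the compartment must be one the user's role is permitted to see."""
    if doc.compartment is None:
        return True
    return doc.compartment in ROLE_COMPARTMENTS.get(user.role, set())

def dac_allows(user: User, doc: Document) -> bool:
    """DAC: the owner decides; the owner and anyone on the share list may read."""
    return doc.owner == user.name or user.name in doc.shared_with

def can_read(user: User, doc: Document) -> bool:
    """All applicable models must agree: a friend on the share list who
    lacks the clearance or the role is still refused."""
    checks = [mac_allows(user, doc), rbac_allows(user, doc)]
    if doc.owner is not None:
        checks.append(dac_allows(user, doc))
    return all(checks)
```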