Distinguishable because it 
controls access to objects 
by evaluating rules against 
the attributes of entities, 
operations, and the 
environment relevant to a 
request

Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship 
or access control rule defining the allowable 
operations for subject_object attribute 
combinations in a given environment

Systems are capable of 
enforcing DAC, RBAC, 
and MAC concepts


Allows an unlimited 
number of attributes to be 
combined to satisfy any 
access control rul