Which access control model is typically non-discretionary in nature?

Study for the CISSP Domain 5 Identity and Access Management Test with flashcards and multiple choice questions. Each question offers hints and explanations. Get ready for success!

The Role-Based Access Control (RBAC) model is typically non-discretionary in nature because access permissions are assigned to roles rather than to individual users. In this model, access decisions are made based on a user's role within an organization, and roles are defined by the organization’s policies and structure. This means that once roles are established, they govern the access rights of all users assigned to those roles, leading to a more centralized and systematic approach to access control.

RBAC allows for easier management of permissions, especially in environments with a large number of users and complex access needs, because changes can be made at the role level rather than for each individual user. This enhances security and ensures that users have appropriate access based on their job functions rather than on personal discretion; reliance on personal discretion is a hallmark of discretionary access control models.

By enforcing access rights through roles, RBAC minimizes the risk of unauthorized access arising from individual user decisions, which aligns with the principles of a non-discretionary model. Other models such as DAC allow users to grant or revoke access based solely on their discretion, making them discretionary in nature, while MAC and ABAC implement varying levels of structure or context but do not achieve the same efficiency and clarity as RBAC in a non-discretionary
