Clearances are defined by the level of trust of individuals based
on background investigations, history, and other factors as
defined. Clearances are defined for content based on magnitude of
consequences associated with the misuse of the content. Compartments
are based on the groupings of content necessary to perform kinds of
work. Access is granted based on holding a clearance high enough for
the classification of the content, working in an area associated with
the content, and having a reasonable need to know the content in order
to perform an authorized task. Separation of duties and risk
aggregation limit the compartments permitted and, in more
advanced cases, the set of compartments allowable to individuals
Use roles and rules:
People are assigned roles based on what their job assignments are and access is granted based on a set of management defined rules about what different roles access under what conditions in order to perform their roles. Separation of duties and risk aggregation limit the simultaneous roles permitted and, in more advanced cases, the sequences of roles allowable to individuals and groups over time. Rules also change over time and must be analyzed for separation of duties and risk aggregations.
Use owner authorized:
Content and systems are "owned" on a fiduciary or actual basis by individuals who make individual determinations about what individuals or groups may access what content under what conditions.
Use a subject object model:
Subjects (people and automated mechanisms) are granted Rights (things that they can do) to Objects (content, containers, and mechanisms) based on management decisions. Risk aggregation, if done, is done by analysis of granting of rights over time.
Use a possession-based model:
Access devices of various sorts (e.g., keys, certificates, tickets, tokens, money, etc.)
are possessed by individuals or mechanisms, and access is granted based on possession and
possible surrender of those devices.
Pick the best fit of these or create a different enterprise model:
It is almost always better to pick one of the above defined mechanisms since they are already realized in implementations of various sorts, however; many of the mechanisms can be repurposed for other uses, and mechanisms available should not limit the manner in which access is modeled.