Which access control model relies on policy to grant access rather than owner discretion?

Policy-based access control relies on centrally defined rules that determine who can access which resources under what conditions. Rather than leaving permission decisions to the owner of a resource, a policy decision point evaluates the applicable policies using attributes like user role, resource type, and contextual factors (time, location, etc.). If the policies authorize the access, it’s granted; if not, it’s denied. This approach provides consistent enforcement, easier auditing, and scalable governance. Discretionary access control, by contrast, puts access in the hands of the resource owner, who can grant or revoke permissions. Mandatory access control relies on fixed security labels and a policy lattice enforced by the system, not by individual owners. Delegated access control isn’t a standard model and doesn’t describe policy-driven decisions in the same way.