Which control model uses policies to determine access rights but does not allow discretion by the user?

Sample the CISSP Domain 5 Identity and Access Management Test. Study with flashcards and multiple choice questions for exam readiness.

The control model that utilizes policies to determine access rights while not permitting discretion by the user is Non-Discretionary Access Control. This framework is characterized by its reliance on established guidelines and policies rather than individual user decision-making. Access is determined based on criteria set by an organization, ensuring that all users follow predefined rules without the ability to grant or restrict access based on personal judgement.

This model is particularly useful in environments where consistent access control is essential, such as in government or military contexts, because it enforces compliance with security policies uniformly across all users. By eliminating the discretionary aspect, it minimizes the risk of unauthorized access that can occur with user-driven models.

In contrast, Discretionary Access Control allows users the freedom to set permissions for their own data, which can lead to variability in access rights. Role-Based Access Control, on the other hand, assigns access permissions based on user roles within the organization, but it still allows for some level of discretion depending on how roles are defined and assigned. Lattice-Based Access Control employs a more complex structure for access rights, often used in scenarios requiring a well-defined hierarchy of data sensitivity. However, Non-Discretionary Access Control stands out for its rigidity and policy-based approach to access management.
