Access Control Models
Discretionary Access Control (DAC)
-- As the name suggests, in this case it is at the discretion of the owner of the resource to decide who gets access to it and at what level. You see it in action in Windows, macOS and Linux, where the owner of a file grants the necessary rights (read, write, execute) to other users, for example with chmod or setfacl on Linux or the file's ACL on Windows. The weakness is the flip side of the flexibility: a careless or tricked owner, or any program running as that owner, can hand the file out to anyone, and the system will not stop it.
Mandatory Access Control (MAC)
-- In this case, access is granted by checking the subject's clearance level against the object's classification level. Both labels are assigned by the system (or a security administrator) rather than by the owner, and neither the subject nor the owner can change them. So, for example, a user with a clearance level of Secret will be given access to a file that has a classification level of Secret (or anything lower), but a file with the classification level Top Secret will not be accessible to the same user, even if the file's owner wants to share it. SELinux on Linux is a widely deployed MAC implementation.
Role-Based Access Control (RBAC)
-- In this case, access is not granted to individual users. Rather, access is given to roles, and anyone who holds one of those roles gets the access automatically. So, instead of granting access to five security engineers separately, you create a role called "security engineers" and give the access to the role; anyone who has that role then gets the required access. This is useful where turnover is high: a joiner is added to the role and a leaver is removed from it, rather than their individual grants having to be hunted down.
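The three models above, side by side, as an added example (this is not code from the original page; the users, file, labels and role table are constructed for illustration). The point it shows is that a DAC grant from the owner is not enough on its own under MAC: the system-assigned labels are checked first, and the owner cannot override them.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical MAC labels; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class User:
    name: str
    clearance: Level                         # MAC: assigned by the system, not by the user
    roles: set = field(default_factory=set)  # RBAC: roles the user holds


@dataclass
class File:
    name: str
    owner: str
    classification: Level                    # MAC: assigned by the system, not by the owner
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of permissions


def dac_grant(f: File, grantor: User, grantee: str, perm: str) -> bool:
    """DAC: only the owner may add an ACL entry. Returns False (no change) otherwise."""
    if grantor.name != f.owner:
        return False
    f.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(f: File, user: User, perm: str) -> bool:
    """DAC check: the owner always has access; everyone else needs an ACL entry."""
    return user.name == f.owner or perm in f.acl.get(user.name, set())


def mac_allows_read(f: File, user: User) -> bool:
    """MAC 'no read up': the subject's clearance must dominate the object's classification."""
    return user.clearance >= f.classification


# Hypothetical role table for the RBAC check (an assumption for this example).
ROLE_PERMISSIONS = {
    "security engineers": {"read", "write"},
    "auditors": {"read"},
}


def rbac_allows(user: User, perm: str) -> bool:
    """RBAC check: the permission must be carried by at least one of the user's roles."""
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def can_read(f: File, user: User) -> bool:
    """Combined check: MAC is evaluated first, and an owner's DAC grant cannot override it."""
    return mac_allows_read(f, user) and dac_allows(f, user, "read")


def demo() -> dict:
    """Constructed scenario; returns each individual decision so it can be inspected."""
    alice = User("alice", Level.SECRET)
    bob = User("bob", Level.CONFIDENTIAL)
    carol = User("carol", Level.TOP_SECRET, roles={"auditors"})
    plan = File("plan.txt", owner="alice", classification=Level.SECRET)

    results = {}
    # DAC: the owner grants bob read; a non-owner (bob) cannot grant carol anything.
    results["alice_grants_bob"] = dac_grant(plan, alice, "bob", "read")
    results["bob_grants_carol"] = dac_grant(plan, bob, "carol", "read")
    results["dac_bob_read"] = dac_allows(plan, bob, "read")
    # MAC: bob (Confidential) cannot read a Secret file even though the owner said yes.
    results["mac_bob_read"] = mac_allows_read(plan, bob)
    results["bob_can_read"] = can_read(plan, bob)
    # MAC: carol (Top Secret) dominates Secret, but has no DAC entry, so still no access.
    results["mac_carol_read"] = mac_allows_read(plan, carol)
    results["carol_can_read"] = can_read(plan, carol)
    # RBAC: carol's "auditors" role carries read but not write.
    results["rbac_carol_read"] = rbac_allows(carol, "read")
    results["rbac_carol_write"] = rbac_allows(carol, "write")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the order in can_read: the label comparison runs before the ACL lookup, so no amount of owner generosity lets a Confidential user at a Secret file, which is the property MAC exists to give you.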
Rule-Based Access Control (No short form for it. RBAC is for Role-Based Access Control, not
Rule-Based Access Control)
-- In Rule-Based Access Control, access is granted if pre-defined rules are met. For example, a badge or biometric system could be configured with a rule that lets employees into the office only from Monday to Friday between 8 AM and 7 PM. If the conditions defined in the rule are not met, employees are not granted access, whoever they are. We see this in the form of ACLs on routers and firewalls too, where a packet is permitted or dropped purely on rules over its addresses, ports and protocol.
Attribute-Based Access Control (ABAC)
-- ABAC adds more flexibility to rule-based access control. A rule-based control applies the same rule equally to all subjects. With ABAC, the decision can take into account attributes of the subject, the resource and the environment (who is asking, for what, from where and when), and the rules can be tweaked accordingly. For example, with ABAC we can say that employees will be granted access to the office only from Monday to Friday between 8 AM and 7 PM, but access will also be allowed on weekends and before 8 AM or after 7 PM IF THE EMPLOYEE IS FROM THE FACILITIES TEAM. So, you see, we are checking additional attributes here rather than applying the rule equally to everyone. The caveat is that the decision is only as trustworthy as the attribute store it reads: if the "team" attribute can be edited by the employee, the policy is bypassable.
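The office-hours example from the two sections above, as an added example (not code from the original page). The rule-based check takes only the time, so it cannot distinguish one employee from another; the ABAC policy also reads subject and resource attributes. It goes slightly beyond the text by evaluating the rules deny-overrides (a matching deny beats any permit, and no match at all means deny), and the attribute names "team", "status" and "type" are assumptions for this example.

```python
from datetime import datetime

WORKDAYS = {0, 1, 2, 3, 4}     # Monday=0 .. Friday=4, as datetime.weekday() numbers them
OPEN_HOUR, CLOSE_HOUR = 8, 19  # 08:00 inclusive, 19:00 exclusive


def in_office_hours(when: datetime) -> bool:
    """The environmental condition both models share."""
    return when.weekday() in WORKDAYS and OPEN_HOUR <= when.hour < CLOSE_HOUR


def rule_based_allows(when: datetime) -> bool:
    """Rule-based: the rule sees only the environment; there is no subject to look at."""
    return in_office_hours(when)


# ABAC policy: each rule is (effect, predicate over subject, resource, environment).
# Deny-overrides evaluation: any matching deny wins, then any matching permit,
# otherwise the default answer is deny. Attribute names are assumptions for this example.
ABAC_POLICY = [
    ("deny",   lambda s, r, e: s.get("status") != "active"),
    ("permit", lambda s, r, e: r.get("type") == "office" and in_office_hours(e["time"])),
    ("permit", lambda s, r, e: r.get("type") == "office" and s.get("team") == "facilities"),
]


def abac_allows(subject: dict, resource: dict, env: dict, policy=ABAC_POLICY) -> bool:
    """Evaluate every rule; deny if any deny matched, permit if any permit matched, else deny."""
    effects = {effect for effect, pred in policy if pred(subject, resource, env)}
    if "deny" in effects:
        return False
    return "permit" in effects


def demo() -> dict:
    """Constructed scenario; 2024-06-15 is a Saturday and 2024-06-17 a Monday."""
    office = {"type": "office"}
    dev = {"team": "engineering", "status": "active"}
    fac = {"team": "facilities", "status": "active"}
    ex_fac = {"team": "facilities", "status": "terminated"}
    monday_9am = datetime(2024, 6, 17, 9, 0)
    monday_7pm = datetime(2024, 6, 17, 19, 0)
    saturday = datetime(2024, 6, 15, 10, 0)
    return {
        # Rule-based: same answer for everyone, and 19:00 exactly is already outside the window.
        "rule_monday_9am": rule_based_allows(monday_9am),
        "rule_monday_7pm": rule_based_allows(monday_7pm),
        "rule_saturday": rule_based_allows(saturday),
        # ABAC: the facilities attribute unlocks out-of-hours access, but only for active staff.
        "abac_dev_monday_9am": abac_allows(dev, office, {"time": monday_9am}),
        "abac_dev_saturday": abac_allows(dev, office, {"time": saturday}),
        "abac_fac_saturday": abac_allows(fac, office, {"time": saturday}),
        "abac_fac_monday_7pm": abac_allows(fac, office, {"time": monday_7pm}),
        "abac_exfac_saturday": abac_allows(ex_fac, office, {"time": saturday}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "status" deny rule is there to show why deny-overrides matters: without it, a terminated facilities employee would still satisfy the team-based permit.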
Risk-Based Access Control
-- In this case, access is granted only after evaluating the risk of the request. So, a user may be allowed to access various servers, but if the same account is seen logging into 50 different servers within 5 minutes, further access could be denied (or step-up authentication demanded), because that pattern could indicate that the account has been compromised. The decision is made per request, from recent behaviour, rather than from static labels, roles or rules alone.
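The "50 servers in 5 minutes" check above, as an added example (not code from the original page): a per-account sliding window over login events, replayed against a constructed log. The log format and the host and account names are assumptions for this example; the threshold and window come from the text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_HOSTS = 50   # the threshold from the text

# Constructed log format (an assumption for this example):
#   2024-06-17T09:00:03Z user=svc-backup host=srv-001 result=success
LINE_RE = re.compile(r"^(\S+)Z user=(\S+) host=(\S+) ")


def parse(line: str):
    """Return (timestamp, account, host) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3)


class RiskEngine:
    """Per-account sliding window of (timestamp, host); deny once the number of
    distinct hosts inside the window reaches the threshold."""

    def __init__(self, window=WINDOW, max_hosts=MAX_DISTINCT_HOSTS):
        self.window = window
        self.max_hosts = max_hosts
        self.history = defaultdict(deque)

    def evaluate(self, ts: datetime, account: str, host: str) -> bool:
        """True means allow. Denied attempts are still recorded so they keep the window hot."""
        q = self.history[account]
        q.append((ts, host))
        while q and q[0][0] < ts - self.window:   # drop events that have aged out
            q.popleft()
        distinct = {h for _, h in q}
        return len(distinct) < self.max_hosts


def replay(lines):
    """Run the engine over log lines; returns (allowed, denied) lists of (account, host, ts)."""
    engine = RiskEngine()
    allowed, denied = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:           # unparseable lines are skipped, not treated as logins
            continue
        ts, account, host = parsed
        (allowed if engine.evaluate(ts, account, host) else denied).append((account, host, ts))
    return allowed, denied


def constructed_log():
    """Constructed sample: one account fanning out to 55 servers in under 3 minutes,
    one normal user, and a later login by the same account after the window has passed."""
    start = datetime(2024, 6, 17, 9, 0, 0)
    lines = []
    for i in range(1, 56):
        ts = start + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S}Z user=svc-backup host=srv-{i:03d} result=success")
    lines.append("2024-06-17T09:05:00Z user=alice host=web-01 result=success")
    lines.append("2024-06-17T09:30:00Z user=alice host=web-02 result=success")
    lines.append("2024-06-17T10:00:00Z user=alice host=web-01 result=success")
    lines.append("2024-06-17T10:00:00Z user=svc-backup host=srv-099 result=success")
    lines.append("this line does not parse and is skipped")
    return lines


if __name__ == "__main__":
    allowed, denied = replay(constructed_log())
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for account, host, ts in denied:
        print(f"DENY {account} -> {host} at {ts:%H:%M:%S}")
```

With this input the 50th distinct server (srv-050) is the first login refused, and everything svc-backup tries in the rest of that burst is refused with it, while alice's three ordinary logins and the account's own login an hour later, once the window has emptied, go through. In production the denial would usually be a step-up challenge or an alert to the SOC rather than a hard block, since a legitimate orchestration account can look exactly like this.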