What is Discretionary Access Control?

What are the three types of access control?

The three primary types of access control are:

1. Discretionary Access Control (DAC)

Definition:
A model where the owner of a resource, such as a file, folder, or database, determines who can access it and what they can do (e.g., read, write, execute).

Key Traits:

  • Access is user-defined
  • Common in consumer operating systems (Windows, Unix/Linux)
  • Uses Access Control Lists (ACLs)
  • Easy to manage but prone to errors or misuse

Best For:
Personal computing, file sharing, low-risk environments

2. Mandatory Access Control (MAC)

Definition:
A highly controlled model where access decisions are made by a central authority, based on system-enforced policies and security labels (e.g., Top Secret, Confidential).

Key Traits:

  • Access is non-discretionary (users cannot override policies)
  • Strong data classification and labeling
  • Often used in military or government settings
  • Provides high confidentiality, but limited flexibility

Best For:
Classified information systems, national defense, highly regulated environments

3. Role-Based Access Control (RBAC)

Definition:
Access rights are assigned based on the roles users hold within an organization (e.g., HR Manager, Network Admin).

Key Traits:

  • Centralized management of roles and permissions
  • Aligns with business functions and job responsibilities
  • Easy to audit and scale
  • Widely used in enterprise environments

Best For:
Corporate IT, cloud environments, enterprise resource planning (ERP), regulated industries

Bonus: Emerging & Hybrid Models

In addition to the classic three, many modern organizations also implement:

  • Attribute-Based Access Control (ABAC): Grants access based on multiple attributes (user, device, time, location).
  • Conditional Access: A policy-based approach that adapts in real time, often used in zero trust models.
  • Rule-Based Access Control: Permissions determined by if-then rules instead of user roles.

What is discretionary access control?

Discretionary Access Control (DAC) is a type of access control system where the owner of a resource (e.g., a file, folder, or system) has the authority to decide who is allowed to access it and what actions they can perform—such as read, write, or execute.

Key Characteristics of DAC:

  • Owner-Driven Permissions:
    The creator or owner of a resource (usually a user or administrator) sets access permissions for other users.
  • Flexibility:
    Users can grant or revoke access at their discretion, which makes DAC highly flexible—but also potentially less secure.
  • Access Control Lists (ACLs):
    DAC systems often rely on ACLs to specify which users or groups have which permissions on a given resource.
  • Common in Consumer and Enterprise OS:
    DAC is the default access model in systems like Microsoft Windows and Unix/Linux, where individual users can modify file permissions.

Example of DAC in Action:

Let’s say Alice creates a document on her company laptop. With DAC:

  • She can set the document to be viewable by Bob, editable by Carol, and hidden from everyone else.
  • If she decides to change those permissions later, she can do so without any higher-level policy enforcement.

Security Considerations:

While DAC is user-friendly and flexible, it comes with security trade-offs:

  • Users might grant access to the wrong people, intentionally or accidentally.
  • Lack of centralized control makes it harder to enforce company-wide policies or audit user behavior.
  • Vulnerable to privilege escalation if users or malware exploit discretionary settings.

Discretionary Access Control empowers users to manage their own data—but that freedom can introduce risk. In environments where security and compliance are top priorities, DAC is often supplemented or replaced by more rigid, centrally managed access models, such as RBAC or Conditional Access.
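
One way to audit for the first two risks above on a Unix/Linux file system is to look for owner-set mode bits that expose files to every local account. This is an added example, not part of the original page; the file names and modes are constructed sample data written to a temporary directory.

```python
import os
import stat
import tempfile

# Mode bits an owner can set at their own discretion that expose a file
# to every local account (the "other" class in POSIX permissions).
RISKY_BITS = {
    stat.S_IWOTH: "world-writable",
    stat.S_IROTH: "world-readable",
}

def audit_tree(root):
    """Return sorted (relative_path, owner_uid, octal_mode, findings) tuples
    for regular files under root whose mode exposes them to 'other'."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            findings = sorted(label for bit, label in RISKY_BITS.items()
                              if st.st_mode & bit)
            if findings:
                report.append((os.path.relpath(path, root), st.st_uid,
                               oct(stat.S_IMODE(st.st_mode)), findings))
    return sorted(report)

def build_sample_tree(root):
    """Constructed sample data: three files with different owner-chosen modes."""
    modes = {"payroll.csv": 0o666, "notes.txt": 0o644, "private.key": 0o600}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # the owner's discretionary decision
    return modes

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, uid, mode, findings in demo():
        print(f"{rel} uid={uid} mode={mode} {', '.join(findings)}")
```

Only POSIX mode bits are checked here; extended ACL entries set with setfacl would need a separate pass.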

Where is discretionary access control most commonly used?

Discretionary Access Control (DAC) is most commonly used in commercial operating systems, file systems, and personal computing environments, where ease of use and flexibility are prioritized over strict security.

Here are the key areas where DAC is widely implemented:

1. Consumer and Enterprise Operating Systems

DAC is the default access control model in most mainstream operating systems, including:

  • Microsoft Windows (NTFS permissions):
    Users can set read/write/execute permissions on files and folders.
  • Unix/Linux systems (chmod, chown, ACLs):
    File owners use DAC to define user/group access levels.

This flexibility allows end users to control their own files and directories, which is ideal for general-purpose computing.

2. File Systems and Storage Platforms

DAC is embedded into file systems that support user-defined permissions:

  • Network-attached storage (NAS) devices
  • Shared drives in enterprise environments (e.g., mapped drives)
  • Cloud storage services like Google Drive and Dropbox (user-defined sharing controls)

These platforms allow users to grant or revoke access to specific files or folders—hallmark DAC behavior.

3. Office Productivity and Collaboration Tools

In apps where users create and share content, DAC is used to let individuals control access:

  • Microsoft Office 365 (Word, Excel, SharePoint sharing settings)
  • Google Workspace (Docs, Sheets, Drive permission settings)
  • Dropbox, Box, OneDrive, etc.

DAC provides user-level control over sharing and collaboration—critical for productivity tools.

4. Development and Test Environments

In non-production environments like labs, sandboxes, or developer VMs, DAC is preferred because:

  • It’s easy to manage and modify on the fly
  • Security is less stringent
  • Users need autonomy over resources during testing

Where DAC Is Not Ideal:

You won’t commonly find DAC in:

  • High-security or classified environments (government, military)
  • Heavily regulated industries (healthcare, finance)
  • Enterprise cloud infrastructures requiring zero trust models

In these cases, Mandatory Access Control (MAC) or Role-Based Access Control (RBAC), and increasingly Conditional Access, are used to enforce strict, centrally managed policies.

DAC is most commonly used where individual flexibility and ease of sharing are needed—especially in desktop environments, file storage platforms, and collaboration tools. While it’s intuitive and convenient, organizations handling sensitive data often pair or replace DAC with stricter models to reduce risk.

What is the difference between DAC and MAC?

Discretionary Access Control (DAC)

  • Control lies with the data owner: The person who creates or owns a file, folder, or resource decides who can access it and what they can do with it.
  • Highly flexible: Users can grant, revoke, or modify access permissions at their discretion.
  • User-centric: Each individual manages their own access settings, which makes it simple and adaptable for everyday use.
  • Common in consumer and business environments: Found in operating systems like Windows and Unix/Linux, and in file-sharing tools.
  • Less secure: Because users can make decisions freely, there’s a higher risk of unauthorized access, accidental exposure, or misconfiguration.

Mandatory Access Control (MAC)

  • Controlled by a central authority: Access decisions are based on policies defined by administrators or system-level enforcement, not by individual users.
  • Based on security labels: Both users and resources are assigned classifications (e.g., Confidential, Secret, Top Secret), and access is granted only when rules allow it.
  • Non-discretionary: Users cannot alter permissions or share data outside of what’s explicitly allowed by policy.
  • Used in high-security environments: Common in military, intelligence, and highly regulated industries where data sensitivity is a priority.
  • More secure but less flexible: Offers strong protection against unauthorized access but limits user freedom and ease of collaboration.

The primary difference lies in who controls access. DAC gives that power to users, making it flexible but risk-prone. MAC, on the other hand, enforces strict rules set by the organization, offering higher security at the cost of user autonomy. Your environment’s security needs and regulatory requirements should guide which model is the best fit.
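
The difference can be seen in a small reference-monitor model, given here as an added example rather than code from the original page. The user names follow the Alice/Bob/Carol scenario above; the document name, the clearances, the numeric label ordering and the ReferenceMonitor class are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed ordering of the example labels named in the text.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass
class Resource:
    name: str
    owner: str
    label: str                               # MAC: set by the central authority
    acl: dict = field(default_factory=dict)  # DAC: user -> set of rights

class ReferenceMonitor:
    def __init__(self, clearances, enforce_mac):
        self.clearances = clearances    # user -> label, assigned by administrators
        self.enforce_mac = enforce_mac

    def grant(self, actor, res, user, rights):
        """DAC: only the owner may edit the ACL, at their own discretion."""
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl[user] = set(rights)

    def can_read(self, user, res):
        dac_ok = user == res.owner or "read" in res.acl.get(user, set())
        if not self.enforce_mac:
            return dac_ok
        # MAC: the subject's clearance must dominate the object's label,
        # and no owner-granted ACL entry can override that.
        level = LEVELS.get(self.clearances.get(user), 0)
        return dac_ok and level >= LEVELS[res.label]

def demo():
    """Alice shares a Secret-labelled document; compare both models."""
    clearances = {"alice": "Secret", "bob": "Confidential", "carol": "Secret"}
    results = {}
    for enforce_mac in (False, True):
        doc = Resource("plan.docx", owner="alice", label="Secret")
        rm = ReferenceMonitor(clearances, enforce_mac)
        rm.grant("alice", doc, "bob", {"read"})
        rm.grant("alice", doc, "carol", {"read", "write"})
        results["mac" if enforce_mac else "dac"] = {
            u: rm.can_read(u, doc) for u in ("alice", "bob", "carol", "dave")}
    return results

if __name__ == "__main__":
    for model, decisions in demo().items():
        print(model, decisions)
```

Under DAC alone, Alice's grant is enough for Bob to read the document; with the label check enforced, the same grant is ignored because Bob's clearance is below the document's label.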