What Does Discretionary Access Control Mean?
Discretionary access control (DAC) is a type of security access control that grants or restricts access to an object according to an access policy set by the object's owner, owning group and/or subjects. The DAC mechanism identifies users by the credentials they supply during authentication, such as a username and password. DAC is called discretionary because the subject (the owner) can pass access to its objects or information on to other users. In other words, the owner decides who may access an object and how.
Techopedia Explains Discretionary Access Control
In DAC, each system object (a file or data object) has an owner, and the initial owner of an object is the subject that created it. An object's access policy is therefore determined by its owner.
A typical example of DAC is the Unix file mode, which encodes read, write and execute permissions as a set of three bits for each of the file's user (owner), group and others.
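As an added illustration of that Unix mode model (example code written for this page, not taken from any operating system), the function below decides access the way Unix does: it first picks exactly one class for the requesting subject (owner, else group, else other) and then checks only that class's three bits. The inode structure, uids and gids are constructed sample values; the chmod and chown helpers model the discretionary part (only the owner may change the policy or hand the object over), and the chown helper deliberately ignores the fact that real Linux restricts unprivileged chown.

```python
import stat
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # bit values of one rwx triple


@dataclass
class Inode:
    """Constructed stand-in for a file's metadata: owning uid, owning gid, mode bits."""
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


def permission_class(inode, uid, gids):
    """Unix selects exactly one class for a subject; the others are never consulted."""
    if uid == inode.owner_uid:
        return "user"
    if inode.group_gid in gids:
        return "group"
    return "other"


def check_access(inode, uid, gids, wanted):
    """True if subject (uid, gids) holds every bit in `wanted` within its class."""
    shift = {"user": 6, "group": 3, "other": 0}[permission_class(inode, uid, gids)]
    granted = (inode.mode >> shift) & 0o7
    return wanted & granted == wanted


def chmod(inode, uid, new_mode):
    """Discretionary: only the object's owner may rewrite its access policy."""
    if uid != inode.owner_uid:
        raise PermissionError("only the owner may change permissions")
    inode.mode = new_mode & 0o777
    return inode


def chown(inode, uid, new_owner_uid):
    """Ownership transfer as listed among DAC attributes (hypothetical simplification:
    real Linux only lets root do this)."""
    if uid != inode.owner_uid:
        raise PermissionError("only the owner may transfer ownership")
    inode.owner_uid = new_owner_uid
    return inode


def mode_string(inode):
    """Render the bits the way `ls -l` does, e.g. 0o640 -> '-rw-r-----'."""
    return stat.filemode(stat.S_IFREG | inode.mode)
```

Because only one class is ever consulted, a mode such as 0o057 denies the owner read access even though "others" have it, which is the limited negative authorization Unix DAC can express.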
DAC attributes include:
- A user may transfer ownership of an object to one or more other users.
- A user may determine the type of access other users have.
- After several failed attempts, authorization failures restrict the user's access.
- Unauthorized users are blind to object characteristics such as file size, file name and directory path.
- Object access is determined during access control list (ACL) authorization, based on user identification and/or group membership.
DAC is easy to implement and intuitive but has certain disadvantages, including:
- Inherent vulnerabilities (e.g. the Trojan horse problem)
- ACL or capability-list maintenance
- Maintenance of granted and revoked permissions
- Limited negative authorization power