Discretionary Access Control definition

Discretionary Access Control

(also DAC)

Discretionary Access Control is a type of access control system in which the owner of a file or directory can grant or revoke access permissions to other users or groups. In other words, DAC allows the owner of an object to have complete control over who has access to that object and what level of access they have. This is in contrast to mandatory access control (MAC), where access permissions are determined by the system administrator and cannot be changed by the owner of the object. Discretionary Access Control is easy to implement and use and is therefore often favored by small and medium businesses.

Discretionary Access Control use cases

Transfer object ownership to other users.
Determine and change what access type other users get (edit/move/delete a file).
Access can be determined by an automated access control list that grants privileges based on user identification (their email domain, for example).

Discretionary Access Control disadvantages

Security issues. Under DAC, data is not well secured. When all users can grant and revoke permissions, it is possible to accidentally leak data to an outsider.
Complicated data storage and tracking. DAC is not centralized, so the users can store and move their files as they wish, making it difficult for others to track down the files they need. It’s also challenging for the administrator to monitor the data flow. For this reason, DAC is only really useful for small organizations and businesses.