Discretionary Access Control, or DAC access control, is a type of access control in information technology. It allows the owner of a resource, such as a file or a system, to determine who may access that resource and what level of access they are allowed.
DAC access control is based on the principle that the resource owner has discretion over who can access the resource. DAC was introduced in the Orange Book, published by the Trusted Computer System Evaluation Criteria (TCSEC), and is commonly used in operating systems and network resources.
Any discretionary access control example you come across will include accountability measures, such as logging user access and changes to resources. Overall, DAC allows for granular control over access to important information and can help to protect vital data from unauthorized individuals.
How does Discretionary Access Control differ from other types of access control?
In the realm of IT security, access control refers to the various measures taken to restrict access to information or resources. DAC access control is one such measure, and it is distinct from other types of access control in that it allows users to determine the level of access given to other users.
DAC contrasts with Mandatory Access Control (MAC), where access permission levels are determined by a central authority, and with rule-based access control, where pre-defined rules determine levels of access. Role-Based Access Control (RBAC) also differs from DAC: under RBAC, one's role within an organization determines access. DAC access control can also be altered or adjusted by individual users, whereas MAC, rule-based access control and role-based access control typically require a higher level of authority to make changes.
In DAC systems, users can use their discretion when granting or denying others access to information or resources. Overall, DAC offers a certain level of flexibility in terms of determining and adjusting user access levels, but it can also leave room for error if not used properly.
How does Discretionary Access Control work?
With any discretionary access control example, access policies are determined by the owner of the resource, who specifies the terms of access. Access comes down to user identification, verified by the credentials supplied during the authentication process: whoever holds those credentials is granted access.
This type of DAC access control is deemed discretionary because access can be granted or changed by the resource owner, who has control over who can access the information in question. The owner can create a username and password that will allow the user in, and they can decide to whom to give these credentials.
However, it's about more than just granting access to a resource. You can also use DAC to dictate what kind of access the user has and exactly what they can do with that access. Since you would not necessarily want all your employees, regardless of seniority, to have the same level of access, you can choose to create different user profiles with specific credentials that allow varying types of access based on your needs.
What are the Different Levels of Access in Discretionary Access Control?
Once the resource owner has granted a user access, they have more than just access to the information or data in the system. DAC access control allows the owner to grant different types of access to users, and each type of access allows the user to do different things.
Different types of access may be allowed individually or as a combination - it all depends on who is granting the access, what resource access is granted for, and for what reason. The different types of access that may be granted within discretionary access control include:
- Granting the same privileges that the subject has to other subjects or objects.
- Being able to alter security attributes on objects, subjects, system components and information subjects.
- Having the ability to pass the information on to other subjects and objects.
- Being able to select the security attributes that are to be associated with new or revised objects.
- Having the power to change the rules that manage access control.
As a discretionary access control example, consider a company with different levels of employees: you may grant all the above levels of access to your highest-ranking manager. Conversely, a more junior employee in a role such as communications may need only the third level of access - the ability to pass information on to other subjects and objects - and none of the others.
Thus, their authentication key would allow them to access the resource and share information but not do other things like altering security attributes. The manager, however, with a different authentication key, would be able to do that.
Therefore, with DAC, it is up to the resource owner to decide which access levels are required by different users - they can alter this at their discretion, hence the term "discretionary access control".
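The following Python is an added example, not code from this page or from Sangfor. It models the behaviour described in the two sections above in one place: an owner writes the access policy for a resource, a decision is made by looking up the authenticated subject in that policy, the owner can hand out different types of access (the five listed above, plus plain read), a subject holding the "grant" right may pass on only the privileges it already holds, and every decision is appended to an audit log as the accountability measure mentioned earlier. All subject and resource names (alice, manager, junior, intern, q3-report) are constructed for the example.

```python
"""A minimal in-memory model of discretionary access control (DAC).

Added example, not code from the page or from Sangfor. Names used in demo()
are made up.
"""
from dataclasses import dataclass, field

# The kinds of access the page lists, as short right names, plus plain "read".
# "grant"           - pass the privileges you hold to other subjects
# "set_attributes"  - alter security attributes on objects or subjects
# "share"           - pass the information on to other subjects and objects
# "label_new"       - select security attributes for new or revised objects
# "change_rules"    - change the rules that manage access control
RIGHTS = frozenset({"read", "grant", "set_attributes", "share", "label_new", "change_rules"})


@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights


class DacSystem:
    def __init__(self):
        self.resources = {}
        self.audit_log = []  # (subject, action, resource, decision, detail)

    def _log(self, subject, action, name, allowed, detail=""):
        self.audit_log.append((subject, action, name, "ALLOW" if allowed else "DENY", detail))

    def create(self, owner, name):
        """The creator becomes the owner and starts with every right."""
        self.resources[name] = Resource(name, owner, {owner: set(RIGHTS)})
        self._log(owner, "create", name, True)

    def rights_of(self, subject, name):
        return self.resources[name].acl.get(subject, set())

    def check(self, subject, right, name):
        """Access decision: the authenticated subject is looked up in the owner's ACL."""
        allowed = right in self.rights_of(subject, name)
        self._log(subject, right, name, allowed)
        return allowed

    def grant(self, grantor, grantee, rights, name):
        """Discretion lives here. The owner may grant anything; a subject holding
        'grant' may pass on only privileges it holds itself; anyone else is denied."""
        res = self.resources[name]
        rights = set(rights)
        if not rights <= RIGHTS:
            raise ValueError(f"unknown rights: {rights - RIGHTS}")
        held = self.rights_of(grantor, name)
        allowed = grantor == res.owner or ("grant" in held and rights <= held)
        if allowed:
            res.acl.setdefault(grantee, set()).update(rights)
        self._log(grantor, "grant", name, allowed, f"{grantee}:{sorted(rights)}")
        return allowed

    def revoke(self, requester, grantee, name):
        """Only the owner takes rights away, keeping the policy under one person's control."""
        res = self.resources[name]
        allowed = requester == res.owner
        if allowed:
            res.acl.pop(grantee, None)
        self._log(requester, "revoke", name, allowed, grantee)
        return allowed


def demo():
    """Walks through the company scenario from the text and returns each decision."""
    dac = DacSystem()
    dac.create("alice", "q3-report")
    # The highest-ranking manager gets every level of access ...
    dac.grant("alice", "manager", RIGHTS, "q3-report")
    # ... the junior communications employee may read and pass information on, nothing more.
    dac.grant("alice", "junior", {"read", "share"}, "q3-report")
    return {
        "junior_read": dac.check("junior", "read", "q3-report"),
        "junior_share": dac.check("junior", "share", "q3-report"),
        "junior_set_attributes": dac.check("junior", "set_attributes", "q3-report"),
        # junior holds no 'grant' right, so delegating to an intern is refused
        "junior_delegates": dac.grant("junior", "intern", {"read"}, "q3-report"),
        # manager holds 'grant' and holds 'read', so this delegation succeeds
        "manager_delegates": dac.grant("manager", "intern", {"read"}, "q3-report"),
        "intern_read": dac.check("intern", "read", "q3-report"),
        # the owner withdraws access at their discretion
        "owner_revokes": dac.revoke("alice", "intern", "q3-report"),
        "intern_read_after": dac.check("intern", "read", "q3-report"),
        "denials_logged": sum(1 for e in dac.audit_log if e[3] == "DENY"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that delegation is bounded by what the delegator holds: the page's first level of access is "granting the same privileges that the subject has", so a subject with the "grant" right cannot hand out more than it was given. The audit log records denials as well as allows, which is what makes the "room for error" mentioned earlier visible after the fact.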
Final Thoughts on Discretionary Access Control
One of a few different types of access control, DAC access control may be a bit more difficult and time-consuming to set up. However, it can provide extensive security for your computer systems and the resources on those systems. Discretionary access control also allows you to grant different types of access, and the ability to perform varying actions, to different users, which can be very useful within a large business. Thus, if you have highly sensitive data or information stored on your systems, it may be a good idea to take the time to set up DAC access control. Read more about Access Control Lists (ACLs) here.
Contact Sangfor today to find out more about different types of access control in the world of cybersecurity.