Vol. 1 · Ed. 2026
CyberGlossary
Entry № 363

Discretionary Access Control (DAC)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Discretionary Access Control (DAC)?

Discretionary Access Control (DAC): An access-control model in which the owner of a resource decides who can access it and what operations they can perform.


Discretionary Access Control is the default model in most general-purpose operating systems: file or object owners hold the authority to grant or revoke permissions to other users and groups, typically through ACLs or POSIX read/write/execute bits. Because trust flows from the owner, permissions can be propagated freely, which is convenient for end users but makes the system vulnerable to malware running with the user's privileges and to confused-deputy or Trojan-horse attacks. DAC is well-suited to collaborative environments and personal data but is considered insufficient for highly classified information, where MAC or strict RBAC/ABAC layered on top is required.

Examples

  1. A Linux user running chmod 644 file.txt to grant world-read access.

  2. A Windows file owner adding a colleague to the file's ACL with modify rights.
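
The owner-controlled grant and revoke described above, as an added Python example that is not part of the original entry: it decodes the POSIX "other" permission bits and audits a directory tree for files whose owner has opened them to every local user. The helper names (world_access, audit_tree, demo) and the sample file are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits for the "other" (world) class: everyone who is neither
# the file's owner nor a member of the file's group.
WORLD_BITS = {"read": stat.S_IROTH, "write": stat.S_IWOTH, "execute": stat.S_IXOTH}


def world_access(path):
    """Return the set of operations the owner has granted to all users."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return {op for op, bit in WORLD_BITS.items() if mode & bit}


def audit_tree(root):
    """Map each regular file under root to the world access it exposes.

    Files with no world access are omitted; symlinks are not followed.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue
            granted = world_access(path)
            if granted:
                findings[os.path.relpath(path, root)] = granted
    return findings


def demo():
    """Constructed sample: the owner grants, widens, then revokes access."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "file.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        steps = {}
        for label, mode in (("644", 0o644), ("666", 0o666), ("600", 0o600)):
            os.chmod(path, mode)  # the owner's own decision, no admin involved
            steps[label] = audit_tree(root)
        return steps


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

Because any process running as the owner can make the same chmod call, an audit like this only reports the current state; it does not prevent a later change.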

Frequently asked questions

What is Discretionary Access Control (DAC)?

An access-control model in which the owner of a resource decides who can access it and what operations they can perform. It belongs to the Identity & Access category of cybersecurity.

What does Discretionary Access Control (DAC) mean?

An access-control model in which the owner of a resource decides who can access it and what operations they can perform.

How do you defend against Discretionary Access Control (DAC)?

Defences for Discretionary Access Control (DAC) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Discretionary Access Control (DAC)?

Common alternative names include: DAC, Owner-controlled access.
