Discretionary access control (DAC) is one of many access control methods that secure information systems. DAC grants users control over the permissions to their resources, enabling information system and data owners to decide who can access those resources and what level of access they can have. This approach supports the principle of least privilege, a concept that advocates for giving users the least amount of access necessary to perform their work. Because DAC relies on human decision-making to provision access, the information system or data owner must be rigorous in reviewing access requests to ensure overly permissive rights aren’t given.
What Does Discretionary Access Control (DAC) Mean?
Discretionary access control is an approach to securing information systems in which administrators determine who should have access to a given resource and grant permissions based on those needs. It is based on the principle of least privilege, giving users the least access possible to complete their work.
How Does DAC Work?
At its most fundamental level, DAC uses access control lists (ACLs) to assign permissions to resources. ACLs contain either users or predefined groups of users and their corresponding access levels. These levels typically include read, write, and execute access, which allows a person to view, modify, or run a process or program, respectively.
For example, imagine that a user attempts to open a file share on a corporate network. When that user requests access, the DAC system checks the authentication information and compares it to the ACL associated with the resource the user is attempting to access. If the information matches the ACL entry, the user is granted the access defined in the ACL, whether it’s read, write, or execute. If the user information doesn’t match an ACL, the request is denied.
Here’s a step-by-step breakdown of how DAC works from resource creation to access enforcement.
- Someone creates a resource, such as a file or folder, and the creator is now the owner who can control access permissions.
- The owner then configures the ACL for the newly created resource, assigning users and groups who should have access with the required permissions.
- One or more users who have been granted permission to the resource attempt to access it, resulting in an access request to the DAC system.
- The DAC system checks whether the user information in the request matches an entry in the resource's ACL, and then approves or denies the request depending on whether it finds a match.
- The DAC system enforces its decision in real time, allowing the user to view, modify, or run the resource requested so long as the corresponding ACL permits the action.
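The five steps above can be followed in a small model. This is an added example, not code from any DAC product; the `Resource` class, the `user:`/`group:` principal format, the sample names, and the choice to give the creator full access are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    owner: str
    # ACL maps a principal ("user:alice", "group:finance") to permitted actions.
    acl: dict = field(default_factory=dict)

    def __post_init__(self):
        # Step 1: the creator becomes the owner (full access here by assumption).
        self.acl[f"user:{self.owner}"] = {"read", "write", "execute"}

    def grant(self, actor, principal, actions):
        # Step 2: changing the ACL is at the owner's discretion only.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl.setdefault(principal, set()).update(actions)


def check_access(resource, user, groups, action):
    # Steps 3-5: match the requester against ACL entries; no match means deny.
    principals = [f"user:{user}"] + [f"group:{g}" for g in groups]
    return any(action in resource.acl.get(p, set()) for p in principals)


def demo():
    share = Resource("q3-budget.xlsx", owner="alice")  # constructed sample
    share.grant("alice", "group:finance", {"read"})
    share.grant("alice", "user:bob", {"read", "write"})
    results = {
        "bob_write": check_access(share, "bob", [], "write"),
        "carol_read_via_group": check_access(share, "carol", ["finance"], "read"),
        "carol_write": check_access(share, "carol", ["finance"], "write"),
        "dave_read": check_access(share, "dave", ["sales"], "read"),
    }
    try:
        share.grant("bob", "user:dave", {"read"})  # non-owner tries to re-share
        results["bob_can_regrant"] = True
    except PermissionError:
        results["bob_can_regrant"] = False
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

Nothing in `check_access` consults a central policy, so whatever the owner puts in the ACL is honored as written.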
Implementation of Discretionary Access Control
Implementing DAC requires planning along with consideration of your existing security policies, as the resource owner enforcing permissions must ensure they do so in compliance with company or department expectations. These steps are key to implementing DAC effectively and ensuring it’s properly maintained.
Define Security Policies
Establish clear access control policies for your organization or department. Determine who should have access to which resources and what level of access should be granted.
Categorize your resources based on their sensitivity and importance. This is essential to ensuring ACLs are appropriately assigned to resources, especially those that are confidential or highly sensitive where access must be carefully controlled.
Set Up User and Group Management
Create and manage user accounts and groups used to assign DAC permissions. Ensure you organize users and groups in a way that aligns with the access control policies that the organization has defined.
For each resource, configure ACLs that define which users and/or groups can access the resource and what level of permissions they must have (read, write, or execute).
Conduct Regular Audits
Periodically review and audit DAC policies to ensure no permissions fall outside of them. Any non-compliant permissions that are identified should be investigated, documented, and updated to align with the DAC policy.
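For Unix-style file and folder permissions, part of such an audit can be automated. The sketch below is an added example, not part of the original page. It assumes a policy in which nothing may be writable by "others" (sticky-bit directories excepted) and files ending in `.key` or `.pem` may not be readable by others; the sample tree it builds is constructed.

```python
import os
import stat
import tempfile

SENSITIVE_SUFFIXES = (".key", ".pem")  # assumed policy: must not be world-readable


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs that violate the assumed policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not control access
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "writable by others"))
            if name.endswith(SENSITIVE_SUFFIXES) and mode & stat.S_IROTH:
                findings.append((rel, "sensitive file readable by others"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree mixing compliant and non-compliant modes."""
    root = tempfile.mkdtemp(prefix="dac-audit-")
    files = {"notes.txt": 0o666, "report.txt": 0o640,
             "server.key": 0o644, "backup.key": 0o600}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for name, mode in {"open": 0o777, "drop": 0o1777}.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{rel}: {finding}")
```

Each finding is a permission to investigate and document against the policy, as described above, rather than an automatic fix.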
Implement Training and Awareness Programs
Educate users about the importance of DAC, their role in maintaining an effective DAC implementation, and the consequences of not complying with access control policies.
Limitations of DAC
Although discretionary access control offers flexibility and user discretion, it does have some drawbacks and limitations.
Reliant on Human Judgment
Since DAC relies on resource owners to make access control decisions, a misconfigured ACL or misunderstanding of security requirements can lead to data exposure and unauthorized access.
DAC is not a scalable access control method, as it can become time-consuming and complex to manage access for many resources and users.
Lacks Centralized Administration
DAC lacks centralized control because access is applied at the resource level. This makes it difficult to enforce specific security policies across an organization and assess the policies that are in place.
Increased Insider Threat Risk
DAC doesn’t provide adequate protection against insider threats, where authorized users might misuse their privileges to access or steal sensitive data, grant unauthorized users permissions, or disclose information to unauthorized parties.
Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
To further understand DAC and its advantages and disadvantages, let’s compare it to mandatory access control (MAC), which is essentially the opposite of DAC. In a MAC model, access control policies are enforced by the system rather than at the discretion of a resource owner.
Although MAC offers less flexibility and can be more complex, it features a more secure access control design that’s focused on ensuring access aligns with specified data classification and sensitivity levels. Because of this, MAC is often used for networks and information systems that are processing highly sensitive or confidential information, such as those in government facilities.
Examples and Applications of DAC
You can find discretionary access control in almost any computing system or environment.
File and Folder Permissions
The most common example is file and folder permissions that exist in Windows and Unix-based operating systems. When a file or folder is created, the owner can then specify who can access it and what rights they have (read, write, execute).
Cloud Storage Platforms
The same holds true for cloud storage platforms, such as Microsoft OneDrive and SharePoint or Google Drive. If a user wants to share a file or folder that exists on their personal storage account, they must specify to whom it will be shared and what level of access they wish to provide (view or edit). This level of control allows individuals to manage their files according to their preferences, information sensitivity, and security requirements.
Database Management Systems
Database management systems are another example where DAC is common. To control access to the various databases they maintain, database administrators use users or groups to define who can access which database and what they can do within it. This ensures that only those authorized for each database are given access to the data they need to view or modify and nothing more.