Discretionary access control (DAC) is an access control method that allows users to manage permissions for their resources, letting system or data owners decide who can access them and at what level. It often supports the principle of least privilege, ensuring users receive only the access necessary for their tasks. However, since DAC depends on human decision-making, owners must carefully review access requests to prevent granting excessive permissions.
What Is Discretionary Access Control (DAC)?
Discretionary access control (DAC) is an approach to securing information systems in which administrators determine who should have access to a given resource and grant permissions based on those needs. It is often based on the principle of least privilege, giving users the least access possible to complete their work.
How Does Discretionary Access Control Work?
At its most fundamental level, DAC uses access control lists (ACLs) to assign permissions to resources. ACLs contain either users or predefined groups of users and their corresponding access levels. These levels typically include read, write, and execute access, which allow a person to view a resource, modify it, or run it as a process or program, respectively.
For example, imagine that a user attempts to open a file share on a corporate network. When that user requests access, the DAC system first validates the user’s identity through authentication. It then checks that identity against the ACL associated with the resource to determine if access should be granted. If the information matches the ACL entry, the user is granted the access defined in the ACL, whether it’s read, write or execute. If the user’s identity is not explicitly listed in the ACL with a valid permission, the request is denied by default.
Discretionary Access Control Step-by-Step Process
Here’s a step-by-step breakdown of how DAC works from resource creation to access enforcement.
- Someone creates a resource, such as a file or folder, and the creator is now the owner who can control access permissions.
- The owner then configures the ACL for the newly created resource, assigning users and groups who should have access with the required permissions.
- One or more users who have been granted permission to the resource attempt to access it, resulting in an access request to the DAC system.
- The DAC system checks the user information in the request against the resource’s ACL, and then approves or denies the request depending on whether it finds a matching entry.
- The DAC system enforces its decision in real time, allowing the user to view, modify, or run the resource requested so long as the corresponding ACL permits the action.
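The five steps above as a minimal model, added here as an illustration and not taken from any particular product: `Resource`, `check_access`, and all user, group, and file names are hypothetical. It assumes authentication has already happened and that the owner gets no implicit data access beyond what the ACL lists.

```python
from dataclasses import dataclass, field

PERMS = {"read", "write", "execute"}

@dataclass
class Resource:
    name: str
    owner: str
    # ACL: principal ("user:alice" or "group:finance") -> set of permissions
    acl: dict = field(default_factory=dict)

    def grant(self, actor, principal, perms):
        """Step 2: only the owner may edit the ACL (the discretionary part)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        perms = set(perms)
        if not perms <= PERMS:
            raise ValueError(f"unknown permissions: {sorted(perms - PERMS)}")
        self.acl.setdefault(principal, set()).update(perms)

def check_access(resource, user, groups, action):
    """Steps 4-5: allow only if an entry for the user or one of their groups
    lists the action; no matching entry means deny (default deny)."""
    principals = [f"user:{user}"] + [f"group:{g}" for g in groups]
    return any(action in resource.acl.get(p, set()) for p in principals)

def demo():
    # Constructed sample data: names and group memberships are illustrative.
    share = Resource("q3-budget.xlsx", owner="dana")       # step 1: creation
    share.grant("dana", "user:alice", {"read", "write"})   # step 2: owner sets ACL
    share.grant("dana", "group:finance", {"read"})
    memberships = {"alice": [], "bob": ["finance"], "eve": ["interns"]}
    requests = [("alice", "write"), ("bob", "read"), ("bob", "write"), ("eve", "read")]
    results = {req: check_access(share, req[0], memberships[req[0]], req[1])
               for req in requests}                         # step 3: access requests
    try:
        share.grant("eve", "user:eve", {"read"})           # non-owner tries to self-grant
        results["eve_self_grant"] = True
    except PermissionError:
        results["eve_self_grant"] = False
    return results

if __name__ == "__main__":
    for request, allowed in demo().items():
        print(request, "ALLOW" if allowed else "DENY")
```

Bob can read through his group entry but cannot write, and Eve is denied because no entry matches her, not because a rule names her.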
How to Implement Discretionary Access Control
Implementing DAC requires planning along with consideration of your existing security policies, as the resource owner enforcing permissions must ensure they do so in compliance with company or department expectations. These steps are key to implementing DAC effectively and ensuring it’s properly maintained.
1. Define Security Policies
Establish clear access control policies for your organization or department. Determine who should have access to which resources and what level of access should be granted.
2. Classify Resources
Categorize your resources based on their sensitivity and importance. This is essential to ensuring ACLs are appropriately assigned to resources, especially those that are confidential or highly sensitive where access must be carefully controlled.
3. Set Up User and Group Management
Create and manage user accounts and groups used to assign DAC permissions. Ensure you organize users and groups in a way that aligns with the access control policies that the organization has defined.
4. Configure ACLs
For each resource, configure ACLs that define which users and/or groups can access the resource and what level of permissions they should have (read, write, or execute).
5. Conduct Regular Audits
Periodically review and audit DAC policies to ensure there are no non-compliant permissions. Any non-compliant permissions that are identified should be investigated, documented, and updated to align with the DAC policy.
6. Implement Training and Awareness Programs
Educate users about the importance of DAC, their role in maintaining an effective DAC implementation, and the consequences of not complying with access control policies.
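A sketch of how steps 1 through 5 fit together in an audit, added here as an example and not drawn from any specific tool: the policy table, classifications, resource inventory, and group names are all constructed. Each owner-managed ACL is compared against the policy for the resource's classification, and every finding names the owner who has to remediate it.

```python
# Step 1-2 (constructed policy): per classification, which principals may
# appear in an ACL (None = any) and the most permissions an entry may carry.
POLICY = {
    "public":       {"principals": None,            "max": {"read"}},
    "internal":     {"principals": {"group:staff"}, "max": {"read", "write"}},
    "confidential": {"principals": {"group:hr"},    "max": {"read", "write"}},
}

# Steps 3-4 (constructed inventory): ACLs as their owners configured them.
RESOURCES = [
    {"name": "handbook.pdf", "class": "public", "owner": "dana",
     "acl": {"group:everyone": {"read", "write"}}},
    {"name": "payroll.db", "class": "confidential", "owner": "raj",
     "acl": {"group:hr": {"read", "write"}, "user:bob": {"read"},
             "group:everyone": {"read"}}},
    {"name": "roadmap.docx", "class": "internal", "owner": "alice",
     "acl": {"group:staff": {"read"}, "group:contractors": {"read", "write"}}},
]

def audit(resources, policy):
    """Step 5: return (resource, owner, principal, reason) for each ACL entry
    that the classification policy does not permit."""
    findings = []
    for res in resources:
        rule = policy[res["class"]]
        for principal in sorted(res["acl"]):
            perms = res["acl"][principal]
            if rule["principals"] is not None and principal not in rule["principals"]:
                reason = f"principal not approved for {res['class']} data"
            elif perms - rule["max"]:
                reason = "excess permissions: " + ",".join(sorted(perms - rule["max"]))
            else:
                continue  # entry complies with policy
            findings.append((res["name"], res["owner"], principal, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(RESOURCES, POLICY):
        print(" | ".join(finding))
```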
Limitations of Discretionary Access Control
Although discretionary access control offers flexibility and user discretion, it does have some drawbacks and limitations.
Reliant on Human Judgment
Since DAC relies on resource owners to make access control decisions, a misconfigured ACL or misunderstanding of security requirements can lead to data exposure and unauthorized access.
Not Scalable
DAC is not a scalable access control method, as it can become time-consuming and complex to manage access for many resources and users.
Lacks Centralized Administration
DAC lacks centralized control because access is applied at the resource level. This makes it difficult to enforce specific security policies across an organization and assess the policies that are in place.
Increased Insider Threat Risk
Because DAC decentralizes access control, it can increase the risk of an insider threat. An authorized resource owner might unknowingly or maliciously grant sensitive permissions to unauthorized users, bypassing centralized security policies.
Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
To further understand DAC and its advantages and disadvantages, let’s compare it to mandatory access control (MAC), which is essentially the opposite of DAC.
In a MAC model, access control policies are enforced by the system rather than at the discretion of a resource owner.
Although MAC offers less flexibility and can be more complex, it features a more secure access control design that’s focused on ensuring access aligns with specified data classification and sensitivity levels. Because of this, MAC is often used for networks and information systems that are processing highly sensitive or confidential information, such as those in government facilities.
Examples and Applications of Discretionary Access Control
You can find discretionary access control in almost any computing system or environment.
File and Folder Permissions
The most common example is file and folder permissions that exist in Windows and Unix-based operating systems. When a file or folder is created, the owner can then specify who can access it and what rights they have (read, write, execute).
Cloud Storage Platforms
The same holds true for cloud storage platforms, such as Microsoft OneDrive and SharePoint or Google Drive. If a user wants to share a file or folder that exists on their personal storage account, they must specify to whom it will be shared and what level of access they wish to provide (view or edit). This level of control allows individuals to manage their files according to their preferences, information sensitivity, and security requirements.
Database Management Systems
Database management systems are another example where DAC is common. To control access to the various databases they maintain, database administrators use user accounts or groups to define who can access which database and what they can do within it. This ensures that only those authorized to view each database are given access to the data they need to view or modify and nothing more.
Frequently Asked Questions
How does Discretionary Access Control work?
Discretionary access control (DAC) systems use access control lists (ACLs) to assign permissions. When a user tries to access a resource, the system checks the user's identity against the ACL to determine if they are allowed to view, modify, or run the resource.
What is the main difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?
Discretionary access control (DAC) puts control in the hands of the resource owner, who can grant permissions to others. Mandatory access control (MAC) is more restrictive, with access control policies enforced by the system, often based on data classification and sensitivity levels.
What are some examples of DAC in everyday use?
Common examples of DAC include:
- File and folder permissions on operating systems.
- Sharing settings on cloud storage platforms like Google Drive and Microsoft OneDrive.
- Database management system access controls.
