What is Discretionary Access Control (DAC)?
Discretionary Access Control (DAC) is one of the simplest and most flexible access control methods, but it comes with certain trade-offs. DAC allows the resource owner to determine who can access it “at the owner’s discretion.”
How Does Discretionary Access Control Work?
In DAC cyber security systems, access to resources (objects) like files, databases, or apps is managed by the owners of those resources (subjects). Sounds simple, right? Well, it is. Once you’re identified and authenticated, you can be granted access based on an access control list (ACL) or through a capability system—depending on how the DAC system is set up.
In an ACL-based system, each object has a list of users who can access it and what they’re allowed to do. In a capability system, access is granted based on the possession of an object, much like how cryptocurrency works (if you’ve got the private key, you’re in).
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
The Sweet Perks of DAC
What are the advantages of discretionary access control over other access control methods like mandatory access control (MAC) or role-based access control (RBAC)? Let me lay it out for you:
- Flexibility Galore: DAC gives object owners ultimate flexibility in deciding who can do what. You can assign permissions to individual users or groups, and the sky’s the limit when it comes to customization. Need to share files with a specific team but not the entire company? Done.
- Low Admin Overhead: Since individual object owners manage access, you don’t need an army of administrators keeping track of who can access what. This decentralized approach saves time.
- Efficiency: Users can share access quickly and easily without jumping through administrative hoops. In fast-paced environments where decisions need to happen in real-time, DAC lets information flow freely
But, There Are a Few Challenges to Keep in Mind
Now, I know what you’re thinking: “This DAC thing sounds pretty great!” And it is—until it’s not. Here are a few of the challenges you might face:
- Security Concerns: DAC is notorious for being less secure than other access control methods. Because it’s decentralized, users can share access without oversight. That opens the door for privilege creep (where users end up with way more access than they should) and potential security risks.
- Lack of Visibility: Since access is handled on an individual basis, it’s harder for administrators or security teams to keep track of who has access to what. That can lead to some awkward (and risky) blind spots.
- Maintenance Headaches: It’s easy to grant access, but managing it can get messy. Over time, access control lists can become bloated with users who no longer need access or, worse, users who no longer work at your company.
DAC in Action: Everyday Examples
You probably use DAC more often than you realize. Here are a few examples of where discretionary access control shows up in everyday life:
- Google Docs: Have you ever shared a document with someone and given them editing access? That’s DAC in action.
- Facebook Groups: If you’re an admin of a group, you control who joins and what they can post or share. That’s classic DAC.
- Smartphone Apps: When you grant an app permission to access your contacts or GPS, you’re making a DAC decision.
DAC Model Compared with Other Access Control Models
DAC differs significantly from other non discretionary access control models like Role-Based Access Control (RBAC), Mandatory Access Control (MAC), and Privileged Access Management (PAM):
- RBAC: Instead of allowing users to control their own resources, RBAC assigns permissions based on predefined roles within the organization. It’s less flexible than DAC but is more secure for large-scale operations since permissions are centrally managed.
- MAC: In MAC, a central authority strictly controls access, and users cannot change permissions themselves. This model is the most secure but also the least flexible, as it’s commonly used in environments where security is paramount, such as government systems.
- PAM: Privileged Access Management focuses on controlling and monitoring access to sensitive systems by users with elevated privileges. It’s designed to protect against insider threats and credential misuse but is more complex than DAC.
Is DAC Right for Your Organization?
DAC security could be an excellent fit if your organization prioritizes flexibility and ease of use, particularly in fast-paced environments like startups or small teams. It allows for quick adjustments, making it ideal for businesses that value agility.
However, for organizations handling highly sensitive data—such as those in finance, healthcare, or government—DAC may not provide robust security measures to prevent unauthorized access. More stringent models like MAC or RBAC might be better suited for core security needs in these cases.
Bottom Line
DAC can be a valuable tool in your access control strategy when used in the proper context.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days