DISCRETIONARY ACCESS CONTROL: Definition and Examples


Discretionary access control is implemented using access control lists (ACLs). The security administrator creates a profile and then modifies the ACL attached to each object (a resource or group of resources) for that profile. This type of control is discretionary in the sense that subjects can manipulate it: the owner of a resource decides who can access the resource and with what authority. In this post, we will learn exactly what discretionary access control (DAC) is, look at an example, and see how it differs from non-discretionary access control.

What is Discretionary Access Control (DAC)

Discretionary access control (DAC) is a kind of security access control that allows or prohibits access to an object based on a policy established by the object’s owner group and/or subjects. Controls in the DAC approach are tied to user identity, established through the credentials provided at login, such as a username and password. DAC is discretionary because the subject (owner) has the authority to grant other users access to authenticated objects or information. In other words, the owner controls the privileges for object access.

These systems offer the most permissions and are the most customizable when compared to other types of access control. Because of that flexibility, however, they are not the most secure: one person has total control over a resource and is able to grant access to people who should not have it. Additionally, DAC systems place control over users’ access rights and permissions in the hands of business owners rather than security experts, so those owners need to be fully up to speed on security best practices and recommendations.

Thus, the best applications for this model are enterprises where a high level of security is not required, as well as environments that need the most flexibility and usability. Typical use cases include schools, coaching facilities, small businesses, and startups.

Pros and Cons of Discretionary Access Control (DAC)

The following are some advantages of utilizing DAC:

  • User-friendliness: The interface is easy to use and operate, and the method makes handling data and privileges relatively straightforward.
  • Flexibility: As already mentioned, this model offers the most permissions and the most straightforward way of granting access to others.
  • Hardly any maintenance: Because these systems do not require continuing repair and maintenance, administrators spend less effort managing them.

The following are some disadvantages of utilizing discretionary access control:

  • Less trustworthy: Because access can easily be passed from one person to another and information can leak outside the company, DAC is not the most secure solution.
  • Difficult to monitor data flow: Because DAC is decentralized, it is difficult to monitor data flow and access permissions. The only method to achieve this is by using the ACL (access control list). However, this is only feasible in the case of a small business with a few employees.

What are the types of access control?

The three primary types of access control systems are Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Mandatory Access Control (MAC).

Why is discretionary access control important?

Discretionary access controls decrease security risks. They act as a firewall against malware attacks and unauthorized access by providing a highly encrypted security protocol that must be passed before access is allowed.

How can we implement the discretionary access control method?

  • Determine access: A subject’s ability to use an object to carry out an action in line with some policy depends on whether they have access to it.
  • Grant access: By providing access, you can allow someone to use a particular object.
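The two steps above can be worked through in a small model. The following is an added example in Python, not code from the original post: an in-memory DAC system in which every object carries an ACL, only the owner may grant or revoke entries, and ownership can be transferred. The subjects and object names (alice, bob, carol, billing/acme) are constructed for the demonstration. The last part of the example also shows the weakness this page notes under its disadvantages: a subject who has merely been granted read access owns any copy they make of the data and can pass that copy on at their own discretion.

```python
"""Toy discretionary access control (DAC): per-object ACLs managed by the owner.

Added illustration; the subjects, objects and data below are constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a subject attempts an action the ACL does not permit."""


@dataclass
class DacObject:
    name: str
    owner: str
    data: str = ""
    # ACL: subject -> set of permitted actions ("read", "write")
    acl: dict = field(default_factory=dict)


class DacSystem:
    def __init__(self):
        self.objects = {}

    def create(self, subject, name, data=""):
        """The creator becomes the owner and starts with full access."""
        obj = DacObject(name=name, owner=subject, data=data)
        obj.acl[subject] = {"read", "write"}
        self.objects[name] = obj
        return obj

    def determine_access(self, subject, name, action):
        """Step 1 (determine access): look the subject up in the object's ACL."""
        obj = self.objects[name]
        return action in obj.acl.get(subject, set())

    def grant_access(self, grantor, name, grantee, action):
        """Step 2 (grant access): only the owner may add ACL entries."""
        obj = self.objects[name]
        if grantor != obj.owner:
            raise AccessDenied(f"{grantor} does not own {name}")
        obj.acl.setdefault(grantee, set()).add(action)

    def revoke_access(self, revoker, name, subject, action):
        """Only the owner may remove ACL entries as well."""
        obj = self.objects[name]
        if revoker != obj.owner:
            raise AccessDenied(f"{revoker} does not own {name}")
        obj.acl.get(subject, set()).discard(action)

    def change_owner(self, subject, name, new_owner):
        """Owners may hand an object to someone else (a DAC feature)."""
        obj = self.objects[name]
        if subject != obj.owner:
            raise AccessDenied(f"{subject} does not own {name}")
        obj.owner = new_owner
        obj.acl[new_owner] = {"read", "write"}

    def read(self, subject, name):
        if not self.determine_access(subject, name, "read"):
            raise AccessDenied(f"{subject} may not read {name}")
        return self.objects[name].data

    def copy(self, subject, src, dst):
        """Anyone who can read an object can create a copy they own. Nothing
        in DAC stops them sharing that copy: this is how information leaks."""
        return self.create(subject, dst, data=self.read(subject, src))


def demo():
    """Walk through determine/grant and the leak; returns the outcomes."""
    system = DacSystem()
    system.create("alice", "billing/acme", data="invoice #1 (constructed)")
    results = {}
    results["bob_before"] = system.determine_access("bob", "billing/acme", "read")
    try:  # bob is not the owner, so he cannot grant carol anything
        system.grant_access("bob", "billing/acme", "carol", "read")
        results["bob_can_grant"] = True
    except AccessDenied:
        results["bob_can_grant"] = False
    system.grant_access("alice", "billing/acme", "bob", "read")
    results["bob_after"] = system.determine_access("bob", "billing/acme", "read")
    # Leak: bob copies the data into an object he owns and grants carol access.
    system.copy("bob", "billing/acme", "bob/acme-copy")
    system.grant_access("bob", "bob/acme-copy", "carol", "read")
    results["carol_original"] = system.determine_access("carol", "billing/acme", "read")
    results["carol_copy"] = system.determine_access("carol", "bob/acme-copy", "read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Alice's ACL on the original object is never violated, yet carol ends up reading the same data; that is the "difficult to monitor data flow" problem in miniature, and the reason the ACL alone is only a practical audit tool in a very small organisation.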

What are discretionary access control weaknesses?

  • Users having an excessive amount of privileges or inadequate privileges: Users may be a part of multiple nested workgroups. Inconsistent permissions could grant the user excessive or insufficient privilege.
  • Limited control: It is challenging for security administrators to monitor resource allocation within the firm.

Discretionary Access Control Example

In discretionary access control, for example, each system object (file or data object) has an owner, usually the person who created the object. As a result, the owner of an object determines its access policy. A common example of DAC is the Unix file mode, which specifies read, write, and execute privileges for the owning user, the group, and all other users, using three bits for each.
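The Unix file mode mentioned above can be evaluated directly. The following is an added example in Python, not code from the original post: it converts between the numeric mode and the familiar `rwxr-x---` notation and decides whether a given user may perform an action on a file. The uids, gids and modes are constructed values; the only real dependency is the standard `stat` module. It goes slightly beyond the text by showing the rule that exactly one of the three classes (user, group, other) applies to a given subject, so an owner whose user bits deny an action is not rescued by more permissive group or other bits.

```python
"""Evaluating Unix file mode bits, the DAC example from the text.

Added illustration; uids, gids and modes below are constructed values.
"""
import os
import stat
import tempfile

# Index 0 = user (owner) class, 1 = group class, 2 = other class.
_ACTION_BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}
_ACTIONS = ("read", "write", "execute")


def mode_to_symbolic(mode):
    """0o640 -> 'rw-r-----' (permission bits only, no file-type character)."""
    out = []
    for cls in range(3):
        for action, ch in zip(_ACTIONS, "rwx"):
            out.append(ch if mode & _ACTION_BITS[action][cls] else "-")
    return "".join(out)


def symbolic_to_mode(sym):
    """'rwxr-x---' -> 0o750."""
    if len(sym) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for cls in range(3):
        for i, action in enumerate(_ACTIONS):
            if sym[cls * 3 + i] != "-":
                mode |= _ACTION_BITS[action][cls]
    return mode


def permits(mode, owner_uid, owner_gid, uid, gids, action):
    """Decide access from the mode bits alone.

    Exactly one class applies, chosen in the order user, group, other. The
    kernel additionally lets root (CAP_DAC_OVERRIDE) bypass these bits; that
    override is deliberately not modelled here.
    """
    if uid == owner_uid:
        cls = 0
    elif owner_gid in gids:
        cls = 1
    else:
        cls = 2
    return bool(mode & _ACTION_BITS[action][cls])


if __name__ == "__main__":
    # Show the same logic against a real file: create one, chmod 0o640, stat it.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    os.chmod(path, 0o640)
    st = os.stat(path)
    print(path, mode_to_symbolic(stat.S_IMODE(st.st_mode)))
    print("owner may write:", permits(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                                      os.getuid(), {st.st_gid}, "write"))
    os.unlink(path)
```

Because the owner sets these bits with `chmod` and can hand the file to another user, the decision is entirely at the owner's discretion, which is exactly what makes the Unix mode a DAC mechanism rather than a mandatory one.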

Features of DACs include:

  • The user has the ability to modify an object’s owner(s).
  • Users are in charge of determining what level of access other users have.
  • After many failed attempts, permission errors restrict the user’s access.
  • The file size, file name, and directory path are all object attributes that are invisible to users who lack authorization.
  • Object access is determined during access control list (ACL) evaluation, based on user identification and/or group membership.

A salesperson might, for example, be granted access to the billing system so that they can view billing activity for the customer profiles that carry their particular sales ID number, but not the billing activity of other customers. Because access rights can be tailored to individual users, only those in charge of overseeing the entire network have access to all the data. As a result, it is less likely that hackers, corporate spies, or even disgruntled ex-employees looking for a way to exact revenge on the company can use it to commit crimes.

The precise organization of DAC depends on the kinds of programs being used and how access rights are distributed. Some options allow for the assignment of particular login credentials, which are subsequently used to modify the permissions for each of those programs.

Non Discretionary Access Control

Non-discretionary access control (NDAC) refers to any access control strategy other than discretionary access control (DAC). Mandatory access control (MAC), in which authorization is only granted if the subject’s clearance matches the object’s sensitivity level, is frequently referred to as NDAC.

Examples of non-discretionary access control models

Users cannot transfer access at their own discretion under non-discretionary access control schemes. Examples of non-discretionary access control include:

  • Under role-based access control, access is allowed in accordance with the responsibilities that an administrator assigns.
  • In rule-based access management, access is determined using established rules. This kind of access restriction is widely used by routers and firewalls to preserve network security.
  • Under attribute-based access management, access is decided by user attributes such as job title, team, location, and device.

What is the difference between discretionary and non-discretionary access control?

Non-discretionary costs include things like rent, taxes, debt payments, and food. Discretionary costs are any outlays that go above and beyond what is deemed necessary.

What is the difference between MAC and DAC?

The primary difference between DAC and MAC is that the former uses an access control method where the resource owner controls access, while the latter grants access based on the user’s clearance level.
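The clearance-based decision can be made concrete. The following is an added example in Python, not code from the original post: a small mandatory access control check in which labels are assigned only by a security administrator and there is no grant operation at all, so even the creator of an object cannot widen who may read it. It goes beyond the page's wording in one respect, as an assumption for the example: labels carry both a level and a set of compartments, and a subject's clearance must dominate the object's label (equal or higher level, superset of compartments) rather than merely match it. The subjects, objects and labels are constructed.

```python
"""Mandatory access control (MAC) by clearance: the contrast with DAC.

Added illustration. The level-plus-compartment lattice is an assumption for
this example; subjects, objects and labels below are constructed.
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
SECURITY_ADMIN = "secadmin"  # constructed name of the only label-setting role


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Equal or higher level and at least the same compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class MacSystem:
    def __init__(self):
        self.clearances = {}     # subject -> Label
        self.sensitivities = {}  # object  -> Label

    def label_subject(self, actor, subject, label):
        if actor != SECURITY_ADMIN:
            raise PermissionError("only the security administrator assigns clearances")
        self.clearances[subject] = label

    def label_object(self, actor, obj, label):
        # No owner concept here: creating an object gives no say over its label.
        if actor != SECURITY_ADMIN:
            raise PermissionError("only the security administrator labels objects")
        self.sensitivities[obj] = label

    def can_read(self, subject, obj):
        """'No read up': the clearance must dominate the object's sensitivity."""
        return self.clearances[subject].dominates(self.sensitivities[obj])

    def can_write(self, subject, obj):
        """'No write down': the object's label must dominate the clearance, so
        sensitive data cannot be copied into a less sensitive object. This is
        the step that would have blocked the copy-and-share leak seen in DAC."""
        return self.sensitivities[obj].dominates(self.clearances[subject])


def demo():
    """Set up two subjects and three objects; return the access outcomes."""
    mac = MacSystem()
    mac.label_subject(SECURITY_ADMIN, "alice", Label("secret", frozenset({"nuclear"})))
    mac.label_subject(SECURITY_ADMIN, "bob", Label("confidential"))
    mac.label_object(SECURITY_ADMIN, "plan", Label("secret", frozenset({"nuclear"})))
    mac.label_object(SECURITY_ADMIN, "memo", Label("confidential"))
    mac.label_object(SECURITY_ADMIN, "public", Label("unclassified"))
    results = {
        "alice_reads_plan": mac.can_read("alice", "plan"),
        "bob_reads_plan": mac.can_read("bob", "plan"),
        "alice_reads_memo": mac.can_read("alice", "memo"),
        "alice_writes_public": mac.can_write("alice", "public"),
        "bob_writes_plan": mac.can_write("bob", "plan"),
    }
    try:  # alice cannot relabel "plan" to let bob in, whoever created it
        mac.label_object("alice", "plan", Label("confidential"))
        results["owner_can_grant"] = True
    except PermissionError:
        results["owner_can_grant"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `can_write` permits writing upward (bob may append to the secret plan even though he cannot read it), which is the classic consequence of forbidding writes downward; real systems usually add integrity or need-to-know rules on top.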

What is the DAC model?

The DAC model, an identity-based access control paradigm, gives users some degree of control over their data.

FAQ

What is discretionary access control?

A kind of security access control called discretionary access control (DAC) allows or prohibits access to an item based on a policy established by the owner group and/or object’s subjects.

What are the 3 types of access control?

The three primary types of access control systems are Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC).

What is the difference between MAC and DAC?

The primary difference between DAC and MAC is that the former uses an access control method where the resource owner controls access, whilst the latter gives access based on the user’s clearance level.
