- DAC gives owners the freedom to control access permissions for their resources.
- Discretionary access control offers flexibility, empowering users to manage their own resources and collaborate effectively.
- However, discretionary controllers can be vulnerable to poor user authentication, improper logging and monitoring, and insider threats.
In the complex landscape of real estate, a discretionary access control model empowers owners and property managers to maintain robust security protocols tailored to their specific needs — where diverse tenants, employees, and visitors coexist.
Read on to learn what discretionary access control is and explore some key differences between DAC, MAC, and RBAC. Then, discover the pros and cons of using discretionary access control to safeguard valuable assets and sensitive data.
In this post, we cover:
- What is discretionary access control?
- DAC vs MAC vs RBAC
- Pros and cons of discretionary access control
What is discretionary access control?
Discretionary access control (DAC) is a cybersecurity system that gives the owner the ability to control who can access resources, like files or folders.
In other words, the owner is able to control which users are granted access to specific resources.
What is an example of discretionary access control?
An example of discretionary access control is creating a document on your laptop and deciding if only you can read it, if others can read the document but not edit it, or if certain people can edit or modify the document.
As a result, a DAC model allows for personalized control where the owner has the discretion to permit or deny access based on their preferences.
What are DAC rules?
Discretionary Access Control (DAC) rules are the guidelines that ultimately determine who can access specific resources within a computer system.
So, DAC rules ensure that protected files, folders, or programs can’t be accessed by unauthorized users. With this purpose in mind, the owner or administrator sets rules for protected resources. Then, they define which users or groups are granted or denied access privileges.
Moreover, DAC access control rules provide a flexible way for owners and administrators to manage access to resources based on their security requirements. Plus, the needs of different users and groups within the organization.
DAC rules typically include the following elements:
- Owner. The user who creates or owns the resource. With this in mind, the owner has the authority to set access permissions for said resource.
- Access control list (ACL). An ACL list lays out permissions attached to a file or folder. It also specifies which users are granted access and what operations they are allowed to perform.
- User and group assignments. Further, DAC rules specify which individual users or groups are granted the defined permissions. Additionally, users are granted different levels of access based on their roles or responsibilities within the organization.
Watch how ButterflyMX works:
What are the types of discretionary privileges?
There are several common types of discretionary privileges:
- Read. Individuals with read privileges are able to view the contents of a resource but can’t alter or delete it.
- Modify. Individuals with write privileges are able to modify the contents of a resource. So, they’re able to create new files, edit existing documents, and save changes to the resource.
- Execute. Execute privileges allow users to run a program or script, launch applications, or run specific commands.
- Delete. Delete privileges enable individuals to remove a resource from the system. So, users with delete privileges can delete files, folders, or other types of resources.
What is the difference between discretionary and nondiscretionary access control?
The main difference between discretionary and non-discretionary access control is that a non-discretionary access control design is much stricter than discretionary access control.
Moreover, non-discretionary access control (NDAC), commonly referred to as mandatory access control (MAC), only grants access permissions if the subject’s clearance level matches the sensitivity level of a resource.
In contrast, DAC empowers owners to grant access to any user of their choosing.
What are the vulnerabilities of discretionary access control?
Common vulnerabilities of DAC are:
- Broad access permissions. If a user or group is given excessive privileges, such as read and write access to sensitive files, it can lead to unauthorized access, modification, or deletion of critical data.
- Less centralized control. What’s more control permissions are usually set by individual owners, which can lead to inconsistent or conflicting access policies.
- Exploiting software vulnerabilities. Finally, attackers can exploit vulnerabilities in software to gain unauthorized access to resources.
DAC vs. MAC vs. RBAC
MAC, DAC, and RBAC differ in many ways:
|Users have control over their own objects/resources.
|Conversely, MAC decisions are made by the system, not by individual users.
|Conversely, RBAC permissions are assigned based on roles or job functions within an organization.
|Resource owners set access permissions for specific users or groups..
|Users can’t change access permissions independently. Instead, access permissions are controlled by existing system policies.
|Alternatively, access decisions are based on a user’s role rather than an individual’s identity.
|Flexible — but may lead to security vulnerabilities if permissions are not properly managed.
|Offers enhanced security, however is rigid and less flexible for users.
|Offers a balance between flexibility and security, as a result, it’s easier to manage user permissions.
|Typically used in online security systems and file-sharing environments.
|Often used in military and government environments, where strict data confidentiality is required.
|Alternatively, commonly used in large organizations because it provides a structured and efficient way to manage access.
Pros and cons of discretionary access control
What are the pros of using DAC?
- Flexible. Empowers resource owners with control over who can access their resources and what actions they can perform.
- Simple. Fortunately offers a simple and effective way to manage access control.
- Customizable. Tailor access permissions to specific individuals or groups, accommodating varying needs within an organization. Thus, you ensure different users have appropriate levels of access to resources.
- Easy to implement. Additionally, DAC systems can be implemented without the need for complex infrastructure or extensive administrative overhead.
- Great for small-scale environments. Further, discretionary systems are best suited for personal computers, home networks, and small businesses where the number of users and resources is limited.
What are cons of using DAC?
- Poor user authentication. In the instance of weak user authentication methods weak, such as using easily guessable passwords, unauthorized users may gain access to resources.
- Insecure data inheritance. Further, if a parent folder has lax permissions, these permissions can be inherited by child folders, potentially exposing sensitive data. So, improper inheritance of permissions from parent folders to child folders may be a vulnerability.
- Social engineering. Unfortunately, attackers often use social engineering techniques to bypass security measures by manipulating users into granting them access permissions.
- Improper logging and monitoring. Additionally, if there’s no proper logging and monitoring procedure in place, it can be challenging to detect unauthorized access or changes to resources. So, this may allow for potential security breaches to go unnoticed.
- Insider threats. Finally, trusted users with legitimate access rights may misuse their privileges intentionally or accidentally, leading to security breaches.