Discretionary access control

From WikiMD's Wellness Encyclopedia


Latest revision as of 09:30, 17 March 2025

Discretionary Access Control (DAC) is a type of access control system that restricts access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject.

Overview

In a DAC model, the owner of the protected system, data, or resource sets the policies defining who can access it. This model is commonly used in operating systems and database management systems.

Key Concepts

  • Subjects: Entities (such as users or processes) that request access to objects.
  • Objects: Resources (such as files, databases, or devices) that are being accessed.
  • Permissions: The types of access granted to subjects, such as read, write, execute, or delete.

Advantages

  • Flexibility: Owners can easily change access permissions.
  • Simplicity: Easy to implement and understand.

Disadvantages

  • Security Risks: Because permissions can be easily transferred, they can end up giving access to subjects who were never meant to have it.
  • Lack of Central Control: Difficult to enforce organization-wide security policies.
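
The pass-on behaviour described in the introduction and the risk listed under Disadvantages, as an added Python sketch that is not part of the original article. It is a toy model (the class `DacObject`, the subjects and the file name are all hypothetical) in which any holder can grant a permission onward, with an audit that traces each subject's access back to the owner.

```python
from dataclasses import dataclass, field

@dataclass
class DacObject:
    """Toy DAC-protected object; all names here are hypothetical."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # (subject, perm) -> grantor

    def holds(self, subject, perm):
        # The owner implicitly holds every permission on its object.
        return subject == self.owner or (subject, perm) in self.acl

    def grant(self, grantor, grantee, perm):
        # Discretionary rule: any current holder may pass the permission on.
        if not self.holds(grantor, perm):
            raise PermissionError(f"{grantor} lacks {perm} on {self.name}")
        if grantee != self.owner:
            self.acl.setdefault((grantee, perm), grantor)  # keep first grantor

    def revoke(self, subject, perm):
        # Cascading revoke: also drop everything passed on through `subject`.
        pending = [subject]
        while pending:
            s = pending.pop()
            if self.acl.pop((s, perm), None) is not None:
                pending += [g for (g, p), by in self.acl.items()
                            if p == perm and by == s]

    def chain(self, subject, perm):
        """Audit: the delegation path from the owner to `subject`."""
        path = [subject]
        while path[-1] != self.owner:
            path.append(self.acl[(path[-1], perm)])
        return path[::-1]

    def indirect_holders(self, perm):
        """Subjects whose access did not come straight from the owner."""
        return sorted(s for (s, p), by in self.acl.items()
                      if p == perm and by != self.owner)

def build_example():
    # Constructed scenario: alice owns the file and only ever authorizes bob.
    obj = DacObject("payroll.csv", owner="alice")
    obj.grant("alice", "bob", "read")
    obj.grant("bob", "carol", "read")    # bob passes it on (direct)
    obj.grant("carol", "dave", "read")   # reaches dave indirectly
    return obj

if __name__ == "__main__":
    obj = build_example()
    print(obj.indirect_holders("read"), obj.chain("dave", "read"))
```

The audit output is what a reviewer would compare against the owner's intent: every subject in `indirect_holders` got access through someone else's discretion, and `revoke` on an intermediate holder removes the whole branch below it.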

Comparison with Other Models

DAC is often compared with other access control models such as Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). Unlike DAC, MAC does not allow users to pass permissions to others, and RBAC assigns permissions based on roles rather than individual users.

Applications

DAC is widely used in various systems, including:
