Discretionary Access Control

Alternative Forms

Definitions

Definition 1

Discretionary Access Control (DAC) is an access control model whose foundation is the concept of resource ownership. In DAC, the resource owner, who by default is often the resource creator, has the legitimacy and the (possibly exclusive) capacity to grant and revoke access to the resource, often via access control lists. The owner may or may not have the capability to delegate these powers. The owner's powers may also comprise the capability to transfer ownership of the resource or to destroy it.

DAC is pervasive in IT systems. When DAC is not accompanied by complementary access control models, it naturally leads to scalability issues as the number of resources and entities grows. Also, if no process is in place to ensure the continuous ownership of resources, DAC produces orphaned resources.

There are multiple variations of DAC, such as Liberal DAC and Strict DAC.

As a model, DAC generally overlooks highly privileged administrators.

DAC is often compared with the alternative Mandatory Access Control (MAC) model.
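
The ownership rules in this definition, modeled as a small reference monitor. This is an added example, not part of the original entry; the class and method names, the `delegable` flag, and the choice to give the owner every right implicitly are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    owner: str                                   # creator becomes owner by default
    delegable: bool = False                      # may the owner delegate grant/revoke?
    acl: dict = field(default_factory=dict)      # subject -> set of rights
    grantors: set = field(default_factory=set)   # delegates named by the owner

class DacMonitor:
    def __init__(self):
        self.resources = {}

    def create(self, subject, name, delegable=False):
        self.resources[name] = Resource(owner=subject, delegable=delegable)

    def _require(self, actor, name, allow_delegates=False):
        # Authority derives from ownership, or from a delegation by the owner.
        res = self.resources[name]
        if actor != res.owner and not (allow_delegates and actor in res.grantors):
            raise PermissionError(f"{actor} has no authority over {name}")
        return res

    def grant(self, actor, name, subject, right):
        self._require(actor, name, True).acl.setdefault(subject, set()).add(right)

    def revoke(self, actor, name, subject, right):
        self._require(actor, name, True).acl.get(subject, set()).discard(right)

    def delegate(self, actor, name, subject):
        res = self._require(actor, name)         # only the owner may delegate
        if not res.delegable:
            raise PermissionError(f"{name} does not allow delegation")
        res.grantors.add(subject)

    def transfer(self, actor, name, new_owner):
        self._require(actor, name).owner = new_owner

    def destroy(self, actor, name):
        self._require(actor, name)               # only the owner may destroy
        del self.resources[name]

    def allowed(self, subject, name, right):
        res = self.resources[name]
        return subject == res.owner or right in res.acl.get(subject, ())

    def orphans(self, active_subjects):
        # Owner is no longer an active principal: under pure DAC nobody is
        # left who can grant, revoke, transfer or destroy these resources.
        return sorted(n for n, r in self.resources.items()
                      if r.owner not in active_subjects)
```

Running `orphans()` against the current list of active principals is the kind of recurring check that keeps ownership continuous when an owner leaves.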

Related Terms

  • Liberal DAC (hyponym)

  • Mandatory Access Control (MAC) (co-hyponym)

  • Resource Creator

  • Resource Owner

  • Resource Ownership

  • Strict DAC (hyponym)

Quotes

Recall that the central theme of DAC is that of resource ownership. The owner of an object has the authority over who else can access that object. Information flow in DAC is therefore driven by owner-based administration of access rights. Overlooking the role of a super administrative user, generally all variations of the DAC policies share the following characteristics:

• The creator of an object, such as a file in a file system, automatically becomes the owner of that object.

• An object can be destroyed only by its owner.

• While an object is automatically owned by its creator, ownership may optionally be shared with other subjects as well.

(Benantar, 2006, p. 217)

Bibliography

See Also
