Discretionary access control is a type of access control defined by the Trusted Computer System Evaluation Criteria as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Q: What is discretionary access control?
A: Discretionary Access Control (DAC) is a security model used to manage access to resources based on the discretion of the resource owner or administrator.
In DAC, the resource owner determines who is granted access to a particular resource and what level of permissions each user or entity is assigned. This model allows for a high degree of flexibility, as it places control in the hands of individual users or administrators, enabling them to set access permissions according to their own judgment.
While DAC provides a straightforward way to manage access, it can also introduce potential security risks if resource owners do not adequately safeguard sensitive data or if there are lapses in permission management. As a result, many organizations combine DAC with other access control models, such as Mandatory Access Control (MAC), to create a more comprehensive and secure access control framework.
A new access control model that takes elements from DAC is On-Demand Access Control (ODAC). In this model, users are granted role-based, auto-expiring access to resources by the resource owner, who can set the duration of access. Switching to ODAC can reduce unnecessary access by up to 29x, without creating bottlenecks that slow teams down.
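The following is an added example, not code from this page or from any product it mentions. It models the DAC behaviour described above in a few lines of Python: each resource has an owner, only the owner may add or remove entries in the access control list, and every access is checked against that list. It also shows the two points made in the surrounding text: a permanent grant that the owner forgets about is exactly the "lapse in permission management" risk, and a time-bound grant (the auto-expiring access idea) removes that risk without the owner having to remember to revoke. All names here (`Resource`, `Grant`, `grant`, `revoke`, `check_access`, `permanent_grants`) and the sample subjects (`alice`, `bob`, `carol`, `dave`) are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Constructed example of a discretionary access control (DAC) model.
# Nothing here is taken from a real product; the names are this example's own.


class PermissionDenied(Exception):
    """Raised when a subject tries to change an ACL it does not own."""


@dataclass
class Grant:
    permissions: FrozenSet[str]
    expires_at: Optional[datetime] = None  # None means a permanent (classic DAC) grant


@dataclass
class Resource:
    name: str
    owner: str
    acl: Dict[str, Grant] = field(default_factory=dict)  # subject -> Grant


def _now(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def grant(resource: Resource, actor: str, subject: str, permissions,
          duration: Optional[timedelta] = None, now: Optional[datetime] = None) -> Grant:
    """Owner adds an ACL entry. The owner-only check is the defining DAC property:
    access is decided at the resource owner's discretion, not by a central policy."""
    if actor != resource.owner:
        raise PermissionDenied(f"{actor} is not the owner of {resource.name}")
    expires = _now(now) + duration if duration is not None else None
    g = Grant(frozenset(permissions), expires)
    resource.acl[subject] = g
    return g


def revoke(resource: Resource, actor: str, subject: str) -> None:
    """Owner removes an ACL entry; non-owners are refused."""
    if actor != resource.owner:
        raise PermissionDenied(f"{actor} is not the owner of {resource.name}")
    resource.acl.pop(subject, None)


def check_access(resource: Resource, subject: str, permission: str,
                 now: Optional[datetime] = None) -> bool:
    """Access decision: owner always allowed, otherwise consult the ACL and
    honour the expiry so a time-bound grant lapses without any manual revoke."""
    if subject == resource.owner:
        return True
    g = resource.acl.get(subject)
    if g is None:
        return False
    if g.expires_at is not None and _now(now) >= g.expires_at:
        return False
    return permission in g.permissions


def permanent_grants(resource: Resource):
    """Review helper: list subjects holding grants with no expiry. These are the
    entries an owner has to remember to clean up, i.e. the DAC risk in practice."""
    return sorted(s for s, g in resource.acl.items() if g.expires_at is None)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    report = Resource("quarterly-report.pdf", owner="alice")
    grant(report, "alice", "bob", {"read"}, now=t0)                       # permanent
    grant(report, "alice", "dave", {"write"}, timedelta(hours=1), now=t0)  # expires
    print("bob read now:", check_access(report, "bob", "read", now=t0))
    print("dave write +30m:", check_access(report, "dave", "write", now=t0 + timedelta(minutes=30)))
    print("dave write +2h:", check_access(report, "dave", "write", now=t0 + timedelta(hours=2)))
    print("grants needing manual cleanup:", permanent_grants(report))
```

Passing `now` explicitly keeps the decision logic deterministic and testable; a real system would read the clock and would also log every `grant`, `revoke` and denied `check_access` so that ACL changes made at an owner's discretion remain auditable.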
Want to learn more about On-Demand Access Control? Feel free to schedule time that works for you and we're happy to answer any questions you have!