Discretionary Access Control (DAC) is a type of access control where the owner of an object (such as a file, database table or other data resource) holds the authority to determine who can access that object and what specific actions (like read, write, execute delete) they are permitted to perform.
DAC is defined by the "Trusted Computer System Evaluation Criteria" (TCSEC), also known as the Orange Book. Because users have the freedom to share resources, DAC systems are considered flexible. However, this also means that they are more prone to accidental or intentional misuse.
In modern IT ecosystems, DAC is commonly used in operating systems, as well as in applications that need user-based permission settings. Let’s consider an example.
Say Sarah creates a folder on her company’s shared network drive. Since she is the owner of the folder, she can decide who else in the team can read, write or delete files inside it. She gives Alex read-only access, meaning he can open the files but not change them. She gives Carol full access, allowing her to read, write and delete files.
If Sarah later decides to remove Alex’s access, she can do that without needing approval from an admin. Exclusive control stays with Sarah unless an admin overrides it.
DAC is generally a good fit for environments where convenience and user autonomy are more important than strict control. For example:
When designed well and backed by strong authentication, DAC can offer reasonable security. However, its inherent reliance on owner discretion always leaves it vulnerable to insider threats, accidental permission misconfigurations and policy violations.
As we have covered, Discretionary Access Control is a double-edged sword. It offers flexibility and ease of use, but that same flexibility can lead to poor security decisions without the proper safeguards.
DAC works differently from MAC and RBAC (Role-based access control), both in how access is granted and who controls it.
DAC is a practical option for small businesses that need to get up and running fast without complex security tools. It lets people collaborate and share with ease, which works well in small teams with limited IT support.
But for cloud security management, extra caution is needed. Because owners control access, a simple mistake can lead to data exposure. It's better to create a clear policy on when and when not to use DAC.
For example, you can use DAC in the cloud for:
But it should never be used for things like:
Finally, here are some additional best practices to help you get the most out of your DAC setups: