What is Discretionary Access Control

Discretionary Access Control (DAC) allows the owner of a resource to decide who has permission to access it.

Discretionary Access Control Definition

Discretionary Access Control (DAC) is a type of access control where the owner of an object (such as a file, database table or other data resource) holds the authority to determine who can access that object and what specific actions (like read, write, execute or delete) they are permitted to perform.

DAC is defined by the "Trusted Computer System Evaluation Criteria" (TCSEC), also known as the Orange Book. Because users have the freedom to share resources, DAC systems are considered flexible. However, this also means that they are more prone to accidental or intentional misuse.

How does DAC work within modern IT environments?

In modern IT ecosystems, DAC is commonly used in operating systems, as well as in applications that need user-based permission settings. Let’s consider an example.

Say Sarah creates a folder on her company’s shared network drive. Since she is the owner of the folder, she can decide who else in the team can read, write or delete files inside it. She gives Alex read-only access, meaning he can open the files but not change them. She gives Carol full access, allowing her to read, write and delete files.

If Sarah later decides to remove Alex’s access, she can do that without needing approval from an admin. Exclusive control stays with Sarah unless an admin overrides it.
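The Sarah scenario above as a small Python model, added here as an illustration and not taken from any product: the `Folder` class, its method names and the extra user `dave` are assumptions made for the example. It shows the two rules that define DAC: only the owner (or an overriding admin) may edit the access list, and everyone not listed is denied.

```python
from dataclasses import dataclass, field

PERMS = {"read", "write", "delete"}

@dataclass
class Folder:
    """Hypothetical resource under DAC: the owner alone edits the access list."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)    # user -> set of permissions
    audit: list = field(default_factory=list)  # (actor, action, user, perms)

    def _authorize_change(self, actor, admins):
        # DAC rule: only the owner changes permissions; an admin may override.
        if actor != self.owner and actor not in admins:
            raise PermissionError(f"{actor} does not own {self.name}")

    def grant(self, actor, user, perms, admins=()):
        self._authorize_change(actor, admins)
        unknown = set(perms) - PERMS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(user, set()).update(perms)
        self.audit.append((actor, "grant", user, tuple(sorted(perms))))

    def revoke(self, actor, user, admins=()):
        self._authorize_change(actor, admins)
        removed = self.acl.pop(user, set())
        self.audit.append((actor, "revoke", user, tuple(sorted(removed))))

    def allowed(self, user, perm):
        # The owner has full access; anyone not listed is denied by default.
        return user == self.owner or perm in self.acl.get(user, set())

def sarah_scenario():
    folder = Folder("team-share", owner="sarah")
    folder.grant("sarah", "alex", {"read"})                     # read-only
    folder.grant("sarah", "carol", {"read", "write", "delete"})  # full access
    try:
        folder.grant("alex", "dave", {"read"})  # a non-owner tries to share
        alex_could_share = True
    except PermissionError:
        alex_could_share = False
    folder.revoke("sarah", "alex")  # no admin approval needed
    return folder, alex_could_share
```

The rejected attempt by Alex leaves no entry in `folder.audit`; a production system would log denied changes as well.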

When should organizations use Discretionary Access Control?

DAC is generally a good fit for environments where convenience and user autonomy are more important than strict control. For example:

  • Standard end-user computing devices (desktops, laptops).
  • Small to medium-sized teams where users need to share files frequently and quickly.
  • Development and testing environments in which quick collaboration and permission grants are needed.
  • Organizations that don’t handle highly sensitive or regulated data.
  • Educational or research settings where data has to be openly shared.

Is DAC secure?

When designed well and backed by strong authentication, DAC can offer reasonable security. However, its inherent reliance on owner discretion always leaves it vulnerable to insider threats, accidental permission misconfigurations and policy violations. The following practices reduce that exposure:

  • Enforce a strong password policy to prevent unauthorized access through credential guessing or reuse
  • Enable two-factor authentication (2FA) to add an extra layer of identity verification
  • Regularly audit access logs and permission settings to spot unusual activity and clean up outdated or risky access
  • Don’t apply DAC to sensitive or high-value assets like tier-zero systems
  • Avoid giving DAC rights to non-human identities like service accounts, as they can be harder to monitor and secure
  • Only allow DAC where there's a clear business need, and access decisions can be trusted to the user
  • Combine DAC with stricter models (like RBAC or MAC) for critical systems

What are the benefits and limitations of DAC in cybersecurity?

As we have covered, Discretionary Access Control is a double-edged sword. It offers flexibility and ease of use, but that same flexibility can lead to poor security decisions without the proper safeguards.

Advantages of Discretionary Access Control

  • User-level control: Resource owners can quickly grant or revoke access as and when needed.
  • Wide adoption: Built into most operating systems, so it doesn’t require additional tools to implement.
  • Granular control: It supports fine-grained control, where owners can assign different permissions (like read-only, read/write, etc.) to different users/groups for the same resource.
  • Transparent ownership: There’s clear accountability as owners directly manage permissions.
  • Reduced administrative overhead: Since access decisions are decentralized, IT teams spend less time on permission management and more time on higher-level security tasks.

Disadvantages of Discretionary Access Control

  • Higher risk of misuse: Its primary weakness lies in its reliance on end-user judgment. Owners may accidentally (or maliciously) grant excessive access, or fail to revoke access when no longer needed.
  • Harder to enforce policies: Since access control is user-driven, it’s tough to maintain consistent, organization-wide rules.
  • Poor visibility for admins: It’s harder for security teams to track who has access to what across the infrastructure.
  • Susceptibility to malware: If a user's account is compromised, the malware/attacker can use their DAC permissions to access or damage anything they have access to.
  • Privilege creep risk: Over time, users may accumulate unnecessary permissions.

How DAC compares to Mandatory Access Control (MAC) and Role-Based Access Control (RBAC)

DAC works differently from MAC and RBAC, both in how access is granted and in who controls it.

Differences between discretionary and mandatory access control

  • DAC allows the resource owner to decide who gets access, while MAC relies on fixed rules set by the admin.
  • In MAC, users can't change permissions on their own, which reduces the chance of misuse and misconfigurations.
  • MAC is stricter and usually used in environments where data sensitivity is high.
  • DAC is easier to manage in casual or low-risk environments, but MAC is more reliable for protecting critical data.

Differences between discretionary access control and role-based access control

  • DAC is based on user ownership, while RBAC is based on roles assigned to users.
  • RBAC simplifies permission management in large organizations, as access is tied to roles, not individuals.
  • DAC can get messy over time as users manually assign and revoke access.
  • RBAC is unarguably the better choice for companies that need structured, scalable access control across many users and systems.

Why DAC matters for small business and cloud security

DAC is a practical option for small businesses that need to get up and running fast without complex security tools. It lets people collaborate and share with ease, which works well in small teams with limited IT support.

But for cloud security management, extra caution is needed. Because owners control access, a simple mistake can lead to data exposure. It's better to create a clear policy on when and when not to use DAC.

For example, you can use DAC in the cloud for:

  • Internal team collaboration folders
  • Shared documents for non-sensitive projects
  • Temporary development or testing environments

But it should never be used for things like:

  • Cloud IAM settings and admin consoles
  • Databases with customer or financial data
  • Backup storage or disaster recovery resources
  • Critical infrastructure like virtual machines or containers in production

More DAC security best practices

Finally, here are some additional best practices to help you get the most out of your DAC setups:

  • Set default permissions to the most restrictive level so users must manually grant access instead of everything being open by default.
  • Train users on the risks of oversharing access to help them make smarter decisions.
  • Use time-limited (or just-in-time) access where possible so permissions automatically expire after a set period.
  • Regularly review user ownership of files and resources to ensure that former employees or inactive users don’t still hold control.
  • Deploy access control monitoring tools that can flag unusual permission changes in real time.
  • Log all permission changes to create an audit trail that can be reviewed during incidents or compliance checks.
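One way to automate the permission and ownership reviews recommended above on a POSIX file system, as an added example that is not part of the original article. The function names, the sample files and the `active_uids` input (which would come from your directory or HR system) are assumptions; the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def audit_tree(root, active_uids=None):
    """Return sorted (relative path, finding) pairs for risky DAC settings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            # Ownership review: flag resources still owned by inactive accounts.
            if active_uids is not None and st.st_uid not in active_uids:
                findings.append((rel, "owner-not-active"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: three files with different mode bits."""
    old = os.umask(0o077)  # restrictive default: new files are owner-only
    try:
        for name in ("private.txt", "shared.txt", "open.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
    finally:
        os.umask(old)
    os.chmod(os.path.join(root, "shared.txt"), 0o644)  # owner overshares read
    os.chmod(os.path.join(root, "open.txt"), 0o666)    # owner opens it to all

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        # An empty active set simulates an owner who has left the organization.
        return audit_tree(root), audit_tree(root, active_uids=set())
```

`private.txt` never appears in the first result because the `umask` of `0o077` created it as `0600`; only the files the owner loosened afterwards are flagged.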

Conclusion

Discretionary Access Control is a flexible access management model that gives users direct control over who can access the resources they own. When implemented with the right safeguards and oversight, it can streamline file sharing and boost productivity – but because of its reliance on user decisions, it also poses security risks if not properly managed. In environments where sensitive data is involved, it’s important to implement strong authentication and least privilege principles to minimize risk.
