Discretionary Access Control

Discretionary Access Control (DAC) is an access control model in which the resource owner or subject with appropriate permissions determines which users or processes can access specific objects and what operations they can perform.

Expanded Explanation

1. Technical Function and Core Characteristics

DAC authorizes access to objects such as files, databases, or services based on the identity of the subject and the access rules defined by the resource owner. Implementations commonly use access control lists, capability lists, and permission bits maintained by the Operating System (OS) or application. DAC allows owners or privileged subjects to grant, modify, or revoke access rights, which can introduce risks of unintended propagation of privileges if not governed by policy.

2. Enterprise Usage and Architectural Context

Enterprises use DAC in operating systems, Database Management Systems (DBMS), collaboration platforms, and legacy applications where object owners manage permissions. It often appears as file system permissions, database grants, and application-level sharing controls. Security and architecture teams may combine DAC with centralized identity and access management, directory services, and logging to support compliance and audit requirements.

3. Related or Adjacent Technologies

DAC contrasts with Mandatory Access Control (MAC), in which a central authority enforces policies using security labels and classifications rather than owner discretion. It also differs from role-based and Attribute-Based Access Control (ABAC) models, which assign permissions based on roles, attributes, or policies instead of individual resource-owner decisions. Many enterprise systems implement hybrid models that layer DAC with role-based or attribute-based policies to meet regulatory and operational requirements.

4. Business and Operational Significance

DAC affects how organizations manage data confidentiality, access governance, and insider risk. Its flexibility allows business users and data owners to share resources without constant administrator intervention, which can reduce administrative overhead in decentralized environments. At the same time, unmanaged DAC can cause policy drift and permission sprawl, so enterprises often pair it with standards, monitoring, and periodic entitlement reviews.