What Is Discretionary Access Control?

Discretionary access control (DAC) is a security model in which the owner or creator of a resource, such as a file or directory, has the authority to determine who can access it and what level of access they have.

What Is Discretionary Access Control (DAC)?

Discretionary access control is an access management approach in which the individual who owns or creates a resource, such as a file, folder, or database entry, has full authority to determine how that resource is shared and used. In a DAC system, the owner defines access rights, such as read, write, or execute permissions, and assigns them directly to specific users or groups. These permissions can be changed or removed at any time based on the owner’s judgment, without requiring central administrative approval.

DAC is often implemented through file system permissions and access control lists, where control is closely tied to user identity and ownership attributes. While DAC provides a high degree of flexibility and user autonomy, it also carries a greater risk of accidental or intentional misuse, since access decisions rely on the discretion of individual users rather than enforced organizational policies.

Types of Discretionary Access Control

Discretionary access control can be implemented in different ways depending on how permissions are stored, evaluated, and applied. Each type defines how resource owners grant or revoke access and how the system enforces those permissions.

Access Control Lists (ACLs)

An access control list is a table or data structure associated with each resource that specifies which users or groups are allowed to access it and what actions they can perform. ACLs provide granular control, allowing the resource owner to assign different permission levels to multiple users or groups. For example, a file’s ACL may grant one user read and write access, another user read-only access, and deny all access to others.

Capability-Based Access Control

In capability-based DAC, access rights are stored in tokens or keys, known as capabilities, that are given to users. A capability is an unforgeable reference that specifies the resource and the permitted operations. Possessing the capability grants the right to use the resource without further identity checks, making this approach efficient but requiring strict control over capability distribution and storage.

Identity-Based Access Control

This approach assigns permissions directly based on the user’s identity or account. The owner explicitly specifies which users can access the resource, often by name or unique identifier. While similar to ACLs, identity-based DAC focuses on mapping permissions directly to user identities rather than maintaining a list that can also reference groups or roles.

How Does Discretionary Access Control Work?

Discretionary access control works by linking each resource to an owner, typically the user who created it, and allowing that owner to decide who can access it and what operations they can perform.

When a user attempts to interact with a resource, the system checks the permissions set by the owner, such as read, write, or execute, against the requesting user’s identity or credentials. These permissions are usually stored in structures like access control lists or capability tokens, which define the exact level of access for each authorized user or group. If the request matches the allowed permissions, the system grants access; otherwise, it denies it. Because control is at the owner’s discretion, permissions can be modified at any time, providing flexibility but also relying heavily on the owner’s understanding of security implications.

What Is an Example of Discretionary Access Control?

An example of discretionary access control is a shared folder on a company’s internal file server where the employee who created the folder is its owner. That employee can right-click the folder’s properties, navigate to the permissions settings, and choose which coworkers can access it and what they can do, such as granting read-only access to one team member, full read/write permissions to another, and denying access entirely to others. The system enforces these permissions whenever someone attempts to open, modify, or delete files in the folder, but the authority to change them remains with the folder’s owner rather than a central administrator.

Discretionary Access Control Uses

Discretionary access control is used in various environments where resource owners need flexibility in assigning permissions and managing access. It is particularly common in systems that prioritize ease of sharing and collaboration over strict centralized control. Here are the primary uses of DAC:

• File system permissions. Operating systems like Windows, Linux, and macOS use DAC to let users manage access to their own files and directories. Owners can set permissions for other users or groups, enabling shared work while retaining control over sensitive data.
• Database access management. Many database systems allow table or record owners to grant or revoke access rights for other users. This approach is often used in collaborative database environments where individual contributors manage the visibility of their data.
• Shared network resources. DAC is applied to shared folders, printers, and other network resources so that owners can control who can use them and at what level, without relying on IT administrators for every change.
• Cloud storage services. Platforms like Google Drive, Dropbox, and OneDrive implement DAC principles by letting file owners decide who can view, comment on, or edit documents. The permissions can be changed instantly and selectively.
• Collaborative applications. Tools such as project management platforms, wikis, or content management systems often use DAC so that the creator of a document, page, or task can choose who has access and what actions they can take.

What Are the Benefits and Challenges of Discretionary Access Control?

Discretionary access control offers notable advantages in flexibility and ease of resource sharing, but it also presents challenges related to security and oversight. Understanding both sides helps determine whether DAC is the right fit for a particular environment or workload.

Discretionary Access Control Benefits

Here are the main benefits of DAC:

• Flexibility in permission management. DAC allows resource owners to grant or revoke access as needed without relying on a central administrator. This makes it easy to adjust permissions dynamically in response to project changes or collaboration needs.
• Ease of use. The permission-setting process in DAC is typically straightforward, enabling even non-technical users to control access to their resources through familiar interfaces like file properties or sharing menus.
• Granular access control. Owners can assign different permission levels, such as read, write, or execute, to individual users or groups, providing precise control over how each resource is used.
• Efficient collaboration. By allowing owners to directly share resources with specific people, DAC streamlines teamwork and eliminates delays that could arise from centralized permission requests.
• Quick adaptability. Permissions can be updated immediately, allowing fast adjustments when roles change, new team members join, or sensitive content needs to be restricted.

Discretionary Access Control Challenges

On the other hand, here are some DAC challenges to look out for:

• Security risks from user misjudgment. Since owners decide who gets access, a lack of security awareness can lead to granting excessive or inappropriate permissions, increasing the risk of data leaks or unauthorized actions.
• Inconsistent permission practices. Without centralized oversight, different users may apply varying standards for granting access, leading to a fragmented and unpredictable security posture.
• Difficulty in auditing and compliance. Tracking and reviewing permissions across multiple owners can be complex, making it harder to ensure compliance with internal policies or external regulations.
• Potential for privilege escalation. Users with granted access can sometimes transfer files or copy data to less secure locations, bypassing intended restrictions.
• Limited scalability in large environments. As the number of users and resources grows, relying on individual owners to manage permissions can create administrative overhead and coordination challenges.

DAC Compared to Other Access Models

Let’s compare DAC with other access models to learn more about their unique characteristics.

What Is the Difference Between RBAC and DAC?

The main difference between role-based access control (RBAC) and discretionary access control is in how permissions are assigned and managed.

In RBAC, access rights are tied to predefined roles within an organization, and users inherit permissions based on the roles they are assigned. This creates a centralized, policy-driven model that enforces consistent permission structures across all users in similar positions

In DAC, permissions are determined by the individual owner of a resource, who can grant or revoke access at their discretion. This makes DAC more flexible and user-driven but less consistent and harder to control in large environments.

What Is the Difference Between DAC and MAC?

The main difference between mandatory access control (MAC) and discretionary access control lies in who determines access rights and how strictly they are enforced.

In MAC, access decisions are centrally managed by a system or security administrator based on predefined policies and security labels, leaving no discretion to individual users. This model is common in high-security environments such as government and military systems.

In DAC, the resource owner, typically the creator, has full authority to decide who can access the resource and at what level, offering greater flexibility but also relying on the owner’s judgment, which can introduce security risks.

What Is the Difference Between ACL and DAC?

Discretionary access control is a broader security model in which the owner of a resource determines who can access it and what operations they can perform, while an access control list is a specific mechanism often used to implement DAC.

In DAC, the concept centers on the owner’s authority to grant or revoke permissions at their discretion, regardless of the enforcement method. An ACL, on the other hand, is a structured list attached to a resource that explicitly defines which users or groups have specific access rights.

While ACLs are commonly used within DAC systems, they can also be applied in other access control models, such as mandatory access control, making them a technical tool rather than an access control philosophy.