Discretionary Access Control: How It Works

Discretionary access control, frequently abbreviated to DAC, is the most widely used access control model. Under discretionary access control, every object in a system has an owner, and this owner can allocate access for the object at their discretion. By default, an object’s owner is usually the person who created it.

Discretionary access control is the backbone of nearly all consumer operating systems, including Windows and macOS. It’s also commonly used for cloud services such as Google Drive. Whether you know it or not, you are almost certainly using some form of discretionary access control in your day-to-day computing life.

The discretionary access control model is popular because of the flexibility it offers. It essentially puts power in the hands of individual object owners. As such, it entails quite a bit less overhead than most other access control models. But discretionary access control can become unmanageable for larger organizations, especially if thousands of individual employees might be object owners.

How Discretionary Access Control Works

Under discretionary access control, an objects’ owner is in charge of access to it. Typically, the object’s owner is the person who created it. If you create a Google Doc, for instance, you become the owner of that document. From there, you can hand out access privileges to other people.

But ownership does not always belong to an objects’ creator. You might have a shared folder in which any objects created default to the folder’s owner. And in any case, an object’s owner can always decide to transfer ownership to someone else.

Discretionary access control operates by using access control lists, or ACLs. Every object under DAC has its own access control list, which lists access control entries, or ACEs, for individual users and groups.

The access control list for a document might include entries for Greg, Carrie, and Sylvester. Greg might have permission to read the document, Carrie might have permission to read and modify the document, and Sylvester might have broader administrative powers. Let’s work through another example, showing how access control works in Windows.

Discretionary Access Control in Windows

You can see the access control list for any object in Windows by right clicking the object, opening its Properties, and then opening the Security tab on this window. You can see an example in the screenshot below.

The upper panel, titled “Group or user names,” lists users. The lower panel lists access rights given to each user. From lowest to highest access level, these include:

  • List folder contents: Allows a user to see the file names and subfolders contained in a folder, but permits no further access to view or edit the files themselves.
  • Read: Allows a user to view or copy the file or folder, or the items contained within a folder.
  • Read and execute: Includes all Read privileges, plus the ability to run applications.
  • Write: Includes all Read privileges, plus the ability to add files and subfolders.
  • Modify: Includes all Write privileges, plus the ability to modify or delete files and subfolders.
  • Full control: Includes all of the above permissions, plus the ability to change permissions for all files and subfolders.

For each of these settings, “Allow” means a user has the privilege in question; “Deny” means they do not. If a user is not listed, they are denied access based on the implicit deny principle: if access isn’t explicitly allowed, it is denied by default.

Permissions can be modified by the object’s owner or by any user with full control. The owner can always change these permissions, even if they have no other access explicitly listed. You can find the objects’ owner by clicking the Advanced button on this panel.

The objects’ owner doesn’t always have unlimited authority. In many systems, administrators and other high level users can supersede the owner and take ownership of the object.

Discretionary access controls form the foundation of access control in Windows. But users can also implement role-based access controls by setting up groups and shared settings. Windows also uses elements of mandatory access control to protect the core of its operating system and security features from malware.

Strengths & Weaknesses of Discretionary Access Control

The biggest strength of discretionary access control is its flexibility. By putting power in the hands of ground level users, DAC makes it easier for the people doing the work to do their jobs and manage access to the work they own.

Discretionary access control’s ubiquity is another major strength: most people use DAC every day, without even realizing it. It’s not hard to implement a basic DAC system – if you don’t have a conscious policy in place, most of your computer systems are probably operating on DAC principles by default.

On the downside, discretionary access control tends to get unwieldy the larger the organization gets. A system that’s light and flexible for a small team can become downright convoluted at an organization where any of a thousand users might be the owner of any given object. There are ways to administer DAC at larger organizations – but many of these methods point to the role-based access control model, in which users are grouped to simplify access control.

Discretionary access control systems can also face security issues, especially if you simply let default DAC systems run their course from the ground up with no administrative guidance. These controls work best as part of a carefully considered access control policy, including security awareness training to make sure you’re putting access control power in the hands of well-educated users.

Alternatives to Discretionary Access Control

All told, discretionary access control is a highly effective and user-friendly access control model. It works perfectly for individuals and small teams; and with the right policies in place, it can even scale up to handle much larger organizations.

You might also consider role-based access control, which allocates access based on specific roles, such as “Accounting”, “HR”, or “C-team”. This group-based model is a natural fit for organizations, and it can greatly simplify access management relative to discretionary access control.

For a high-security option, you might also consider mandatory access control, or MAC. This model gives both users and objects security labels, such as Classified, Secret, and Top Secret. To access a given object, a user must have a security label matching or exceeding that of the object.

Mandatory access control is often considered the most secure access control model, but it’s also highly rigorous to implement. There’s a reason the U.S. Department of Defense uses it, but for most businesses, MAC is too stringent to use for everyday purposes.

That said, you can always implement elements of different access control models. Windows is based on a foundation of discretionary access control, for instance, but includes elements of mandatory access control to shore up critical vulnerabilities, and gives users the tools to readily implement role-based access control. While it’s helpful for an organization to have an overarching access control policy, these models are not mutually exclusive.

To learn more, see our complete guide, which covers eight access control models.

Leave a Comment