Non Discretionary Access Control: Definition & More

Non-discretionary access control (NDAC) can refer to any access control model besides discretionary access control (DAC). NDAC often refers to mandatory access control (MAC), in which permission is granted only if the subject’s clearance matches the sensitivity level of a given object.

Discretionary access control is called ‘discretionary’ because subjects can readily pass on access permissions at their discretion. When you run a program in Windows, for instance, you grant the application broad access to your system. If an access control model does not allow users to pass along access privileges at their discretion, it is thus a non-discretionary access control model.

Mandatory Access Control (MAC)

When people use the term ‘non-discretionary access control’, they’re often referring to mandatory access control. Under mandatory access control, both subjects and objects are assigned a clearance level. To access an object, a subject’s clearance level has to match the object’s.

The classification system used by the United States military provides a classic example of mandatory access control. Individual files and objects are assigned labels such as Top Secret, Secret, and Classified. A user with a Top Secret clearance on a given topic can access all three levels, whereas a user with a Classified label can only access Classified information on the topic.
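The contrast described above, as an added example that is not part of the original article: a DAC file whose holders can pass access on, beside a MAC reference monitor that decides reads only from administrator-assigned labels. The class names, the `security-officer` administrator, the sample users and files, and the topic scoping are assumptions, and only read access is modelled.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):          # the article's three labels, lowest to highest
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    level: Level
    topics: frozenset          # topics the clearance or file is scoped to

@dataclass
class DacFile:
    """Discretionary: whoever holds access may hand it to someone else."""
    owner: str
    readers: set = field(default_factory=set)

    def can_read(self, user):
        return user == self.owner or user in self.readers

    def grant(self, granter, grantee):
        if not self.can_read(granter):
            return False
        self.readers.add(grantee)
        return True

class MacMonitor:
    """Mandatory: decisions come only from labels set by ADMIN (assumed name)."""
    ADMIN = "security-officer"

    def __init__(self):
        self.labels = {}       # subject or object name -> Label

    def set_label(self, actor, name, label):
        if actor != self.ADMIN:
            raise PermissionError(f"{actor} may not change labels")
        self.labels[name] = label

    def can_read(self, subject, obj):
        s, o = self.labels.get(subject), self.labels.get(obj)
        if s is None or o is None:
            return False       # unlabeled subject or object: default deny
        # Clearance must be at least the file's level and cover its topics.
        return s.level >= o.level and o.topics <= s.topics

def demo():
    mac, admin = MacMonitor(), MacMonitor.ADMIN     # constructed sample data
    mac.set_label(admin, "alice", Label(Level.TOP_SECRET, frozenset({"radar"})))
    mac.set_label(admin, "bob", Label(Level.CLASSIFIED, frozenset({"radar"})))
    mac.set_label(admin, "radar-specs", Label(Level.SECRET, frozenset({"radar"})))
    return mac
```

Under the DAC class, `alice` can call `grant` to give `bob` read access; under the monitor, her attempt to call `set_label` raises `PermissionError`, so `bob` stays unable to read `radar-specs`.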

Mandatory access control is generally considered the strictest access control model, which is why it’s used for high-stakes security, such as matters of national defense. The downside is that it’s demanding to implement and entails quite a bit of bureaucracy to manage. For your typical business, implementing mandatory access control might be more trouble than it’s worth.

Fortunately, there’s always discretionary access control – as well as several other models of non-discretionary access control.

Other Non-Discretionary Access Control Models

Any access control model that does not allow users to pass on access at their discretion can be considered a non-discretionary access control model. These include the following:

  • Under role-based access control, access is granted based on roles which are assigned by an administrator.
  • Under rule-based access control, access is determined based on set rules. This form of access control is typically used by routers and firewalls to ensure network security.
  • Under attribute-based access control, access is determined based on user attributes, such as job title, team, location, and device.

These are just a few examples of non-discretionary access control models. You can find more – and learn about the above models in greater detail – in our complete guide to access control models.

About the Author

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.
