Discretionary Access Control (DAC) – Complete Study Guide for ISC2 CC Exam
Why Discretionary Access Control (DAC) Matters
Discretionary Access Control (DAC) is one of the foundational access control models in information security. Understanding DAC is critical for the ISC2 Certified in Cybersecurity (CC) exam because it represents the most common access control model used in everyday computing environments. From file permissions on your personal computer to shared folders on a corporate network, DAC is embedded in the systems we interact with daily. A solid understanding of DAC enables security professionals to recognize its strengths, weaknesses, and appropriate use cases — all of which are testable topics on the CC exam.
What Is Discretionary Access Control (DAC)?
Discretionary Access Control (DAC) is an access control model in which the owner (or creator) of a resource has the discretion (choice) to determine who can access that resource and what level of access they are granted. The word discretionary is key — it means the access decisions are left to the judgment of the resource owner rather than being enforced by a central authority or system-wide policy.
Key characteristics of DAC include:
• Owner-controlled permissions: The person who creates or owns a file, folder, or object decides who else can read, write, execute, or modify it.
• Identity-based access: Permissions are granted based on the identity of users or groups of users.
• Flexible and decentralized: Each owner manages access to their own resources independently.
• Common implementations: Windows NTFS file permissions, Unix/Linux file permissions (rwx for owner, group, others), and Access Control Lists (ACLs) are classic examples of DAC.
How DAC Works
1. Resource Creation: When a user creates a resource (such as a file, folder, or database record), that user automatically becomes the owner of that resource.
2. Owner Sets Permissions: The owner then has the ability to set permissions on the resource. These permissions specify which other users or groups can access the resource and what actions they can perform (e.g., read, write, execute, delete).
3. Access Control Lists (ACLs): DAC commonly uses ACLs to define permissions. An ACL is a list associated with an object that specifies which subjects (users or groups) have what type of access. For example:
- User A: Read, Write
- User B: Read only
- Group Finance: Read, Write, Execute
4. Permission Propagation: In many DAC implementations, the owner can grant other users the ability to further share or delegate access. This is a significant feature — and a significant risk — of DAC. A user who receives access may, in turn, grant access to others, sometimes without the original owner's knowledge.
5. Access Decisions at Runtime: When a subject (user or process) attempts to access an object (file, resource), the operating system or application checks the ACL to determine if the subject has the required permissions. If the subject's identity matches an entry in the ACL with the appropriate permission, access is granted; otherwise, it is denied.
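The five steps above, modeled as an added example (not part of the original guide, and not any operating system's actual implementation). The class and method names, the "grant" right, and the users alice, bob, carol and dave are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)        # subject -> set of rights
    grant_log: list = field(default_factory=list)  # (grantor, grantee) pairs

class DacMonitor:
    def __init__(self, groups=None):
        self.groups = groups or {}   # group name -> set of member users
        self.resources = {}

    def create(self, user, name):
        # Step 1: the creator automatically becomes the owner.
        self.resources[name] = Resource(name, owner=user)

    def check(self, user, name, right):
        # Step 5: match the subject's identity (or groups) against the ACL.
        res = self.resources[name]
        if user == res.owner:
            return True
        subjects = {user} | {g for g, m in self.groups.items() if user in m}
        return any(right in res.acl.get(s, ()) for s in subjects)

    def grant(self, grantor, name, grantee, rights):
        # Steps 2 and 4: the owner, or a holder of "grant", may share.
        # A non-owner can pass on only rights it already holds.
        needed = set(rights) | {"grant"}
        if not all(self.check(grantor, name, r) for r in needed):
            raise PermissionError(f"{grantor} may not grant {sorted(rights)}")
        res = self.resources[name]
        res.acl.setdefault(grantee, set()).update(rights)
        res.grant_log.append((grantor, grantee))

    def grants_not_by_owner(self, name):
        # Audit view: ACL entries the owner never made personally.
        res = self.resources[name]
        return [(g, t) for g, t in res.grant_log if g != res.owner]

def demo():
    # Constructed scenario: alice owns the file and delegates to bob.
    m = DacMonitor(groups={"Finance": {"dave"}})
    m.create("alice", "budget.xlsx")
    m.grant("alice", "budget.xlsx", "bob", {"read", "grant"})
    m.grant("alice", "budget.xlsx", "Finance", {"read", "write", "execute"})
    m.grant("bob", "budget.xlsx", "carol", {"read"})  # alice is not consulted
    return m
```

The grant log is the only place where carol's access can be traced back to bob rather than to the owner; a bare ACL records who has access, not who granted it.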
Advantages of DAC
• Flexibility: Owners can quickly and easily grant or revoke access as business needs change.
• Ease of use: DAC is intuitive — most users understand the concept of sharing files and setting permissions.
• Widely implemented: Most commercial operating systems (Windows, macOS, Linux) use DAC as their default access control model.
• User autonomy: Empowers users to manage their own resources without always requiring administrator intervention.
Disadvantages and Risks of DAC
• Lack of centralized control: Because each owner manages permissions independently, there is no guarantee that organizational security policies are consistently enforced across all resources.
• Vulnerability to Trojan Horse attacks: A malicious program running under a user's identity can inherit that user's permissions and access (or share) resources without the user's knowledge. This is a classic weakness of DAC and a frequently tested concept.
• Permission creep: Over time, permissions may accumulate as users share access broadly, leading to excessive access rights.
• Difficult to audit: With many individual owners making independent decisions, tracking and auditing who has access to what becomes challenging.
• Not suitable for high-security environments: Because of its inherent flexibility and lack of mandatory controls, DAC is generally considered insufficient for environments requiring strict data classification and compartmentalization (e.g., military or intelligence systems, which typically use Mandatory Access Control — MAC).
DAC vs. Other Access Control Models
Understanding how DAC compares to other models is essential for the exam:
• DAC vs. MAC (Mandatory Access Control): In MAC, access decisions are made by the system based on security labels and clearance levels, not by the resource owner. MAC is more rigid and is used in high-security environments. DAC gives control to the owner; MAC gives control to the system/policy.
• DAC vs. RBAC (Role-Based Access Control): In RBAC, access is granted based on a user's role within the organization, not by the resource owner's discretion. RBAC is centrally managed and scales well in enterprise environments.
• DAC vs. ABAC (Attribute-Based Access Control): ABAC uses attributes (user attributes, resource attributes, environmental conditions) to make access decisions. It is more granular and dynamic than DAC.
The key distinction to remember: DAC is the only model where the resource owner has discretion over who can access the resource.
Real-World Examples of DAC
• A user creates a spreadsheet on a Windows file server and uses the file's Properties > Security tab to grant read access to specific colleagues and full control to their manager.
• On a Linux system, a user sets file permissions using chmod to allow group members to read and execute a script, while restricting others from any access.
• A user shares a Google Drive document and specifies which email addresses can view or edit the file.
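The Linux chmod case above, combined with the auditing difficulty noted earlier, as an added example (not part of the original guide): it reads the owner-set permission bits under a directory and reports files where the owner has opened access to group writers or to "others". The file names and modes are constructed sample data, and what counts as a finding is an assumption of this sketch.

```python
import os
import stat
import tempfile

def describe(path):
    """Return (rwx string, findings) for one file's DAC permission bits."""
    st_mode = os.lstat(path).st_mode
    findings = []
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    # filemode() yields e.g. "-rwxr-x---"; drop the file-type character.
    return stat.filemode(st_mode)[1:], findings

def audit(root):
    """Walk root and collect files whose owner granted broad access."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            perms, findings = describe(path)
            if findings:
                report[os.path.relpath(path, root)] = (perms, findings)
    return report

def build_sample_tree():
    # Constructed sample: each mode is a choice the file's owner made.
    # 0o750 is the page's chmod case: group may read/execute, others nothing.
    root = tempfile.mkdtemp(prefix="dac_audit_")
    modes = {"deploy.sh": 0o750, "notes.txt": 0o644, "shared.csv": 0o666}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)  # same effect as running chmod as the owner
    return root

if __name__ == "__main__":
    for rel, (perms, findings) in sorted(audit(build_sample_tree()).items()):
        print(f"{perms}  {rel}: {', '.join(findings)}")
```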
Exam Tips: Answering Questions on Discretionary Access Control (DAC)
1. Look for the word 'owner': If a question mentions that the owner or creator of a resource controls who has access, the answer is almost certainly DAC. Owner-based permission management is the hallmark of DAC.
2. Remember the Trojan Horse weakness: DAC's most commonly cited vulnerability is its susceptibility to Trojan Horse attacks. If a question asks about an access control model vulnerable to Trojan Horse programs or malware inheriting user permissions, think DAC.
3. Distinguish DAC from MAC: If a question involves labels, classifications, clearances, or system-enforced policies, the answer is MAC, not DAC. If the question emphasizes user choice, owner discretion, or individual permission management, the answer is DAC.
4. ACLs are associated with DAC: Access Control Lists are a core mechanism of DAC. If a question describes permissions being set via an ACL on a file or object by the owner, it is describing DAC.
5. Flexibility = DAC; Rigidity = MAC: DAC is the most flexible (and least restrictive) of the traditional access control models. MAC is the most restrictive. RBAC falls in between.
6. Least secure of the major models: For exam purposes, DAC is generally considered the least secure access control model because it relies on individual users to make good security decisions. This is a common exam point.
7. Know that DAC is the default in most commercial OS: Windows, Linux, and macOS all implement DAC by default. This fact may appear in scenario-based questions.
8. Permission delegation risk: If a question describes a scenario where User A grants access to User B, and then User B grants access to User C without User A's knowledge, this illustrates a key risk of DAC — uncontrolled permission propagation.
9. Watch for distractors: Questions may try to confuse DAC with RBAC by describing a scenario where users share files. Focus on who makes the access decision. If it's the resource owner, it's DAC. If it's based on organizational roles assigned by an administrator, it's RBAC.
10. Scenario-based questions: The CC exam often uses scenario-based questions. When you see a scenario describing a typical office environment where employees share files and set their own permissions, identify it as DAC. When you see a scenario involving classified documents with security labels, identify it as MAC.
Summary
Discretionary Access Control (DAC) is an access control model where the resource owner determines who can access the resource and at what level. It is flexible, intuitive, and widely used in commercial operating systems. However, its decentralized nature makes it vulnerable to Trojan Horse attacks, permission creep, and inconsistent policy enforcement. For the ISC2 CC exam, always associate DAC with owner discretion, ACLs, flexibility, and Trojan Horse vulnerability, and be prepared to contrast it with MAC, RBAC, and ABAC.