Discretionary Access Control (DAC)
- Access Control List (ACL) is a way to implement DAC
Présentation 1
The owner of a protected system or resource sets policies defining who can access it.
DAC can involve physical or digital measures, and is less restrictive than other access control systems, as it offers individuals complete control over the resources they own.
However, it is also less secure, because associated programs inherit security settings and allow malware to exploit them without the knowledge of the end-user.
You can use Role Based Access Control (RBAC) to implement DAC.
Présentation 2
Access management where owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource.
These systems rely on administrators to limit the propagation of access rights.
DAC systems are criticized for their lack of centralized control.
Présentation 3
If you have used any platform such as Windows, Mac or Linux, you can easily understand and appreciate this model. If you create a folder in any of these, you can easily add/delete/modify the permissions which you want to give to different subjects. Sounds confusing? Well, it isn't. Let's take an example to understand this.
I have created a folder named "SSCP Video Course". Now since I'm the owner, it is my discretion to assign various permissions for users. I can go to the"Security" Tab and "Edit" permissions and define what users need to be given "Full control" or which users can only be given "Read" Access. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.
There is another term which is used quite often with reference to the models. It is the Access Control List. An ACL for a file would list all the users and/or groups that are authorized access to the file and the specific access granted to each.
While all seems good in the world of DAC, there are some issues with this model. While this model offers the best flexibility amongst any of the model, it is also its weakest point. For example, if a user opens an attachment that is infected with a virus, the code can install itself in the background without the user being aware of this activity. This code basically inherits all the rights and permissions that the user has and can carry out all the activities a user can perform on the system. It can send copies of itself out to all the contacts listed in the user's e-mail client, install a back door, attack other systems, delete files on the hard drive, and more. The user is actually giving rights to the virus to carry out its dirty deeds, because the user has very powerful discretionary rights and is considered the owner of many objects on the system. And the fact that many users are assigned local administrator or root accounts means that once malware is installed, it can do anything on a system.
Présentation 4
DAC is the way to go to let people manage the content they own. It might sound obvious, but for instance DAC is very good to let users of an online social network choose who accesses their data. It allows people to revoke or forward privileges easily and immediately. Reactive access control, Seeing further and Laissez-faire file sharing provide nice examples of research on DAC with users.
Backlinks