Changes


Mandatory, Discretionary, Role and Rule Based Access Control

1,016 bytes added, 20:07, 7 February 2008
Discretionary Access Control
== Discretionary Access Control ==
 
Unlike Mandatory Access Control (MAC), where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data.
 
Under DAC a user can only set access permissions for resources which they already own. A hypothetical ''User A'' cannot, therefore, change the access control for a file that is owned by ''User B''. ''User A'' can, however, set access permissions on a file that she owns.
 
Where MAC attaches a ''security label'' to each resource, each resource object on a DAC-based system has an ''Access Control List'' (ACL) associated with it. An ACL lists the users and groups to which the owner has granted access, together with the level of access for each user or group. For example, ''User A'' may provide read-only access on one of her files to ''User B'', read and write access on the same file to ''User C'', and full control to any user belonging to ''Group 1''.
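The ''User A'' example above can be modelled in a few lines. This is an added illustration, not part of the original article and not any operating system's API: the <code>Resource</code> and <code>Perm</code> names, the file name, and the reading of "full control" as read + write + delete are assumptions.

```python
from enum import Flag


class Perm(Flag):
    READ = 1
    WRITE = 2
    DELETE = 4
    FULL = 7  # assumption: "full control" modelled as read + write + delete


class Resource:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {}  # ("user" | "group", principal name) -> Perm

    def set_acl(self, actor, kind, principal, perms):
        # DAC rule from the text: only the owner may change permissions.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl[(kind, principal)] = perms

    def effective(self, user, groups=()):
        # The owner keeps full rights; everyone else gets the union of
        # their own entry and the entries of the groups they belong to.
        if user == self.owner:
            return Perm.FULL
        perms = self.acl.get(("user", user), Perm(0))
        for group in groups:
            perms |= self.acl.get(("group", group), Perm(0))
        return perms

    def allows(self, user, wanted, groups=()):
        # Default deny: every requested permission bit must be granted.
        return (self.effective(user, groups) & wanted) == wanted


def build_example():
    # Constructed data mirroring the User A / B / C / Group 1 example.
    report = Resource("report.txt", owner="User A")
    report.set_acl("User A", "user", "User B", Perm.READ)
    report.set_acl("User A", "user", "User C", Perm.READ | Perm.WRITE)
    report.set_acl("User A", "group", "Group 1", Perm.FULL)
    return report


if __name__ == "__main__":
    report = build_example()
    for user in ("User A", "User B", "User C", "User D"):
        print(user, report.effective(user))
```

A principal with no matching entry (''User D'' outside ''Group 1'') receives no access, and any attempt by a non-owner to call <code>set_acl</code> is rejected.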
