Discretionary Access Control

from Wikipedia, the free encyclopedia

Discretionary Access Control (DAC), also called user-definable access control, is a security concept for IT systems in which the decision whether a resource may be accessed is made solely on the basis of the identity of the acting subject: access rights to (data) objects are defined per user. The concept is commonly extended with user groups and roles (see Role-Based Access Control).

Discretionary Access Control is the counterpart of Mandatory Access Control, in which access is governed by system-wide rules and additional attributes of subject and object (for example security labels) that individual users cannot override.


Formally, the access rights of a discretionary system can be described as a relation over subjects, objects and rights, i.e. a function S × O × R → {yes, no}. Equivalently, they form an access control matrix with one row per subject and one column per object (one entry per subject-object pair): the entry for the pair (s, o) is the subset M(s, o) ⊆ R of rights that subject s holds on object o.

A distinctive feature is that subjects may pass their own rights on to other subjects (hence "discretionary"), whereas under Mandatory Access Control only a central administrative authority assigns rights.

In this context, subjects are actors, e.g. users, processes or programs. Objects are data or resources (such as files, printers, etc.) on which a subject can perform operations. Note that subjects can be objects at the same time: an administrator (subject), for example, has the right to delete a user (here an object). Conversely, an object can become a subject, for example when a program is "started", i.e. a process is created from a file.

One representation that takes this dual role into account is a directed graph with labelled edges: each node is a subject or object, and an edge from s to o labelled r records that s holds right r on o.
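The matrix, the owner-driven delegation and the graph view described above, as an added example that is not part of the original article. It models M(s, o) ⊆ R as nested dictionaries; the concrete rights, the rule that only the "own" right permits passing rights on, and the subject and object names used in demo() are assumptions of this example, not something the article specifies.

```python
"""Access-control matrix with discretionary delegation.

Added example, not code from the article: models the access relation
S x O x R -> {yes, no} as a matrix M[s][o] (a set of rights) and the DAC
rule that subjects pass on rights at their own discretion. The concrete
rights, the rule that only 'own' permits granting, and the names in
demo() are assumptions of this example.
"""
from collections import defaultdict

RIGHTS = frozenset({"read", "write", "delete", "own"})


class AccessMatrix:
    def __init__(self):
        # matrix[subject][obj] is the set of rights s holds on o;
        # a missing entry means "no rights", i.e. the empty set.
        self.matrix = defaultdict(lambda: defaultdict(set))

    def check(self, subject, obj, right):
        """The decision of the text: (s, o, r) -> yes/no, by identity only."""
        return right in self.matrix[subject][obj]

    def create(self, subject, obj):
        """Whoever creates an object owns it and so holds every right on it."""
        self.matrix[subject][obj] = set(RIGHTS)

    def grant(self, grantor, grantee, obj, right):
        """Discretionary delegation: an owner may pass any right, including
        'own' itself, to any other subject without a central authority."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        if not self.check(grantor, obj, "own"):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.matrix[grantee][obj].add(right)

    def revoke(self, revoker, grantee, obj, right):
        if not self.check(revoker, obj, "own"):
            raise PermissionError(f"{revoker} does not own {obj}")
        self.matrix[grantee][obj].discard(right)

    def delete_subject(self, actor, subject):
        """A subject is also an object: deleting the user 'subject' needs the
        'delete' right on it and removes its whole row from the matrix."""
        if not self.check(actor, subject, "delete"):
            raise PermissionError(f"{actor} may not delete {subject}")
        self.matrix.pop(subject, None)
        for row in self.matrix.values():
            row.pop(subject, None)

    def edges(self):
        """Graph view: one directed, labelled edge (s -> o, r) per right held."""
        return sorted((s, o, r) for s, row in self.matrix.items()
                      for o, rights in row.items() for r in rights)


def demo():
    """Constructed scenario: the account 'bob' is an object owned by root,
    and bob is at the same time a subject owning a file."""
    m = AccessMatrix()
    m.create("root", "bob")
    m.create("bob", "/home/bob/notes")
    m.grant("bob", "alice", "/home/bob/notes", "read")
    m.grant("bob", "carol", "/home/bob/notes", "own")
    m.grant("carol", "dave", "/home/bob/notes", "write")  # carol now delegates too
    try:
        m.grant("alice", "eve", "/home/bob/notes", "read")  # alice only reads
    except PermissionError:
        pass
    m.delete_subject("root", "bob")  # bob's row disappears; carol still owns the file
    return m
```

Once "own" has been passed to carol, bob can no longer control where the file's rights end up; that transitive delegation is exactly what the central authority of a mandatory system removes.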

On Windows, every securable object carries a security descriptor whose DACL (Discretionary Access Control List) lists, as ACEs (Access Control Entries), which users and groups are allowed or denied which rights; the object's owner may edit it, which is what makes it discretionary. The SACL (System Access Control List) does not grant anything: its ACEs specify which access attempts are to be audited, and the system generates an audit event when a matching access to the object occurs. Under Unix the discretionary mechanism is the owner/group/other permission bits of each file, set by the file's owner, optionally extended by POSIX ACLs.


It can be necessary to grant a user rights beyond their own for particular, restricted operations. An example under Unix is a user changing their own password, which requires writing to the system password file that ordinary users may not modify.

To enable such operations, the corresponding program file is marked with the so-called SUID (set-user-ID) flag under Unix, so that the program runs with the effective user ID of the owner of the program file rather than of the caller. Often this owner is the root user, who has access to all resources on a Unix system.

This creates the risk that an attacker who exploits a vulnerability in such a program obtains the full privileges of its owner, usually root, and with them control of the whole system.
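The Unix permission check and the set-user-ID exception just described, as an added example that is not code from the article: a model of how the owner/group/other mode bits are evaluated against a process's credentials (with the superuser bypassing the check) and of what exec() of a set-user-ID file does to those credentials. The inodes, UIDs and the passwd/shadow scenario are constructed for the example; the precedence rule for the permission classes and the root exception are the real Unix behaviour.

```python
"""Unix-style discretionary check and the set-user-ID exception.

Added example, not code from the article. Models the classic Unix decision:
exactly one permission class (owner, group or other) applies, chosen by
identity; a process with effective UID 0 bypasses read/write checks; and
exec() of a file with S_ISUID set changes the effective UID to the file
owner's. File names and UIDs below are constructed for the example.
"""
import stat
from dataclasses import dataclass, replace

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Creds:
    ruid: int            # real UID: who the user is
    euid: int            # effective UID: what the DAC check uses
    groups: frozenset    # effective GID plus supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int            # e.g. 0o4755 for a setuid-root executable


def may_access(creds: Creds, f: Inode, want: int) -> bool:
    """Root passes read/write unconditionally (execute still needs some x bit).
    Otherwise the class is picked by identity and is final: an owner whose
    owner bits deny is denied even if the 'other' bits would allow."""
    if creds.euid == 0:
        return want != X or (f.mode & 0o111) != 0
    if creds.euid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid in creds.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want


def exec_file(creds: Creds, f: Inode) -> Creds:
    """Credential change at exec(): with S_ISUID set, the effective UID
    becomes the file owner's; the real UID stays the caller's."""
    if not may_access(creds, f, X):
        raise PermissionError("not executable by this process")
    if f.mode & stat.S_ISUID:
        return replace(creds, euid=f.uid)
    return creds


def drop_privileges(creds: Creds) -> Creds:
    """What a careful setuid program does before handling untrusted input:
    give the elevated effective UID back, as setresuid(ruid, ruid, ruid) would."""
    return replace(creds, euid=creds.ruid)


# Constructed filesystem: the shadow file is root-only, passwd is setuid root,
# and a note whose owner bits deny while 'other' allows shows the class rule.
SHADOW = Inode(uid=0, gid=0, mode=0o600)
PASSWD = Inode(uid=0, gid=0, mode=0o4755)
PRIVATE_NOTE = Inode(uid=1000, gid=100, mode=0o007)

ALICE = Creds(ruid=1000, euid=1000, groups=frozenset({100}))


def demo():
    as_alice = may_access(ALICE, SHADOW, W)                 # plain DAC denies
    in_passwd = exec_file(ALICE, PASSWD)                    # euid becomes 0
    via_setuid = may_access(in_passwd, SHADOW, W)           # root bypasses DAC
    after_drop = may_access(drop_privileges(in_passwd), SHADOW, W)
    owner_quirk = may_access(ALICE, PRIVATE_NOTE, R)        # owner class is final
    return as_alice, via_setuid, after_drop, owner_quirk, in_passwd.ruid
```

The point of the model is the middle step: between exec_file() and drop_privileges() the process carries an effective UID of 0, and every access decision in that window is "yes" regardless of the file's bits. A bug reachable in that window is what turns a discretionary system over to the attacker.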

For this reason, extensions such as SELinux and AppArmor for Linux or the TrustedBSD MAC framework for FreeBSD were developed, which rest on a mandatory rather than a discretionary concept. With them, access decisions are no longer made solely on the basis of the user ID under which a Unix program runs, so that exploiting a hole in a set-user-ID program no longer by itself gives an attacker control of the whole system.

References

  1. David F. Ferraiolo and D. Richard Kuhn: Role-Based Access Controls (PDF, 62 kB). 15th National Computer Security Conference, NIST, 1992.