Are you an EPFL student looking for a semester project?
Work with us on data science and visualisation projects, and deploy your project as an app on top of Graph Search.
Concept
Discretionary access control
Summary
In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
Discretionary access control is commonly discussed in contrast to mandatory access control (MAC). Occasionally, a system as a whole is said to have "discretionary" or "purely discretionary" access control when that system lacks mandatory access control. On the other hand, systems can implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that subjects can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.
The meaning of the term in practice is not as clear-cut as the definition given in the TCSEC standard, because the TCSEC definition of DAC does not impose any implementation. There are at least two implementations: with owner (as a widespread example) and with capabilities.
The term DAC is commonly used in contexts that assume that every object has an owner that controls the permissions to access the object, probably because many systems do implement DAC using the concept of an owner. But the TCSEC definition does not say anything about owners, so technically an access control system doesn't have to have a concept of ownership to meet the TCSEC definition of DAC.
Users (owners) have under this DAC implementation the ability to make policy decisions and/or assign security attributes. A straightforward example is the which represent write, read, and execute in each of the 3 bits for each of User, Group and Others. (It is prepended by another bit that indicates additional characteristics).
Official source
About this result
This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.
Ontological neighbourhood
Related publications (50)