Discretionary and Mandatory Access Control

Gangani Chamika
4 min read · May 17, 2022

Access control plays a vital role in a multiple user environment where it is critical to ensure that people can only access what they need by placing the restrictions accordingly. Access control regulates which users, applications, and devices can add, edit, view and delete resources in an organization’s environment to protect sensitive data from misuse, theft, abuse, and other threats.

However, choosing a relevant access control model can be tricky. The process of choosing and deploying an access control model looks different for each organization. This choice can depend on the nature of the protected data, IT requirements and industry standards, the number of employees, cybersecurity budget, etc.

Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are two of the popular access control models in use. The key difference between these two approaches is in how they provide access to users. With MAC, admins create a set of levels and link each user to a specific access level; that user can then access all the resources that are not greater than their access level. In contrast, each resource in DAC has a list of users who can access it. DAC provides access by the identity of the user and not by permission level.

Let’s learn more about these two approaches.

Discretionary Access Control (DAC)

Simply put, DAC is identity-based access control in which the owner of a resource restricts access to it based on the identity of the users. Furthermore, DAC mechanisms are controlled by user identification such as a username and password. DAC is discretionary because the resource owner determines who can access the resource and what privileges they have.

How DAC works…

  • Alex creates a file and becomes its owner or obtains access rights to an existing file.
  • Bob requests access to this file.
  • Alex grants access at their own discretion. However, Alex can’t grant access rights that exceed their own. For example, if Alex can only read a document, he can’t allow Bob to edit it.
  • If there’s no contradiction between the access control list created by an administrator and the decision made by Alex, access is granted.
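The grant workflow above as a small model, added here as an illustration and not taken from any real system. The `DacFile`, `grant` and `allowed` names, the two rights and the `ADMIN_ACL` contents are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed administrator ACL (an assumption for this example): the most
# each user may ever be given, whatever a resource owner decides.
ADMIN_ACL = {"alex": {"read", "write"}, "bob": {"read", "write"},
             "carol": {"read"}, "mallory": set()}

@dataclass
class DacFile:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights held

    def __post_init__(self):
        # Creating the file makes the creator its owner with full rights.
        self.acl.setdefault(self.owner, {"read", "write"})

def grant(f, granter, grantee, rights, admin_acl=ADMIN_ACL):
    """Apply a discretionary grant and return (ok, reason)."""
    rights = set(rights)
    held = f.acl.get(granter, set())
    if not rights or not rights <= held:
        return False, "granter does not hold these rights"
    if not rights <= admin_acl.get(grantee, set()):
        return False, "contradicts administrator ACL"
    f.acl.setdefault(grantee, set()).update(rights)
    return True, "granted"

def allowed(f, user, right):
    """Access check: an identity lookup in the file's own list."""
    return right in f.acl.get(user, set())

def demo():
    report = DacFile("report.txt", owner="alex")
    results = [
        grant(report, "alex", "bob", {"read"}),      # owner shares read
        grant(report, "bob", "carol", {"write"}),    # bob holds only read
        grant(report, "bob", "carol", {"read"}),     # bob re-shares what he holds
        grant(report, "alex", "mallory", {"read"}),  # admin ACL forbids it
    ]
    return report, results

if __name__ == "__main__":
    report, results = demo()
    for ok, reason in results:
        print(ok, reason)
    print(report.acl)
```

The third grant succeeds without alex being involved: anyone holding a right can pass it on, which is why DAC decisions are hard to audit centrally.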

Furthermore, the following attributes are available in DAC.

  • The object characteristics such as file size, directory path, and file name are not visible to unauthorized users.
  • User’s object ownership can be transferred to another user.
  • The access type of other users can be determined by the user.
  • Authorization failure can restrict the user access after several failed attempts.

Mandatory Access Control (MAC)

In MAC, access is determined by the system, not by the owner; the system provides access to users based on their identities and data. To gain access, the user has to submit their personal information. It is very secure because the rules and restrictions are imposed by the admin and are strictly followed. MAC settings and policy management are established in a secure network and are limited to system administrators.

How MAC works…

  • The administrator configures access policies and defines security attributes: confidentiality levels, clearances for accessing different projects and types of resources.
  • The administrator assigns each subject (user or resource that accesses data) and object (file, database, port, etc.) a set of attributes.
  • When a subject attempts to access an object, the operating system examines the subject’s security attributes and decides whether access can be granted.
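The three steps above as a small model, added here as an illustration and not taken from any real operating system. The level names, the project names, the `MacSystem` class and the deny-by-default rule for unlabeled items are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed confidentiality levels, lowest to highest (assumption).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    projects: frozenset = frozenset()  # per-project clearances

def dominates(subject, obj):
    """True when the subject's level is at least the object's level
    and the subject is cleared for every project on the object."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.projects <= subject.projects)

class MacSystem:
    def __init__(self, admins):
        self.admins = frozenset(admins)
        self.subjects, self.objects = {}, {}

    def assign(self, actor, kind, name, label):
        # Only administrators set or change security attributes.
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not change labels")
        {"subject": self.subjects, "object": self.objects}[kind][name] = label

    def can_access(self, subject, obj):
        s, o = self.subjects.get(subject), self.objects.get(obj)
        if s is None or o is None:
            return False  # unlabeled subject or object: deny (assumption)
        return dominates(s, o)

def build_demo():
    apollo, hr = frozenset({"apollo"}), frozenset({"hr"})
    mac = MacSystem(admins={"root"})
    mac.assign("root", "subject", "alice", Label("secret", apollo))
    mac.assign("root", "subject", "bob", Label("confidential", apollo))
    mac.assign("root", "object", "design.doc", Label("confidential", apollo))
    mac.assign("root", "object", "payroll.db", Label("confidential", hr))
    mac.assign("root", "object", "launch.key", Label("secret", apollo))
    return mac

if __name__ == "__main__":
    mac = build_demo()
    for who, what in [("alice", "design.doc"), ("alice", "payroll.db"),
                      ("bob", "launch.key")]:
        print(who, what, mac.can_access(who, what))
```

Unlike a DAC grant, nothing a user does changes the outcome: a non-administrator calling `assign` raises `PermissionError`.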

Furthermore, the following attributes are available in MAC.

  • MAC has tighter security because only the administrator can access or alter controls.
  • MAC policies can help to reduce system errors.
  • MAC is enforced by the operating system, which can label and delineate incoming application data.
  • Maintenance is difficult because only the administrator has access to the database.

Summary of the two approaches…

  • Access controls: In DAC, the owner determines access and privileges and can restrict resources based on the identity of the users, while in MAC only the system determines access, and resources are restricted based on the clearance of the subjects.
  • Flexibility: DAC has high flexibility with no rules and regulations. MAC is not flexible as it contains lots of strict rules and regulations.
  • Labour Intensity Level: MAC is not labour-intensive. DAC is comparatively more labour-intensive.
  • Granularity: In DAC, users can assign access rights for any other user or group, while in MAC, admins adjust clearances for each user and object manually.
  • Implementation: DAC is easier to implement than MAC.
  • Security: MAC is more secure than DAC.
  • Applicable parties: DAC can be applied in all domains. MAC can be applied in the military, government, and intelligence.

In conclusion…

MAC and DAC are two opposite models of access control. MAC is controlled by administrators and requires lots of time and effort to maintain, but it provides a high level of security. DAC is much easier to implement and maintain, as users can manage access to the data they own. However, DAC isn’t good enough for protecting sensitive data. Moreover, DAC works well for organizations that require flexibility and user-friendly workflows. On the other hand, MAC is more efficient for organizations that work with highly sensitive data.

To better protect data and improve security, adding effective access control policies is crucial. Therefore, choosing the most suitable access control model is up to the business you operate, based on the facts discussed above.