
Discretionary Access Control in Cybersecurity: A Complete Guide
Andrea Abbondanza,
03 Jul, 2025
In an organisational system or company, a significant amount of access is required for various groups or different users. It applies to many organisations, such as corporate offices and government organisations. With important organisational data being accessed by multiple people, there must be effective, structured, and secure access control to mitigate potential risks. In that case, Discretionary Access Control (DAC) plays a crucial role in maintaining the organisation’s control system effectively. Read this article to learn about the importance of DAC.
What is discretionary access control?

Discretionary access control (DAC) is an effective and efficient security method, making it a commonly used approach among small businesses and organisations that frequently collaborate with other partners. The DAC system is managed by data owners, making data access more efficient. In DAC, organisations can allow multiple users to access and share information, modify object attributes, and set various forms of access control without requiring central authorisation. The advantage of using discretionary access control is that it is easy to implement and provides users with control over their data. However, with that control comes responsibility, especially in larger teams where access needs to be managed carefully.
How does discretionary access control work?

DAC works by tying access permissions directly to the file’s owner. When someone creates a file or folder, they become its owner and can set rules for who else can view or change it. This can be both an advantage and a disadvantage of using Discretionary Access Control (DAC). Other members of the internal team will have easy access to the data because the owner has granted permission and access, eliminating the need to spend time requesting approval and manually accessing the data. However, if owners do not review their members’ permissions regularly, old access permissions may linger and could lead to insider threats. In short, DAC works by having owners grant permissions to other users and groups and manage the access control list of each resource.
When do you use DAC?

Discretionary access control is ideal when users need complete control over their files, and fast collaboration is a top priority. This system works well in business environments where team members frequently create, share, and update documents. DAC is also well-suited for environments that do not require strict access rules, such as marketing or creative teams.
By using DAC, organisations can access information easily and with reasonable control, as this access control system is highly flexible. However, there are a few key considerations to keep in mind, such as ensuring that data shared with multiple groups does not contain sensitive information and regularly updating permission lists to reflect changes.
Benefits of DAC

Speed and efficiency
Applying discretionary access control to an organisation saves a significant amount of time because each user does not have to go through a lengthy process to obtain data. Moreover, users can grant or remove access in seconds without waiting for an admin. DAC therefore improves the quality of teamwork and makes day-to-day work easier.
Flexibility
Discretionary access control is highly flexible because it allows freedom to manage access within a system. With the DAC system, organisations that frequently change members or those that often collaborate will work more effectively and make it easier for every user.
Simple policy management
Using discretionary access control does not require a long and challenging process, making it easy for all users to use even without assistance from the tech dev team. DAC does not employ a complex system, aiming to make it easy for users to gain access with just a few clicks. There are also no lengthy approval chains because the data owners manage it.
Low administrative burdens
One of the advantages of DAC that makes it popular among many organisations is that it can reduce administrative burdens. Not all users require assistance from the IT team, which will lower their workload. As a result, administrative processes can be carried out efficiently without requiring prior permission.
DAC Rules
Understanding the basic rules of DAC is crucial to grasping how it operates. These rules set clear guidelines for who controls access, how permissions are granted, and how users are grouped.
Owner
DAC is a system in which each data owner controls access to the objects they own, making the owner the heart of DAC. The owner is the user responsible for granting permissions, allowing other users to edit and access data. In addition to granting permissions, the owner can also modify access at any time. This gives individuals the freedom to manage their data but also places a significant amount of responsibility on them to ensure they are not inadvertently sharing sensitive or private information. Therefore, proper access management by the owner is essential to avoid potential security risks to the organisation’s data.
ACL
ACL, or Access Control List, is an essential component of DAC because it is a list of various users who can access data within an organisation. Therefore, only users on the list can easily obtain permissions, including viewing, modifying, deleting, or executing a file. When you set permissions for a document in a shared folder, the ACL is where those permissions are recorded.
Users & Groups
While owners control individual permissions, access can also be assigned to groups. Groups are beneficial in larger teams or organisations where many users need similar access rights. Instead of granting permissions to each user individually, a group is created, and all users in that group inherit the same permissions. For instance, a team working on a project might be assigned a group with read-and-write access to all project files.
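The three rules above (owner, ACL, users and groups) can be captured in a few lines of code. The following is an added illustration, not code from the article: a toy DAC model in which only the owner of a resource may edit its ACL, permissions can be granted to either individual users or groups, and a user’s effective permissions are the union of direct and group-inherited grants. The class names, permission names and the sample users (alice, bob, carol, dave, eve) and group (project-x) are all assumptions made for the example; treating the owner as always holding every permission is a simplification of how real file systems behave.

```python
"""Toy discretionary access control (DAC) model: owner-managed ACLs with group inheritance.

Added illustration, not code from the article. All names below are assumptions.
"""
from dataclasses import dataclass, field

READ, WRITE, DELETE, EXECUTE = "read", "write", "delete", "execute"
ALL_PERMS = frozenset({READ, WRITE, DELETE, EXECUTE})


class AccessDenied(Exception):
    """Raised when a non-owner tries to change an ACL."""


@dataclass
class Resource:
    name: str
    owner: str
    # ACL: principal -> set of permissions.
    # Principals are written "user:<name>" or "group:<name>".
    acl: dict = field(default_factory=dict)

    def grant(self, actor, principal, perms):
        """Only the owner may modify the ACL: this is the 'discretionary' part of DAC."""
        if actor != self.owner:
            raise AccessDenied(f"{actor} is not the owner of {self.name}")
        unknown = set(perms) - ALL_PERMS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(principal, set()).update(perms)

    def revoke(self, actor, principal, perms=None):
        """Remove some (or, with perms=None, all) permissions held by a principal."""
        if actor != self.owner:
            raise AccessDenied(f"{actor} is not the owner of {self.name}")
        if principal not in self.acl:
            return
        if perms is None:
            del self.acl[principal]
            return
        self.acl[principal] -= set(perms)
        if not self.acl[principal]:
            del self.acl[principal]

    def effective_permissions(self, user, groups):
        """Union of direct grants and grants to any group the user belongs to.

        The owner is treated as always holding every permission (simplification).
        `groups` maps user -> set of group names.
        """
        if user == self.owner:
            return set(ALL_PERMS)
        perms = set(self.acl.get(f"user:{user}", set()))
        for group in groups.get(user, ()):
            perms |= self.acl.get(f"group:{group}", set())
        return perms

    def check(self, user, groups, perm):
        """True if `user` may perform `perm` on this resource."""
        return perm in self.effective_permissions(user, groups)


def demo():
    """Walk through the owner/ACL/group rules on constructed sample data."""
    groups = {"bob": {"project-x"}, "carol": {"project-x"}, "dave": set()}
    doc = Resource("plan.docx", owner="alice")
    # The owner shares with a whole group at once, and with one extra user.
    doc.grant("alice", "group:project-x", {READ, WRITE})
    doc.grant("alice", "user:dave", {READ})
    results = {
        "bob_write": doc.check("bob", groups, WRITE),   # inherited from project-x
        "dave_write": doc.check("dave", groups, WRITE), # dave only has read
        "dave_read": doc.check("dave", groups, READ),
    }
    # A non-owner cannot re-share the file, however much access they hold.
    try:
        doc.grant("bob", "user:eve", {READ})
        results["bob_can_grant"] = True
    except AccessDenied:
        results["bob_can_grant"] = False
    # The owner can withdraw access at any time.
    doc.revoke("alice", "user:dave")
    results["dave_read_after_revoke"] = doc.check("dave", groups, READ)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is that `grant` and `revoke` check the actor against the owner, not against the actor’s own permissions: in DAC, holding write access to a file does not let you share it, only ownership does.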
DAC in action
Here are some real-life examples to understand how it works in practice. It will demonstrate the strengths and weaknesses of DAC and how it plays out in typical workplace scenarios.
Example one: A product manager’s data access lingers
Not all product managers have long-term contracts, especially when working on a short-term project. During the project and while working with many other employees in an organisation, they naturally have access to various organisational data and may even encounter sensitive or private information. Once the project is complete, the product manager may still have access to this data and could misuse sensitive information, especially if the product manager moves to another organisation. In this case, the challenge of DAC lies in the potential for forgotten or overlooked permissions.
Example two: Contractors with persistent permissions
An organisation sometimes hires several contractors or temporary staff to maintain workforce flexibility. The primary reason for hiring temporary workers is typically for projects that do not last too long, allowing the organisation to avoid the considerable costs associated with permanent staff. Under DAC, granting access to non-permanent staff can lead to potential risks if that access is not managed correctly. Regular audits are necessary to ensure that all access rights are current and relevant, but this isn’t always feasible, especially in larger companies or teams.
Challenges of DAC
While DAC is a flexible and helpful method for managing file access, it does have its challenges. Let’s examine some of the most common issues that arise with DAC systems and explore why they necessitate careful management and attention.
Lack of visibility
One of the biggest challenges of DAC is the lack of visibility into who has access to what. Since users control their permissions, it can become difficult for administrators or IT teams to track and review access rights across an entire organisation. As permissions are updated on an individual basis, there is no central record that shows who has access to which files or resources at any given time.
Security
While DAC provides flexibility, it can also expose organisations to risks if users aren’t careful with how they manage access. For example, users may unintentionally grant access to sensitive data to individuals who shouldn’t have it. Because DAC relies on individual users to make decisions, mistakes are more likely to happen, and malicious insiders could misuse the system. In organisations with large numbers of users or complex projects, access can be too freely given, increasing the likelihood of a data breach. To mitigate this risk, it’s important to implement strict policies, provide training on proper access management, and regularly audit access control lists.
Poor data protection
With DAC, data protection can be more challenging to enforce. Since users can manage their permissions, files can be shared, copied, or modified without oversight. This could lead to accidental data loss, unauthorised data distribution, or even malicious actions. DAC is typically not as secure as more restrictive models, such as Mandatory Access Control (MAC), which provides centralised control over permissions.
Maintenance
Maintaining a DAC system can be time-consuming, especially in larger organisations. As team members come and go, it’s easy to forget to update access permissions, resulting in outdated or unnecessary access remaining in the system. Inactive users may still have access to files they no longer need, increasing the risk of a security breach.
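The two scenarios in “DAC in action” (a product manager’s and contractors’ lingering access) and the “Lack of visibility” and “Maintenance” challenges above all come down to the same missing piece: a central view of who holds what, built from the ACLs that individual owners manage. The following is an added example, not code from the article. It takes a constructed export of ACL entries from several owners’ shares, inverts it into a per-user index, and flags three kinds of lingering access: grants to users no longer on the active roster, group memberships of departed users, and grants older than a chosen age. The record layout, the roster, the group list, the sample file names and the cut-off of 180 days are all assumptions; the audit date is the article’s publication date.

```python
"""Audit owner-managed ACLs for lingering access and build a central who-has-what view.

Added illustration, not code from the article. The record layout, roster, groups
and sample entries are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: one row per ACL entry, as exported from many owners' shares.
# Layout: (resource, owner, principal, permissions, granted_on)
ACL_EXPORT = [
    ("finance/budget.xlsx", "alice", "user:pm-temp", {"read", "write"}, date(2024, 11, 2)),
    ("finance/budget.xlsx", "alice", "group:finance", {"read"}, date(2025, 1, 15)),
    ("hr/salaries.csv", "frank", "user:contractor-7", {"read"}, date(2024, 6, 30)),
    ("project-x/plan.docx", "alice", "group:project-x", {"read", "write"}, date(2025, 5, 20)),
    ("project-x/plan.docx", "alice", "user:dave", {"read"}, date(2025, 6, 1)),
]

# Constructed HR roster and group directory. "pm-temp" and "contractor-7" have left,
# but pm-temp is still listed in the project-x group.
ACTIVE_USERS = {"alice", "frank", "dave", "bob", "carol"}
GROUP_MEMBERS = {"finance": {"frank", "alice"}, "project-x": {"bob", "carol", "pm-temp"}}

TODAY = date(2025, 7, 3)  # audit date used by the example (the article's date)
MAX_GRANT_AGE_DAYS = 180   # assumed review interval


def who_has_what(acl_export, group_members):
    """Invert per-resource ACLs into a per-user view: the central record DAC lacks.

    Owners are listed with full control over their own resources (simplification);
    group grants are expanded to every member of the group.
    """
    index = defaultdict(lambda: defaultdict(set))
    for resource, owner, principal, perms, _granted_on in acl_export:
        index[owner][resource] |= {"read", "write", "delete", "execute"}
        kind, name = principal.split(":", 1)
        users = {name} if kind == "user" else group_members.get(name, set())
        for user in users:
            index[user][resource] |= set(perms)
    return {user: {res: set(p) for res, p in resources.items()} for user, resources in index.items()}


def find_lingering(acl_export, active_users, group_members, today, max_age_days=MAX_GRANT_AGE_DAYS):
    """Return (kind, resource, subject) findings for access that should be reviewed."""
    findings = []
    for resource, _owner, principal, _perms, granted_on in acl_export:
        kind, name = principal.split(":", 1)
        if kind == "user" and name not in active_users:
            # Direct grant to someone who has left: the product-manager scenario.
            findings.append(("departed_user", resource, name))
        if kind == "group":
            # Group still contains departed members, so the grant leaks to them.
            for member in sorted(group_members.get(name, set()) - active_users):
                findings.append(("departed_group_member", resource, f"{name}/{member}"))
        if (today - granted_on).days > max_age_days:
            # Old grant nobody has re-confirmed: the contractor scenario.
            findings.append(("stale_grant", resource, principal))
    return findings


def audit(today=TODAY):
    """Run the audit over the constructed sample."""
    return find_lingering(ACL_EXPORT, ACTIVE_USERS, GROUP_MEMBERS, today)


if __name__ == "__main__":
    print("Per-user access index:")
    for user, resources in sorted(who_has_what(ACL_EXPORT, GROUP_MEMBERS).items()):
        for res, perms in sorted(resources.items()):
            print(f"  {user:14} {res:24} {','.join(sorted(perms))}")
    print("Findings:")
    for kind, resource, subject in audit():
        print(f"  {kind:22} {resource:24} {subject}")
```

Run regularly (for example from the HR leaver process), the `departed_user` and `departed_group_member` findings are exactly the cases the two scenarios above describe, and the per-user index gives administrators the visibility that owner-by-owner management otherwise hides.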
Frequently Asked Questions
What is the difference between DAC and RBAC?
DAC gives control to the file owner, while Role-Based Access Control (RBAC) assigns access based on a person’s job role. RBAC is more structured and works better in large teams. On the other hand, DAC is more flexible but can be riskier without strong policies.
What is the difference between DAC and MAC?
Mandatory Access Control (MAC) is stricter than DAC. In MAC, only system administrators can decide who gets access. It’s used in high-security environments. By contrast, DAC is user-managed and easier to change, but it is also more prone to mistakes.
What is the difference between ACL and DAC?
An Access Control List (ACL) is a tool used within DAC. DAC is the overall model, and ACL is the mechanism for recording and managing permissions. DAC could be defined as the system, and ACL is the mechanism by which that system keeps track of access.
Conclusion
Discretionary access control is a helpful and straightforward method for managing digital access, particularly in fast-paced environments where collaboration is essential. But with its ease comes risk, so it needs to be handled with care. Knowing when to use DAC and how to maintain it can make all the difference in keeping your data safe and your team efficient. If you’re in charge of system access, understanding DAC is a crucial step toward enhanced security management.
