What Does DAC Mean?
On This Page
Quick Definition
DAC stands for Discretionary Access Control. It means the person who creates a file or folder gets to decide who else can see or change it. Think of it like owning a house and giving keys to only the people you choose. This is common in Windows file systems where you set permissions on your documents.
Commonly Confused With
In MAC, the system enforces access based on labels (e.g., Top Secret) and the user cannot override them. In DAC, the owner decides. MAC is used in military settings; DAC is used in everyday business.
A government file labeled Secret cannot be read by someone with a 'Confidential' clearance, even if the file's owner wants to share it. That is MAC.
RBAC assigns permissions to roles (e.g., 'Manager') and users get permissions by being assigned the role. In DAC, permissions are directly assigned by the owner, not through roles. RBAC is more centralized.
In a hospital, all doctors can view patient records because of their role (RBAC). In DAC, a doctor might share their own notes with a specific nurse.
ABAC uses attributes (user location, time of day, device type) to make access decisions. DAC only uses identity and owner's choices. ABAC is more dynamic and policy-driven.
A system allows access only if the user is inside the office network and it is during business hours. That is ABAC, not DAC.
Must Know for Exams
DAC appears across all three major exams listed: ISC2 CISSP, CompTIA Security+, and ISC2 CC. For Security+, DAC is a core concept in Domain 3 (Implementation) under Access Control Models. You will need to differentiate DAC from MAC, RBAC, and ABAC. The exam often presents a scenario where a user can share a file with others, and asks which access control model is in use. The answer is DAC because the owner has discretion. Multiple-choice questions may also ask about the primary characteristic of DAC: ownership.
For ISC2 CC (Certified in Cybersecurity), DAC is covered in the Access Controls domain. The exam expects you to know that DAC is identity-based and that the resource owner controls permissions. You should understand the concept of ACLs and how they enforce DAC. The CC exam is more foundational, so depth is less than CISSP but knowledge must be precise.
For ISC2 CISSP, DAC is a major topic in Domain 5 (Identity and Access Management). The exam goes deeper. You must understand the TCSEC criteria, the difference between discretionary and mandatory controls, and the security implications of DAC, including the Trojan horse problem. CISSP questions may present a complex scenario where a DAC configuration leads to a privilege escalation. You may also need to know how DAC is implemented in different operating systems, such as Windows DACL vs. Linux file permissions. The CISSP will not ask you to configure a DACL, but it will test your understanding of how DAC works conceptually and what its limitations are.
Across all exams, you can expect scenario-based questions where you must identify the access control model from a description. A typical question: A manager can decide who accesses a project folder. This is DAC. Another common trap: if the operating system enforces the rules regardless of the user's wishes, that is MAC. Knowing these distinctions is critical for exam success.
Simple Meaning
Discretionary Access Control, or DAC, is a way of managing who gets to use files and other resources on a computer or network. The word "discretionary" is the key here. It means that the owner of a resource gets to use their own judgment, or discretion, to decide who else can access it. This is very different from other systems where a central administrator makes all those decisions.
Imagine you have a digital photo album on your laptop. Under DAC, you are the owner of that album. You can decide to share it with your best friend by giving them read-only access, meaning they can look at the photos but not change or delete them. You could also give your family full control, allowing them to add or remove pictures. The important point is that the power sits with you, the owner. This is how many everyday computer systems work. When you right-click a folder in Windows and go to Properties, then the Security tab, you are looking at the DAC settings for that folder.
In contrast, a Mandatory Access Control (MAC) system would not let you make those choices. Instead, a central administrator would set rules based on security labels, and you would have no say in who else can see your files. DAC is more flexible and user-friendly, which is why it is so common. However, this flexibility also creates risk. If a user is not careful and gives too many people access to a sensitive file, a data breach can happen. For IT professionals, understanding DAC is the first step toward securing any environment, because it is the default access control model for most operating systems and applications.
Full Technical Definition
Discretionary Access Control (DAC) is an access control model defined by the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. In DAC, the owner of an object-such as a file, directory, or registry key-has the authority to grant or revoke access permissions to other subjects (users or processes) at their own discretion. The identity of the subject and the permissions it holds are used to determine access, typically enforced through an access control list (ACL) associated with each object.
In modern operating systems like Windows, Linux, and macOS, DAC is implemented using ACLs. Each object has a security descriptor that includes a DACL (Discretionary Access Control List). The DACL contains a list of access control entries (ACEs). Each ACE specifies a security identifier (SID) for a user or group, along with the allowed or denied permissions (e.g., read, write, execute, delete). When a subject attempts to access an object, the system checks the DACL in order. If a matching ACE denies access, the request is denied. If no deny ACE is found but an allow ACE matches, access is granted. If no ACE matches at all, access is implicitly denied.
DAC is contrasted with Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). In MAC, system-wide policies override user permissions, and labels like Top Secret and Secret are used. In RBAC, permissions are assigned to roles, and users are assigned to roles. DAC is more granular and user-driven, making it suitable for environments where users need flexible sharing capabilities. However, DAC is vulnerable to attacks such as privilege escalation via Trojan horses. If a user with DAC permissions runs malicious code, that code can inherit the user's permissions and access resources the user did not intend to share. This is a major security consideration.
DAC is a core topic in CompTIA Security+, ISC2 CC, and ISC2 CISSP exams. Candidates must understand the difference between DAC, MAC, and RBAC. They must also know the structure of ACLs, the difference between explicit and inherited permissions, and the principle of least privilege as it applies to DAC environments.
Real-Life Example
Think about a shared apartment with several roommates. In this apartment, there is a common living room and a locked closet that belongs to one roommate, Sarah. Sarah bought the closet and all the items inside it herself. She can decide who gets a key to the closet and what they can do inside. This is exactly how DAC works.
If Sarah gives her roommate John a key but tells him he can only look at the items and not take anything out, that is like giving read-only permission. If she gives her other roommate a key and says they can borrow anything they want, that is full control. Sarah can also change her mind later. If John misbehaves, she can take back his key or change the lock. The important point is that Sarah, as the owner, has total authority.
Now contrast this with a college dorm where the housing office decides everything. The housing office might say that all rooms in a certain hall are open during study hours, and no occupant can change that rule. That is like MAC. In the apartment analogy, DAC gives Sarah flexibility, but it also depends on her being responsible. If she gives a key to too many people or to someone who loses it, the closet could be stolen from. In IT, this is exactly why DAC is common on workstations but can be risky on servers handling sensitive data. The system relies on the owner's good judgment.
Why This Term Matters
DAC is the default access control model in virtually every desktop operating system and many applications. For IT professionals, understanding DAC is not optional; it is foundational. When you troubleshoot a permission issue in Windows where a user cannot access a shared folder, you are diagnosing a DAC problem. When you configure file shares on a Linux server using chmod and chown, you are applying DAC principles.
From a security perspective, DAC has both strengths and weaknesses. The strength is that it empowers users to manage their own resources, which reduces the workload on system administrators. A user can share a project folder with a teammate without needing to submit a ticket to IT. The weakness is that users often make mistakes. They may grant full control to everyone in the company, or they may not realize that inherited permissions are giving broader access than intended. This is why security auditors often check for excessive DAC permissions. The principle of least privilege must be applied to DAC: each user should only have the minimum permissions needed to do their job.
DAC also plays a role in compliance. Regulations like GDPR and HIPAA require organizations to control access to personal data. If an employee sets a DAC permission that allows all employees to read a sensitive file, that could be a compliance violation. Therefore, IT teams often implement monitoring tools to track DAC changes and alert on risky permissions. Understanding DAC is crucial for anyone pursuing a career in system administration, security analysis, or network engineering.
How It Appears in Exam Questions
DAC appears in multiple question formats across certification exams. The most common is the scenario-based multiple-choice question. For example: "A user creates a spreadsheet and grants read-only access to her team members. Which access control model is being used?" The answer is Discretionary Access Control because the owner set the permissions. Another variation: "An administrator needs to implement a model where users can control access to their own files. Which model should be chosen?" Again, DAC.
Another question type involves comparing models. You might see: "Which of the following is a disadvantage of DAC?" The correct choice is often "It is vulnerable to Trojan horse attacks" because a malicious program can inherit the user's access rights. Or "Which model allows the owner to transfer ownership?" That is also DAC.
Configuration questions are less common but appear in Security+ performance-based questions where you must identify the correct NTFS permissions for a shared folder. Troubleshooting questions may describe a situation where a user cannot access a file even though they were granted permission. The cause might be an explicit deny ACE in the DACL that overrides an allow ACE. Knowledge of how DACL ordering works (deny entries typically evaluated first) is important.
Finally, some questions test your understanding of DAC terminology. For instance: "What is the list of ACEs associated with an object called?" Answer: DACL. Or "In DAC, who can change permissions on an object?" Answer: The owner. These questions are straightforward if you know the definitions. Practice tests will help you get comfortable with the language used.
Practise DAC Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine a small company with three departments: Sales, Marketing, and IT. Sarah works in Sales and creates a document called "Quarterly Sales Targets.xlsx" on the company file server. The file server runs Windows Server and uses DAC with NTFS permissions. Sarah is the owner of the file because she created it. She now has full control.
Sarah wants to share the file with her manager in Sales, but she does not want the IT department to read it because it contains confidential revenue numbers. So she right-clicks the file, goes to Properties, then the Security tab, and edits the permissions. She adds her manager's user account and gives it Read & Execute permission. She also removes the default group "Domain Users" from the ACL so that no one else can access it by default.
Later, the IT administrator receives a help desk ticket: a user in Marketing cannot access a shared folder. But in this case, the Marketing user should not have access anyway. The administrator checks the DACL and sees that Sarah explicitly removed Domain Users. The Marketing user is not explicitly listed, so access is denied. The situation is correct. However, if Sarah had accidentally added the group Everyone with Full Control, that would be a security risk. This scenario shows how DAC puts the owner in charge and how permissions must be managed carefully.
Common Mistakes
Confusing DAC with MAC because both involve access controls.
In DAC the owner decides permissions, while in MAC the system enforces policies regardless of the owner's wishes. They are fundamentally different.
Remember: discretionary means the owner has discretion. If the owner cannot override the rules, it is not DAC.
Thinking that DAC means users can give permissions to anyone without restriction.
While DAC gives the owner flexibility, permissions are still subject to system policies like least privilege or group policies. DAC is not unlimited.
Understand that DAC gives owners control within the boundaries set by the organization's security policies.
Believing that DAC is always less secure than MAC.
DAC can be secure if properly configured with least privilege. MAC is often more secure for high-security environments, but DAC is more practical for general use.
DAC is not inherently insecure; it depends on how permissions are assigned and monitored.
Assuming DAC and RBAC are the same.
DAC is based on identity of the owner and subjects. RBAC is based on roles. In RBAC, permissions are assigned to roles, not to individuals by owners.
Remember: if it is about 'who I am' (owner), it is DAC. If it is about 'what role I have' (e.g., manager), it is RBAC.
Exam Trap — Don't Get Fooled
{"trap":"The question describes a user changing permissions on a file they own. The answer choices include MAC, RBAC, ABAC, and DAC. The learner may choose MAC if they confuse 'mandatory' with 'administrator-controlled'."
,"why_learners_choose_it":"They hear 'access control' and think the system is doing it automatically. They forget that 'discretionary' means owner-driven.","how_to_avoid_it":"Always look for who sets the permissions.
If the owner can set them, it is DAC. If a central policy overrides, it is MAC. Practice with scenarios."
Step-by-Step Breakdown
Object creation
A user (subject) creates a file or folder. The operating system assigns ownership to the creator by default. This is the foundation of DAC.
Setting permissions
The owner modifies the object's DACL. They add or remove ACEs that specify which users or groups have which permissions (read, write, etc.).
Access request
Another user attempts to open or modify the object. The operating system intercepts this request and checks the subject's security token against the object's DACL.
ACE evaluation
The system scans the DACL entries in order. If any entry explicitly denies access, the request is denied immediately. If no deny entry matches, it looks for an allow entry. If found, access is granted.
Access granted or denied
Based on the evaluation, the user either gets access or receives an 'access denied' error. The result is logged if auditing is enabled.
Practical Mini-Lesson
DAC is not just a theoretical concept; it is something IT professionals deal with daily. In a Windows environment, every file, folder, registry key, and printer has a security descriptor that includes a DACL. When a user complains they cannot access a network share, the first step is to check the share permissions and the NTFS permissions. Share permissions are also DAC-based, but they apply at the network level, while NTFS permissions apply locally. The effective permission is the most restrictive combination.
Linux file permissions are also a form of DAC. The chmod command sets read, write, and execute for the owner, group, and others. The owner can change these. However, Linux also has ACLs (via setfacl/getfacl) that provide more granular control, similar to Windows DACLs. Understanding how to set and troubleshoot these permissions is essential for any system administrator.
What can go wrong? The most common issue is over-permissioning. Users often set files to 'Everyone' or 'World' to fix a problem quickly, creating a security hole. Another issue is permission inheritance. In Windows, child objects inherit permissions from their parent by default. If you set restrictive permissions on a parent folder but forget to disable inheritance on a subfolder, the child may inherit less restrictive permissions from elsewhere. Always check effective permissions.
From a security perspective, the biggest risk with DAC is the Trojan horse attack. If a user runs a malicious program, that program runs with the user's DAC rights. It can read, modify, or delete any file the user has access to. This is why running with least privilege is critical. For exams, remember that DAC is vulnerable to this, but MAC would prevent it because the program would have a different security label. Practical takeaway: always run applications with the minimum privileges needed, and use tools like Windows Integrity Control or Linux capabilities to reduce risk.
Memory Tip
DAC = Owner Decides Access Control. The 'D' is for Discretion, the owner's choice.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
What does DAC stand for?
DAC stands for Discretionary Access Control. It is an access control model where the owner of a resource determines who can access it.
Is DAC the same as ACL?
No. ACL (Access Control List) is the mechanism used to implement DAC. DAC is the model, ACL is the tool.
Is DAC more secure than RBAC?
Not necessarily. DAC is flexible but relies on user judgment. RBAC is more centralized and easier to audit. Which is more secure depends on the environment and implementation.
What is the main weakness of DAC?
The main weakness is that it is vulnerable to Trojan horse attacks because a malicious program inherits the user's permissions. Also, users may misconfigure permissions.
In which exams is DAC tested?
DAC appears in CompTIA Security+, ISC2 CC, and ISC2 CISSP. It is a core topic for Identity and Access Management domains.
Can DAC be used in a high-security environment?
It can, but it requires strict auditing and least privilege. For high-security environments, MAC or RBAC is often preferred.
Summary
Discretionary Access Control (DAC) is a fundamental access control model that puts the power of permission assignment in the hands of the resource owner. It is the default model for most personal computers and many business systems, making it essential knowledge for any IT professional. DAC is implemented using Access Control Lists (ACLs) that specify exactly which users or groups can perform which actions on an object.
The flexibility of DAC is both its greatest strength and its greatest weakness. It allows users to collaborate quickly and efficiently, but it also introduces risk if users are not careful with permission settings. Security professionals must understand how DAC differs from other models like MAC, RBAC, and ABAC to answer exam questions correctly and to design secure systems.
For your exams, remember the key phrase: owner discretion. If the owner can set permissions, it is DAC. Be aware of the Trojan horse vulnerability and the importance of least privilege. With this understanding, you will confidently answer scenario-based questions and recognize DAC when you see it in the real world. DAC is not just a concept-it is a daily reality in IT security.