In which access control model does the owner of a resource have full discretion over who can access it and with what permissions?
Discretionary Access Control (DAC): the owner of the data decides, at their own discretion, who may access it and with which permissions, so it is the correct model.
Why this answer
Discretionary Access Control (DAC) is the model in which the resource owner has full authority to grant or deny access to other subjects and to set the permissions (e.g., read, write, execute) on the object. It is typically implemented with per-object permission data that the owner controls: Access Control Lists (ACLs) on Windows NTFS objects, or on Linux the owner/group/other mode bits (changed by the owner with `chmod`) and, where finer granularity is needed, POSIX ACL entries (`setfacl`). The flip side of owner discretion is that the decision is only as good as the owner: any subject granted read access can copy the data and share the copy, and a program running as the owner can silently change the permissions, which is why DAC is considered weaker than MAC for enforcing organisation-wide confidentiality rules.
Exam trap
The trap is that candidates often confuse DAC with RBAC because both end up granting permissions to users, but the key distinction is who decides: in DAC the resource owner has full discretion over each object, whereas in RBAC an administrator assigns users to organizational roles and the permissions follow the role, not the wishes of an individual owner.
How to eliminate wrong answers
Option A (ABAC) is wrong because ABAC evaluates access from attributes of the subject, object, and environment (e.g., department, data sensitivity, time of day, location) against policy rules, not from owner discretion. Option C (RBAC) is wrong because RBAC assigns permissions to predefined organizational roles and users inherit them through role membership; the owner of a resource has no standing to grant or deny access to individuals. Option D (MAC) is wrong because MAC enforces access from system-wide security labels (a clearance on each subject, a classification such as Top Secret on each object) that the system or security administrator sets; the resource owner cannot change a label or override the comparison, so there is no owner discretion at all.
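To make the "who decides" distinction concrete, here is a small reference monitor written as an added example for this page (it is not from any real operating system or product). It implements DAC as an owner-managed ACL per object, and alongside it a MAC check driven by labels that only a hypothetical `security_admin` principal may set, so the same grant can succeed under DAC and still be denied under MAC. All users, objects, clearances and labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example: a toy reference monitor that combines
#   - DAC: each object carries an ACL that only its owner may edit, and
#   - MAC: each object carries a sensitivity label that the owner cannot
#          change; a Bell-LaPadula style comparison of clearance vs label
#          is applied regardless of what the ACL says.
# Names, levels and the "security_admin" principal are all assumptions.

PERMS = {"read", "write", "execute"}
SECURITY_ADMIN = "security_admin"   # the only principal allowed to relabel


@dataclass
class Obj:
    name: str
    owner: str
    label: int = 0                              # MAC classification level
    acl: dict = field(default_factory=dict)     # DAC: user -> set of perms


class Monitor:
    def __init__(self, clearances):
        self.objects = {}
        self.clearances = clearances            # MAC: user -> clearance level

    def create(self, name, owner, label=0):
        """A new object is labelled by the system; its owner gets full DAC rights."""
        obj = Obj(name, owner, label)
        obj.acl[owner] = set(PERMS)
        self.objects[name] = obj
        return obj

    # ---- DAC: discretion belongs to the owner --------------------------
    def grant(self, actor, name, user, perms):
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError(f"{actor} is not the owner of {name}")
        unknown = set(perms) - PERMS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        obj.acl.setdefault(user, set()).update(perms)

    def revoke(self, actor, name, user, perms):
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError(f"{actor} is not the owner of {name}")
        obj.acl.get(user, set()).difference_update(perms)

    def dac_allows(self, user, name, perm):
        return perm in self.objects[name].acl.get(user, set())

    # ---- MAC: labels are set by the system, never by the owner ---------
    def set_label(self, actor, name, label):
        if actor != SECURITY_ADMIN:
            raise PermissionError(f"{actor} may not relabel {name}")
        self.objects[name].label = label

    def mac_allows(self, user, name, perm):
        clearance = self.clearances.get(user, -1)
        label = self.objects[name].label
        if perm == "write":
            return clearance <= label      # no write-down (*-property)
        return clearance >= label          # no read-up (simple security property)

    # ---- combined decision: MAC can deny what DAC would permit ---------
    def allows(self, user, name, perm):
        return self.dac_allows(user, name, perm) and self.mac_allows(user, name, perm)
```

Running the monitor shows the exam point directly: `alice` can grant `bob` read on her file because she owns it, `bob` cannot grant anything to `eve` because he does not, and when `alice` grants `bob` read on an object labelled above `bob`'s clearance, the DAC check passes but the MAC check, which she cannot alter, still denies the access.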