Discretionary Access Control (DAC) is an access control model where the owner of a resource decides who can access it and what they can do with it. Standard file system permissions on Windows and Unix/Linux systems implement DAC — the file owner sets permissions and can grant them to other users.
DAC is flexible and administratively simple, but it creates security challenges. Owners may grant overly broad access, permissions may not be consistently applied, and there is no central oversight of access decisions. In environments requiring strict information control, DAC alone is insufficient.
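The two paragraphs above describe DAC in the abstract; the following POSIX shell script is an added example (not part of this glossary entry) that makes the model concrete. It shows the owner setting mode bits on two constructed files in a temporary directory, one restricted to the owner and one where the owner has granted write access to everyone, and then a defender's check that finds the kind of overly broad grant the entry warns about. The function names (`perm_bits`, `is_world_writable`, `audit_world_writable`) and the temporary paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the original glossary entry.
# Demonstrates DAC on POSIX file permissions: the file owner sets the mode
# bits, so the owner can just as easily grant world write access as deny it.
# A defender then audits for the overly broad grant (world-writable files).

# Constructed working directory; removed when the shell exits.
dac_demo_dir=$(mktemp -d)
trap 'rm -rf "$dac_demo_dir"' EXIT

# The owner's discretionary choices (constructed sample files):
touch "$dac_demo_dir/private.txt" "$dac_demo_dir/shared.txt"
chmod 600 "$dac_demo_dir/private.txt"   # owner read/write only
chmod 666 "$dac_demo_dir/shared.txt"    # owner granted write to everyone: risky

# perm_bits FILE -> prints the octal permission bits, e.g. 600
# (GNU stat and BSD stat use different format flags, so try both)
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_world_writable FILE -> exit status 0 if the "other" write bit is set
is_world_writable() {
    bits=$(perm_bits "$1")
    other=$(( bits % 10 ))       # last octal digit is the "other" class
    [ $(( other & 2 )) -ne 0 ]   # write permission is bit value 2
}

# audit_world_writable DIR -> prints every regular file under DIR that any
# user may write to; -perm -002 means "other write bit set" in portable find
audit_world_writable() {
    find "$1" -type f -perm -002
}

# Stand-alone run: show what the owner decided and what the audit finds.
echo "private.txt mode: $(perm_bits "$dac_demo_dir/private.txt")"
echo "shared.txt  mode: $(perm_bits "$dac_demo_dir/shared.txt")"
echo "world-writable files:"
audit_world_writable "$dac_demo_dir"
```

The audit is the point: under DAC nothing stops the owner from running `chmod 666`, so the central oversight the entry says DAC lacks has to be supplied by periodic checks like `audit_world_writable` (or by layering MAC on top).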
CISSP Relevance
DAC is covered in Domain 5 (Identity and Access Management) as a fundamental access control model. CISSP candidates must understand DAC alongside MAC and RBAC, including the security strengths and weaknesses of each model and the types of environments where each is appropriate.
External reference: NIST Glossary Discretionary Access Control
Related terms: Mandatory Access Control, Role-Based Access Control