What Is Discretionary Access Control?
Discretionary access control is a security model where the owner of a resource decides who can access it — and what they can do with it. The owner sets the rules — at their own choice. Specifically, they can grant read, write, or delete rights to any user they choose, and they can change those rules at any time. No central admin is needed.
Here’s a simple way to think of it. When you share a Google Doc and pick who can view or edit it, that’s discretionary access control in action. You — the owner — decide who gets in. You can add people, remove them, or change their access level with a click. The choice is yours, not a central system’s.
Why Discretionary Access Control Matters
Discretionary access control is one of the oldest and most common access models in use. It’s built into every major OS — Windows, Linux, and macOS. Furthermore, it powers file sharing on Google Drive, Dropbox, and SharePoint. And it’s the default model for most small teams and personal devices. Consequently, most users interact with it every day without even knowing it. It’s the model that powers the “share” button on every platform — and the one that most people learn first.
However, what makes it easy also makes it risky. Because the owner controls access — not a central policy — there’s no guarantee that the rules are consistent, reviewed, or secure. That’s why discretionary access control works best for low-risk data and small teams — and why firms that handle sensitive data pair it with stronger models like RBAC, ABAC, or MAC.
Discretionary access control lets the resource owner decide who can access it and what they can do. It’s simple, fast, and built into every OS — but it lacks central oversight, which makes it risky for sensitive data. Most firms pair it with RBAC or MAC for stronger control.
How Discretionary Access Control Works
Essentially, DAC follows a clear flow: the owner creates a resource, sets the rules, and the system enforces them. So here’s how it plays out step by step.
The DAC Access Flow
This flow is fast and simple. As a result, discretionary access control is the default model for most file systems, cloud storage, and collaboration tools. But the trade-off is clear: the owner is the only gatekeeper — and if they make a mistake, there’s no central policy to catch it. That’s why firms that handle sensitive data always pair DAC with a stronger model that adds oversight and audit trails.
Key Parts of DAC
- Access Control List (ACL): The list that stores who can access a resource and at what level (read, write, delete). Every DAC system uses ACLs as the core data structure for managing access.
- Owner: The user who created the resource. The owner has full control — including the right to share, change, or revoke access for anyone else.
- Permissions: The actions a user can take — like read, write, execute, or delete. The owner sets these for each user or group on the ACL.
- Subjects and objects: The subject is the user requesting access. The object is the resource — a file, folder, database, or app. DAC maps subjects to objects through ACLs.
DAC vs MAC vs RBAC
Indeed, discretionary access control is just one model. Here’s how it compares to the other main approaches.
| Feature | DAC (Discretionary) | MAC (Mandatory) | RBAC (Role-Based) |
|---|---|---|---|
| Who Sets Rules? | Resource owner | Central admin / system | Admin assigns roles |
| Flexibility | ✓ High — owner decides | ✕ Low — fixed rules | ◐ Medium — role-based |
| Security Level | ✕ Low — no central control | ✓ High — strict labels | ✓ High — least privilege |
| Scalability | ✕ Hard to scale | ◐ Scales with labels | ✓ Scales well |
| Best For | Small teams, files, personal use | Government, military, classified data | Enterprise, cloud, SaaS |
When to Use DAC — and When Not To
Use discretionary access control for low-risk data, personal files, and small teams where speed and simplicity matter more than strict governance. Don’t use it alone for sensitive data — like health records, financial systems, or classified information. For those, pair it with RBAC for role-based rules, ABAC for context, or MAC for strict, label-based control. In practice, most firms use DAC for everyday files and layer stronger models on top for high-risk systems.
Where Discretionary Access Control Is Used
DAC is everywhere — even if you don’t see it. Here are the most common use cases.
Operating Systems and File Sharing
Windows, Linux, and macOS. In fact, every major OS uses DAC for file and folder access. On Linux, the chmod and chown commands let owners set read, write, and execute rights. In Windows, the security tab on a folder lets you add users and set their access level. Consequently, if you’ve ever changed file sharing settings on your laptop, you’ve used discretionary access control.
Cloud storage. Google Drive, Dropbox, OneDrive, and SharePoint all use DAC. When you share a doc and pick “view only” or “can edit,” that’s DAC. The owner sets the rules, and the platform enforces them. It’s fast and simple — but it’s also easy to over-share by mistake.
Small Teams and Collaboration
Small businesses. Firms with 10-50 users often rely on DAC because it’s built in and needs no extra tools. Similarly, the owner of a project folder can grant access to the team without filing a ticket or waiting for IT. This keeps work moving fast — but it also means there’s no central view of who has access to what. For firms under 50 users, this is often fine. But as the team grows, the lack of oversight turns into a growing blind spot that’s harder to fix over time.
Collaboration platforms. Likewise, Slack channels, Facebook groups, and shared drives all use a form of DAC. The creator or admin of the space decides who can join, post, or view. This works well for casual or low-risk content — but not for data that’s regulated or highly sensitive.
How DAC Fits in the Modern Access Stack
Discretionary access control was built for a simpler time — when most users sat in the same office and shared files on a local drive. But the world has changed. Cloud, SaaS, remote work, and zero trust have raised the bar for how firms manage access. So where does DAC fit today?
DAC as a Base Layer
Most firms still use DAC at the file level — for docs, folders, and shared drives. It’s the fastest way to share a file with a teammate. However, for anything beyond casual sharing, modern IAM tools add RBAC for role-based rules, ABAC for context checks, and MFA for identity proof. The key is to keep DAC for what it does well — quick, low-risk sharing — and layer stronger models on top for the rest.
For instance, a marketing team may use Google Drive with DAC for draft blog posts. But the finance team’s payment data lives in an ERP with RBAC and MFA. And the HR system uses ABAC to check that only users on a managed device, during work hours, can view staff records. Each model covers a different layer — and DAC is the simplest one at the base. The key is not to pick one model over another — but to match the right model to the right data. Low-risk files get DAC. High-risk systems get RBAC, ABAC, or MAC. And the IAM platform ties them all together into one view.
DAC and Compliance
On its own, DAC does not meet the needs of HIPAA, GDPR, PCI DSS, or SOC 2. These frameworks require central policies, audit trails, least privilege, and regular access reviews — none of which DAC provides by default. However, when DAC is paired with IAM, SIEM, and provisioning tools, it can work within a compliant setup. The key rule: never use DAC as the only model for regulated data. Always layer stronger controls on top — and log every access event for proof. The firms that pass audits are the ones that use DAC for speed and ease, but wrap it in RBAC, MFA, and SIEM for the data that matters most.
Common DAC Mistakes
Discretionary access control is simple — but that simplicity can lead to real problems. Here are the most common mistakes.
Sharing and Permission Mistakes
Over-sharing by default. Unfortunately, users often grant “edit” or “full control” when “view only” would be enough. Over time, this leads to privilege creep — where users have far more access than they need. Instead, set the most limited access first and only add more when it’s truly needed.
Forgetting to revoke access. Similarly, when a team member leaves a project or the company, their access should be pulled right away. But in DAC, the owner must do this by hand — and if they forget, the stale access stays open. Automate deprovisioning where you can, and remind owners to review their ACLs on a set schedule.
Governance and Visibility Mistakes
No central oversight. Naturally, in DAC, each owner sets their own rules. There’s no central dashboard, no policy engine, and no audit trail by default. This makes it hard to answer basic questions — like “who has access to our customer data?” — and even harder to prove compliance. So if you use DAC, add monitoring tools that log access events and flag unusual changes.
Using DAC for sensitive data. Above all, DAC should never be the only model protecting health records, financial data, or classified systems. These need RBAC, MAC, or ABAC — with central policies, least privilege, and audit trails. Using DAC alone for regulated data is a compliance risk and a breach waiting to happen.
HIPAA, GDPR, PCI DSS, and SOC 2 all require central access controls, audit trails, and least privilege. Discretionary access control doesn’t provide these on its own. If you handle regulated data, layer RBAC, ABAC, or MAC on top — and log every access event for compliance.
Pros and Cons of Discretionary Access Control
Ultimately, DAC is the simplest model — but simplicity has a cost. Here’s the trade-off.
Discretionary Access Control Best Practices
Here are the discretionary access control best practices that help you use the model safely.
First, set the most limited access by default. Don’t give “edit” or “full control” unless the user truly needs it. Start with “view only” and add more access only when asked. Because least privilege is the simplest way to cut risk in a DAC setup — and it costs nothing to enforce.
Then, review ACLs on a set schedule. Ask owners to check their access lists at least once a quarter. Remove users who no longer need access. And flag any resource that has more than 10 users on its ACL — because a large list is a sign of over-sharing.
Add Layers and Oversight
Pair DAC with RBAC or MAC for sensitive data. Use DAC for everyday files and low-risk content. But for health records, financial data, or admin systems, layer RBAC or MAC on top. This gives you central control where it matters most — without losing the speed and ease of DAC for routine work.
Also, log all access events. Use tools that track who accessed what, when, and from where. Feed these logs into your SIEM or IAM platform. Consequently, you get the audit trail that DAC doesn’t provide on its own — and the data you need for compliance, investigation, and reporting. Without logs, you can’t prove who did what — and you can’t catch threats after the fact.
Finally, train your users. Ultimately, most DAC risks come from human error — over-sharing, stale access, or weak passwords. So teach users how to set the right access level, when to revoke it, and why it matters. Run a short training once a year. And send a reminder each quarter when access reviews are due. Because in DAC, every owner is a gatekeeper — and a well-trained gatekeeper is the best defense you have.
Set most limited access by default. Review ACLs quarterly. Revoke access when users leave or change roles. Pair with RBAC or MAC for sensitive data. Log all access events and feed to your SIEM. Train users on safe sharing. Use authentication and MFA for all accounts. Automate deprovisioning where possible. Align with NIST, HIPAA, GDPR, and zero trust for regulated systems.
Frequently Asked Questions About DAC
More Common Questions About DAC
More Common Questions
DAC and Modern Security Models
Conclusion: Why Discretionary Access Control Still Matters
In short, discretionary access control is the simplest and most common access model in use today. It lets resource owners set the rules — fast, with no admin overhead. It’s built into every OS, cloud drive, and collaboration tool. And for low-risk files and small teams, it works well.
However, DAC is not built for sensitive data, compliance, or scale. It lacks central control, audit trails, and least privilege. So use it where it fits — and pair it with RBAC, MAC, or ABAC where security matters most.
Start now. First, review every ACL on your most sensitive resources. Then set the most limited access as the default. Next, train users on safe sharing and revocation. After that, add RBAC or MAC for regulated systems. Finally, log all access events and feed them to your SIEM. Because discretionary access control is a good tool — but only when it’s used for the right job and paired with the right controls. The firms that use it wisely are the ones that know its limits — and build around them.
References
- NIST — CSRC Security Glossary
- Built In — Built In Security Guide
- One Identity — One Identity Learning Center
Join 1 million+ technology professionals. Weekly digest of new terms, threat intelligence, and architecture decisions.