In IT security, controlling who can access specific data or resources is essential. Two of the most widely used access control models are Discretionary Access Control (DAC) and Mandatory Access Control (MAC).
- Access control decides who can access what and how.
- DAC gives control to the data owner, while MAC uses strict system-enforced rules.
- DAC is flexible but less secure; MAC is rigid but highly secure.
- Choosing the right model depends on security needs and environmental sensitivity.
What is DAC?
Discretionary Access Control (DAC) allows the owner of a resource to decide who can access it.
- Identity-based access (username/password).
- Resource owners control permissions.
- Access can be easily shared or transferred.
- More flexible but less secure.
Example:
On Instagram, if you post a story and tag someone, they can repost it to their followers. You (the owner) decide who gets access. That is DAC.

What is MAC?
Mandatory Access Control (MAC) enforces access based on strict security policies set by the system or administrator.
- Controlled by the system, not the user.
- Based on user clearance and security levels.
- Rules cannot be modified by regular users.
- Highly secure, used in sensitive environments.
Example:
Posting a story to “Close Friends.” Only the selected group can view it, and no one can repost it. Instagram controls that rule, not you. That is MAC.

Differences Between DAC and MAC
DAC offers ease and flexibility for general use, while MAC ensures strict, high-security environments like military and government systems.
| DAC (Discretionary Access Control) | MAC (Mandatory Access Control) |
|---|---|
| Owner decides who can access resources. | System/admin strictly controls access. |
| Permissions can be shared or transferred by users. | Permissions cannot be changed or shared by users. |
| More flexible and easy to manage. | Very strict with rigid policies. |
| Lower security; depends on user judgment. | High security; enforced by system-level rules. |
| Suitable for everyday/commercial environments. | Used in military, govt., and high-security areas. |
| Based on user identity (username/password). | Based on security levels and clearances. |
| Vulnerable to misuse or malware spreading. | Prevents unauthorized access and data leakage. |
| Simple to implement and cost-effective. | Complex to implement and maintain. |
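To make the table concrete, here is an added example (not code from the original article) that simulates both models on the same small scenario. The DAC side keeps an access control list per resource that the owner fills in and that holders of a "share" right may pass on; the MAC side assigns clearances and classification labels that only a security administrator can set, and decides reads and writes with the Bell-LaPadula rules (no read up, no write down). All users, file names and labels are constructed sample data, and the class and function names are this example's own.

```python
"""Added example (not code from the original article): a small simulation of
DAC versus MAC access decisions. Users, files and labels are constructed sample data."""
from dataclasses import dataclass, field

# ---------------- DAC: the owner holds the ACL and may delegate ----------------
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


class DacSystem:
    def __init__(self):
        self.resources = {}

    def create(self, name, owner):
        # The owner starts with full rights, including the right to share
        self.resources[name] = DacResource(owner, {owner: {"read", "write", "share"}})

    def grant(self, grantor, name, grantee, perms):
        """Owner may grant anything; other users may pass on only rights they hold,
        and only if they also hold 'share'. Returns True if the grant was applied."""
        res = self.resources[name]
        perms = set(perms)
        if grantor != res.owner:
            held = res.acl.get(grantor, set())
            if "share" not in held or not perms <= held:
                return False
        res.acl.setdefault(grantee, set()).update(perms)
        return True

    def check(self, user, name, perm):
        return perm in self.resources[name].acl.get(user, set())


# ------------- MAC: system-enforced labels (Bell-LaPadula style) -------------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


class MacSystem:
    def __init__(self, admin):
        self.admin = admin
        self.clearance = {}  # user -> level name
        self.label = {}      # object -> level name

    def set_clearance(self, actor, user, level):
        if actor != self.admin:
            return False     # ordinary users cannot change clearances
        self.clearance[user] = level
        return True

    def label_object(self, actor, obj, level):
        if actor != self.admin:
            return False     # ordinary users cannot relabel objects
        self.label[obj] = level
        return True

    def check(self, user, obj, perm):
        c = LEVELS[self.clearance[user]]
        o = LEVELS[self.label[obj]]
        if perm == "read":
            return c >= o    # simple security property: no read up
        if perm == "write":
            return c <= o    # *-property: no write down
        return False


def demo():
    """Run both models on the same constructed scenario and return the decisions."""
    dac = DacSystem()
    dac.create("report.txt", "alice")
    dac.grant("alice", "report.txt", "bob", {"read", "share"})
    results = {
        "dac_bob_reads": dac.check("bob", "report.txt", "read"),
        "dac_bob_shares_to_carol": dac.grant("bob", "report.txt", "carol", {"read"}),
        "dac_bob_grants_write": dac.grant("bob", "report.txt", "carol", {"write"}),
        "dac_carol_shares_to_dave": dac.grant("carol", "report.txt", "dave", {"read"}),
    }
    mac = MacSystem(admin="security_admin")
    mac.set_clearance("security_admin", "alice", "SECRET")
    mac.set_clearance("security_admin", "bob", "CONFIDENTIAL")
    mac.label_object("security_admin", "plan.doc", "SECRET")
    mac.label_object("security_admin", "memo.txt", "CONFIDENTIAL")
    results.update({
        "mac_bob_reads_secret": mac.check("bob", "plan.doc", "read"),
        "mac_alice_reads_secret": mac.check("alice", "plan.doc", "read"),
        "mac_alice_writes_down": mac.check("alice", "memo.txt", "write"),
        "mac_bob_writes_up": mac.check("bob", "plan.doc", "write"),
        "mac_bob_relabels": mac.label_object("bob", "plan.doc", "UNCLASSIFIED"),
    })
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

Running the script shows the row-by-row contrast from the table: under DAC, Bob can pass his read right on to Carol because Alice chose to give him "share", and the chain of delegation stops only where a user lacks that right; under MAC, Bob can never read the SECRET document however much Alice wants to help, Alice cannot write SECRET material into a CONFIDENTIAL file, and Bob's attempt to relabel the document is refused because only the administrator sets labels.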