LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?

DAC: each resource has an owner who can grant or revoke access. MAC: a central authority hands out access rights — owners don't get a say.

DAC (Discretionary) MAC (Mandatory)
Decision-maker The resource owner A central authority / policy
Flexibility High — owners decide ad-hoc Low — policy-driven
Classic example UNIX file system (chmod) Employee badges granting building zones; classified-document systems
Where it's used General-purpose OSes, file shares, most apps Military, intelligence, classified networks, badge-controlled buildings

Why both exist:

  • DAC is convenient: I made the file, I should decide who reads it. Works for most everyday business contexts.
  • MAC is needed where the owner isn't trusted to make security decisions — e.g. an intelligence analyst can't be allowed to share a classified report with their friend, even if they "own" the document by writing it.

Trade-off: DAC's flexibility is also its weakness — if a malicious owner grants the wrong people access, the system has no way to stop them. MAC's rigidity is also its security — there's no path for an individual to leak data through their own decision.

Tip: SELinux, AppArmor, and Windows MIC (Mandatory Integrity Control) are MAC overlays on top of mostly-DAC OSes — they enforce a policy on top of whatever the file owner says.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026