Quiz Entry - updated: 2026.07.14
What is the difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?
DAC: each resource has an owner who can grant or revoke access. MAC: a central authority hands out access rights — owners don't get a say.
| DAC (Discretionary) | MAC (Mandatory) | |
|---|---|---|
| Decision-maker | The resource owner | A central authority / policy |
| Flexibility | High — owners decide ad-hoc | Low — policy-driven |
| Classic example | UNIX file system (chmod) |
Employee badges granting building zones; classified-document systems |
| Where it's used | General-purpose OSes, file shares, most apps | Military, intelligence, classified networks, badge-controlled buildings |
Why both exist:
- DAC is convenient: I made the file, I should decide who reads it. Works for most everyday business contexts.
- MAC is needed where the owner isn't trusted to make security decisions — e.g. an intelligence analyst can't be allowed to share a classified report with their friend, even if they "own" the document by writing it.
Trade-off: DAC's flexibility is also its weakness — if a malicious owner grants the wrong people access, the system has no way to stop them. MAC's rigidity is also its security — there's no path for an individual to leak data through their own decision.
Tip: SELinux, AppArmor, and Windows MIC (Mandatory Integrity Control) are MAC overlays on top of mostly-DAC OSes — they enforce a policy on top of whatever the file owner says.