discretionary access control (DAC)

1. [A] means of restricting access to objects based on the identity and need-to-know of users and/or groups to which the object belongs. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject. Synonym surrogate access. [INFOSEC-99].

2. Access control based on access rights granted by users other than the System Security Officer [CESG].
   Note:
   [1] Normally enforced by reference to the identity of users and the groups to which they belong.
   [2] A subject with an access right may pass it to another subject, unless
       a. prevented by Mandatory Access Control or
       b. constrained from so doing by an explicit System Security Policy (perhaps backed up by audit).

3. A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control) [TCSEC].

4. A means of restricting access to objects. The restrictions are discretionary in the sense that the subjects granted/denied access, and the type of access granted/denied, are at the discretion of the object owner. In many systems, the controls are also discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject [POSIX.6].