Discretionary and Non-Discretionary Access Control Policies

Access Control Policies, Mechanisms, and Models
Access Control Policies, Mechanisms, and Models

Access control policies drive the implementation of access control mechanisms (safeguards) to mitigate risks.

Logical and Physical Access Control

Access control is “the process of granting or denying specific requests:
1) for obtaining and using information and related information processing services; and
2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).”

Source: FIPS 201-2

Access Control Policy

Access Control Policy is “high-level requirements that specify how access is managed and who may access information under what circumstances.”

Source: NIST SP 800-192

Access Control Mechanism

Access control mechanism refers to:
1) “Implementations of formal AC policy such as AC model.” (NIST SP 800-192)
2) “Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information.”

Source: CNSSI 4009-2015

Discretionary Access Control (DAC)

  • Discretion refers to “the freedom to decide what should be done in a particular situation.” (Google Dictionary)
  • “DAC leaves a certain amount of access control to the discretion of the object’s owner or anyone else who is authorized to control the object’s access.” (NIST IR 7316)
  • Discretionary Access Control (DAC) is “an access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following:
    (i) pass the information to other subjects or objects;
    (ii) grant its privileges to other subjects;
    (iii) change security attributes on subjects, objects, information systems, or system components;
    (iv) choose the security attributes to be associated with newly-created or revised objects; or
    (v) change the rules governing access control. Mandatory access controls restrict this capability.”

Non-Discretionary Access Control (NDAC)

In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC).

Source: NIST IR 7316

The following are excerpts from NIST IR 7316:

  • Mandatory access control (MAC) policy means that access control policy decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights.” MAC is just one of the many forms of NDAC, so the central authority is not the critical criteria to distinguish DAC from NDAC.
  • “Although RBAC is technically a form of non-discretionary access control, recent computer security texts often list RBAC as one of the three primary access control policies (the others are DAC and MAC).”
  • Temporal constraints are formal statements of access policies that involve time-based restrictions on access to resources; they are required in several application scenarios. Popular access control policies related to temporal constraints are the history-based access control policies.” The Brewer and Nash model (Chinese Wall) is history-based.

Reply to Lorenzo Leonelli‘s comment on LinkedIn

The taxonomy of access control is challenging because the distinction between access control “policies” and access control “mechanisms” is often ignored. My diagram in this post doesn’t strictly distinguish the two either. DAC and NDAC (MAC, RBAC, TBAC) are access control policies, while rule-based and attributes-based access controls are access control mechanisms, but I mixed them in the diagram.

The rule-based access control mechanism can support both DAC and NDAC policies. The DAC policy is often implemented by identity-based mechanisms, e.g., the object’s ACL and the subject’s capability list/table. MAC can be rule-based, lattice-based, or based on other mechanisms. RBAC is quite interesting; NIST IR 7316 introduces it in both the policy and mechanism sections.


Leave a Reply