A Look At Discretionary Access Control

When it comes to protecting your business, access control is one of the best ways for you to achieve peace of mind as a business owner. Access control is much more than just allowing people to access your building, however. Access control is an effective method of selective restriction: it guarantees that users who access a system are who they say they are and that they have the appropriate authorization to view company data.

Discretionary Access Control for Your Business

Without access control, there is no data security. In order to effectively protect your company’s data, your access control policy should address a few critical questions.

  • Who should access your company’s data?
  • How do you make sure those who attempt access have actually been granted that access?
  • Under which circumstances do you deny access to a user with access privileges?

While there are various types of access control, in this article we are specifically going to discuss discretionary access control and how it can better help you to monitor who is accessing your facility and the data within your organization.

What is Discretionary Access Control?

Discretionary access control (DAC) is a type of access control that grants or restricts access via an access policy determined by an owner group(s), and it is commonly referred to as a “need-to-know” access model. In a DAC system, users are supplied with credentials for authentication, such as usernames and passwords. Access is typically discretionary because the owner can transfer authenticated access to other users.

DAC is a means of assigning access rights based on specific rules. In other words, the data owner determines access. The least restrictive model compared to other access control methods, Discretionary Access Control (DAC) allows authorized individuals complete control over any objects they own, as well as the programs associated with those objects.

Typical DAC attributes include:

  • Users may determine the access type of other users and transfer object ownership to another user(s).
  • After several incorrect attempts, user access is restricted.
  • Unauthorized users are blind to object characteristics (file size, file name, directory path, etc.).

Implementing Discretionary Access Control in Your Organization

In its purest form, discretionary access control is only restricted by the owner’s willingness to practice safe sharing of company data. Discretionary access control is often a good choice for small businesses without an IT staff because it offers simplicity and convenience as it is the least restrictive access control model. DAC allows a handful of users to share information throughout their day, allowing for smooth operation of the business, which is an important thing to keep in mind when considering an access control system.

However, for larger companies with hundreds or thousands of users, discretionary access control has its drawbacks, such as lack of complexity, onboarding, and termination controls.

Discretionary access control also gives the end user complete control to set security level settings for other users, and the permissions given to the end user are inherited by other programs they use, which could potentially lead to malware being executed without the end user being aware of it.

Job changes under this access control system can also potentially result in “privilege creep”: the retention of rights and permissions associated with a previous position that may not be appropriate for the new position.
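The DAC behaviour described above can be sketched as a toy model. This is an added example, not code from the original article or any product: it shows owner-only grants and ownership transfer, object characteristics hidden from unauthorized users, a program inheriting the rights of the user who launched it, and a simple privilege-creep audit. All class, function, user, and file names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    owner: str
    size: int
    acl: dict = field(default_factory=dict)   # user -> set of rights

class DacStore:
    """Toy DAC model (constructed): the object's owner alone decides access."""
    def __init__(self):
        self.objects = {}

    def create(self, user, name, size):
        self.objects[name] = Obj(user, size, {user: {"read", "write"}})

    def _owned(self, actor, name):
        obj = self.objects[name]
        if actor != obj.owner:                # discretion belongs to the owner
            raise PermissionError(f"{actor} does not own {name}")
        return obj

    def grant(self, actor, name, user, rights):
        self._owned(actor, name).acl.setdefault(user, set()).update(rights)

    def transfer(self, actor, name, new_owner):
        self._owned(actor, name).owner = new_owner

    def stat(self, user, name):
        # Unauthorized users get the same answer as for a missing object.
        obj = self.objects.get(name)
        if obj is None or "read" not in obj.acl.get(user, set()):
            return None
        return {"name": name, "size": obj.size, "owner": obj.owner}

    def run_as(self, user, program):
        # A program inherits the full authority of the user who launched it.
        return program(self, user)

def stale_grants(store, user, needed):
    """Privilege-creep audit: objects user can reach that the current job does not need."""
    return sorted(n for n, o in store.objects.items()
                  if o.acl.get(user) and n not in needed)

def demo():
    s = DacStore()
    s.create("alice", "payroll.xlsx", 4096)   # constructed sample data
    s.grant("alice", "payroll.xlsx", "bob", {"read"})
    # A tool alice runs can re-share her file without asking her.
    s.run_as("alice", lambda st, u: st.grant(u, "payroll.xlsx", "carol", {"read"}))
    return s
```

The re-share inside `run_as` succeeds because the model cannot tell the owner's own decision apart from an action taken by a program running under her account.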

Regardless of the access control approach you decide on for your company, the objectives remain the same for each: verification of identity, effective authorization, and accountability for all actions taken against sensitive information and critical systems.

For more information about access control and how it can help make your Kansas City business more secure, contact the team at TED Systems today.
