This library created by MiniTool Tech introduces two types of computer security access controls to you, mandatory access control and discretionary access control. It also provides a complete comparison of the two access controls.
Mandatory Access Control Definition
What is mandatory access control? In computer security, mandatory access control (MAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria. Relying on MAC, operating system (OS) or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.
In the case of OS, a subject is usually a process or thread and objects are constructs like files, directories, shared memory segments, ports (TCP or UDP), as well as input/output (I/O) devices. Subjects and objects each have a set of security attributes.
Whenever a subject tries to access an object, an authorization rule enforced by the system kernel will check those security attributes and determine whether to allow the access or not. Any operation by any subject on any object is tested against the set of authorization rules/policy to decide whether the operation can take place or not.
In the case of the database, the mandatory access control can also apply to the database’s access control mechanism. Yet, in a database, the objects are tables, views, procedures, and so on.
Traditionally, mandatory access control has been closely associated with multilevel security (MLS) and specialized military systems. Under such a condition, MAC implies a high degree of rigor to meet the restriction of MLS systems.
However, mandatory access control has deviated out of the MLS niche and become more mainstream. Recent MAC implementations like SELinux and AppArmor for Linux and mandatory integrity control for Windows allow administrators to focus on problems such as malware and cyberattacks without the rigor or constraints of MLS.
Discretionary Access Control Definition
What is discretionary access control? In computer security, discretionary access control (DAC) refers to a kind of access control to restrict access to objects. It is based on the identity of subjects or groups or both to which they belong.
The controls are discretionary in the sense that a subject with certain access permission can pass that permission, maybe indirectly, onto any other subject unless restricted by mandatory access control.
Usually, discretionary access control is discussed in contrast to mandatory access control. Casually, a system as a whole is considered as “purely discretionary” or “discretionary” access control as a way of expressing that the system lacks MAC.
On the other hand, systems can be said to adopt both mandatory and discretionary access controls at the same time, where DAC refers to one category of access controls that subjects can transfer among each other whereas MAC refers to a second category of access controls imposing constraints upon the first.
Discretionary Access Control vs Mandatory Access Control
What are the differences between discretionary and non-discretionary (mandatory) access control? Continue reading.
1. MAC versus DAC: Permission for Subject Access to Object
With MAC, the security rules are controlled by a security policy administrator centrally. Users don’t have the right to override the policy or grant access to files. Otherwise, access to the files will be restrained.
MAC-enabled systems allow policy administrators to apply organization-wide security policies. Under mandatory access control, users are not able to override or modify this policy, neither intentionally nor accidentally. This enables security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.
On the contrary, DAC, which also controls the ability of subjects to access objects, endues users the ability to make policy decisions or assign security attributes.
2. Mandatory vs Discretionary Access Control Pros and Cons
Mandatory access control advantages and disadvantages
Advantages
- High-level data protection
- User access rights and object access parameters are manually set up by an administrator
- Good defense against malware and virus
Disadvantages
- Inconvenient for users to access data
- No automatic scalability
- Constant attention is needed for management
Advantages and disadvantages of discretionary access control
Advantages
- Flexible access control policy
- Convenient for users to access files
- Easy management
Disadvantages
- Low security level
- Inconvenient to find access parameters since no centralized access management
![[Warning] Dell Data Protection End of Life & Its Alternatives](https://images.minitool.com/minitool.com/images/uploads/2021/03/dell-data-protection-thumbnail.jpg)
The following is a table comparing discretionary and mandatory access control.
| Access control type | DAC | MAC |
| Access control enforced by | Administrators and users | Administrators and OS |
| Flexibility | Yes | No |
| Scalability | Yes | No |
| Security level | Low | High |
| Maintenance | Easy | Hard |
| Implementation cost | Low | High |
| Easy to use | Yes | No |
| Applied for | Small and mid-sized businesses or similar | Military, government, law enforcement, etc. |
About The Author
Position: Columnist
Helen Graduated from university in 2014 and started working as a tech editor in the same year. Her articles focus on video creation, editing, and conversion. She also has a good knowledge of disk management and data backup & recovery. Through an in-depth exploration of computer technology, Helen has successfully helped thousands of users solve their annoying problems.