DAC vs MAC: Mastering CISSP Access Control Models
Discretionary Access Control (DAC) allows resource owners to manage permissions, offering high flexibility but lower security. Mandatory Access Control (MAC) uses system-enforced labels and security clearances for strict, non-discretionary access. While DAC is common in commercial OSs, MAC is essential for high-security environments where data confidentiality is paramount.
What exactly is Discretionary Access Control (DAC)?
In the world of the CISSP, you'll encounter Discretionary Access Control (DAC) as the most flexible—and often most vulnerable—model. The core idea here is that the 'owner' of the data has the discretion to decide who gets access. If you create a folder on your Windows laptop and share it with a colleague, you are practicing DAC. You are the owner, and you're granting permissions based on your own judgment.
While this flexibility is great for productivity, it's a nightmare for strict security auditing. The biggest risk with DAC is 'permission creep,' where users accumulate access rights over time that they no longer need. From an exam perspective, remember that DAC relies heavily on Access Control Lists (ACLs). Because permissions are managed by users rather than a central authority, it is the model most susceptible to Trojan horses, as a malicious program can inherit the owner's permissions to modify files.
Why is Mandatory Access Control (MAC) so much more rigid?
Mandatory Access Control (MAC) is the polar opposite of DAC. Here, the system—not the owner—determines who gets access based on security labels. Think of this as the 'military grade' approach. In a MAC environment, every object (file, database, device) has a classification label (e.g., Secret, Top Secret), and every subject (user, process) has a clearance level. Access is granted only if the subject's clearance matches or exceeds the object's label.
This rigidity is intentional. MAC is designed to prevent the unauthorized leakage of information, making it the gold standard for high-security government and defense installations. You'll often see MAC discussed alongside the Bell-LaPadula model, which focuses on confidentiality (no read up, no write down). In a MAC system, even the creator of a file cannot grant access to another user; only the security administrator can change the system-enforced policy.
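The label check and the two Bell-LaPadula rules described above, as an added example that is not part of the original article. The subjects, objects and the `ReferenceMonitor` class are hypothetical, and the four-level ordering is an assumption built from the labels the text mentions.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class ReferenceMonitor:
    """Toy MAC kernel: every decision comes from labels, never from the owner."""

    def __init__(self, security_admin):
        self.security_admin = security_admin
        self.clearance = {}  # subject -> Level
        self.label = {}      # object  -> Level

    def relabel(self, caller, obj, level):
        # Only the security administrator may change the policy, not the creator.
        if caller != self.security_admin:
            raise PermissionError(f"{caller} may not relabel {obj}")
        self.label[obj] = level

    def can_read(self, subject, obj):
        # Simple security property: no read up.
        return self.clearance[subject] >= self.label[obj]

    def can_write(self, subject, obj):
        # *-property: no write down, so high data cannot flow to a low object.
        return self.clearance[subject] <= self.label[obj]

def demo():
    rm = ReferenceMonitor(security_admin="secadmin")
    rm.clearance.update(alice=Level.SECRET, bob=Level.CONFIDENTIAL)
    rm.relabel("secadmin", "ops_plan", Level.SECRET)         # created by alice
    rm.relabel("secadmin", "newsletter", Level.UNCLASSIFIED)
    try:
        rm.relabel("alice", "ops_plan", Level.CONFIDENTIAL)  # creator tries to share
        owner_override = True
    except PermissionError:
        owner_override = False
    return {
        "alice_reads_ops_plan": rm.can_read("alice", "ops_plan"),        # True
        "bob_reads_ops_plan": rm.can_read("bob", "ops_plan"),            # False
        "alice_writes_newsletter": rm.can_write("alice", "newsletter"),  # False
        "owner_override": owner_override,                                # False
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```

Strict Bell-LaPadula still lets `bob` write up into `ops_plan`, because the model addresses confidentiality only.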
How do DAC and MAC differ in administrative overhead?
When you're analyzing these for the CISSP exam, consider the trade-off between agility and control. DAC has very low initial administrative overhead because the central IT team doesn't have to manage every single file permission—they leave that to the users. However, the long-term overhead is high because auditing thousands of individual ACLs across a network is nearly impossible.
MAC, conversely, requires massive upfront effort. You have to classify every single piece of data and vet every single user for a clearance level before the system even goes live. Once it's running, however, the overhead is predictable because the rules are global and systemic. If you're asked which model is more scalable for a highly regulated environment, MAC is your answer, despite the grueling initial setup. It ensures that the principle of least privilege is enforced by the kernel, not by a distracted employee.
Where does Role-Based Access Control (RBAC) fit in?
If DAC is too loose and MAC is too tight, Role-Based Access Control (RBAC) is the professional middle ground. Instead of assigning permissions to individual users (DAC) or labels (MAC), RBAC assigns permissions to 'roles'—like 'HR Manager' or 'Network Engineer.' You then assign users to those roles. This is the most common model used in modern enterprises because it aligns perfectly with organizational structure.
For your studies, think of RBAC as a non-discretionary model. The user doesn't decide who gets access, but the system isn't using military-style labels either. RBAC significantly reduces administrative overhead compared to DAC because when an employee changes jobs, you simply change their role rather than hunting down every single file they had access to. It provides a structured way to implement the principle of least privilege without the extreme rigidity of a MAC environment.
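An added sketch (not from the original article) of the role indirection described above, plus an audit that flags leftover per-user grants of the kind DAC accumulates as permission creep. The user, the permission strings and the `creep_report` helper are constructed for illustration; the role names come from the text.

```python
# Role -> permissions (constructed sample data; role names follow the article).
ROLE_PERMS = {
    "HR Manager": {"payroll:read", "personnel:read", "personnel:write"},
    "Network Engineer": {"router_cfg:read", "router_cfg:write"},
}

class RBAC:
    def __init__(self, role_perms):
        self.role_perms = role_perms
        self.user_roles = {}  # user -> set of role names

    def assign(self, user, *roles):
        unknown = set(roles) - set(self.role_perms)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles[user] = set(roles)  # replaces, so a job change is one call

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, perm):
        return perm in self.permissions(user)

def creep_report(rbac, acl_grants):
    """Return per-user ACL grants that the user's current roles do not justify."""
    report = {}
    for user, granted in acl_grants.items():
        stale = granted - rbac.permissions(user)
        if stale:
            report[user] = sorted(stale)
    return report

def demo():
    rbac = RBAC(ROLE_PERMS)
    rbac.assign("dana", "HR Manager")
    before = rbac.check("dana", "payroll:read")
    rbac.assign("dana", "Network Engineer")  # dana changes jobs
    after = rbac.check("dana", "payroll:read")
    # Constructed DAC-style grants that owners handed to dana over time.
    acl_grants = {"dana": {"payroll:read", "router_cfg:read"}}
    return before, after, creep_report(rbac, acl_grants)

if __name__ == "__main__":
    print(demo())
```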
Which model provides the strongest security posture?
The answer depends entirely on your security goals. If your primary goal is absolute confidentiality and preventing data exfiltration (the 'Top Secret' scenario), MAC provides the strongest posture. Its system-enforced nature removes the 'human element' of error or malice from the permission process. There is no way for a user to accidentally share a sensitive file with the wrong person because the system will block it regardless of the user's intent.
However, for a standard business, a combination of RBAC and DAC is often more practical. While MAC is the most secure, it can stifle collaboration and slow down operations to a crawl. In a CISSP scenario, if the question mentions 'government,' 'military,' or 'high-security labels,' lean toward MAC. If it mentions 'flexibility,' 'user-managed,' or 'commercial OS,' it's DAC. Understanding this nuance is key to picking the right answer among four very similar-looking options.
How can you master these concepts for the CISSP exam?
Understanding the theory of access control is one thing; applying it to complex, situational exam questions is another. The CISSP exam doesn't just ask you to define DAC; it asks you to choose the best model for a hypothetical company with specific constraints. This is where most candidates struggle—they know the definitions, but they can't apply the logic.
To bridge this gap, we recommend rigorous practice. At Cert Sensei, we provide 1,000 expert-curated ISC2 CISSP practice questions that mirror the actual exam's difficulty. Instead of just giving you a correct answer, we provide detailed expert reasoning for every single response, helping you understand the 'why' behind the 'what.' Plus, our domain-level analytics allow you to see exactly where you're weak—whether it's Access Control or Security Operations—so you can stop wasting time on what you already know and focus on the gaps.
Frequently Asked Questions
Can a single operating system use both DAC and MAC?
Yes. A prime example is SELinux (Security-Enhanced Linux). Linux natively uses DAC (owner/group/others), but SELinux adds a MAC layer on top. Even if a user grants permission via DAC, the SELinux MAC policy can still block the access if the security labels don't match.
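An added model of that layering, not SELinux's own code or policy syntax: the DAC check uses the real owner/group/others mode bits, and the MAC check is a default-deny lookup on the pair (process label, file label). The labels `web_t`, `web_content_t` and `home_t`, the UIDs and the file paths are hypothetical.

```python
import stat

# Mode bits for each DAC class, keyed by the requested operation.
BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH},
}

def dac_allows(proc, f, want):
    """Owner/group/others check against the file's mode bits."""
    if proc["uid"] == f["uid"]:
        cls = "owner"
    elif f["gid"] in proc["gids"]:
        cls = "group"
    else:
        cls = "other"
    return bool(f["mode"] & BITS[cls][want])

def mac_allows(policy, proc, f, want):
    """Default deny: the (process label, file label) pair must be in policy."""
    return want in policy.get((proc["label"], f["label"]), set())

def access(policy, proc, f, want):
    dac, mac = dac_allows(proc, f, want), mac_allows(policy, proc, f, want)
    return {"dac": dac, "mac": mac, "allowed": dac and mac}

# Constructed policy: the web server may only read files labelled web_content_t.
POLICY = {("web_t", "web_content_t"): {"r"}}
WEB = {"uid": 48, "gids": {48}, "label": "web_t"}
FILES = {
    "/srv/www/index.html": {"uid": 0, "gid": 0, "mode": 0o644, "label": "web_content_t"},
    # The owner made this world-readable (chmod 644): DAC now says yes.
    "/home/alice/notes.txt": {"uid": 1000, "gid": 1000, "mode": 0o644, "label": "home_t"},
    "/srv/www/private.html": {"uid": 0, "gid": 0, "mode": 0o600, "label": "web_content_t"},
}

def demo():
    return {path: access(POLICY, WEB, f, "r") for path, f in FILES.items()}

if __name__ == "__main__":
    for path, decision in demo().items():
        print(path, decision)
```

The model leaves out root's ability to bypass DAC; the second file is the case the answer describes, where DAC grants and the label policy still denies.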
Is RBAC considered a form of Mandatory Access Control?
Not exactly. While RBAC is 'non-discretionary' (the user doesn't choose permissions), it lacks the label-based classification and clearance requirements that define MAC. RBAC is based on job function, whereas MAC is based on data sensitivity and trust levels.
Which access control model is most vulnerable to a Trojan horse?
DAC is the most vulnerable. Because DAC permissions are tied to the user's identity, any malicious software running under that user's account inherits all of their permissions, allowing the Trojan to read, modify, or delete any file the user owns.