Discretionary Access Control
– In discretionary access control(DCA), owner of resource decides how it can be shared
– Owner can choose to give read or write access to other users
Discretionary Access Control
Two problems with DAC:
You cannot control if someone you share a file with will no further share the data contained in it
Cannot control “information flow”
In many organizations, a user does not get to decide how certain type of data can be shared
Typically the employer may mandate how to share various types of sensitive data
Mandatory Access Control(MAC) helps address these problems
Mandatory Access Control(MAC) Models
User works in a company and the company decides how data should be shared
Hospital owns patient records and limits their sharing
Regulatory requirements may limit sharing
HIPAA for health information
Military and intelligence agencies:
Data has associated classification level and users are cleared at various levels
– top secret, secret, confidential etc.
– Limits on who can access data at a certain level
User cleared only at secret level should not be able to access top secret data
– Also called multilevel security(MLS)
