CertiGuide to Security+
Chapter 1:  General Security Concepts (Domain 1.0; 30%)
1.1  Access Control

1.1.2  Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is based on the user’s identity and the access control rules in effect on the system. DAC is the type of access control most commonly found in the PC and network computing worlds; Windows NT/2000, Linux and UNIX for the most part use DAC. While MAC restricts the copying of data, DAC does not. Instead, DAC leaves decisions like “to copy or not to copy” up to the user’s discretion: if you have read access on a DAC-based system, you can copy the data (for example via copy/paste) if you wish. On a MAC-based system this cannot happen, because the system contains special safeguards against copying sensitive data: any copy a user writes is labelled at least as sensitively as the original, so the copy is protected by the same mandatory rules. Why might this be important? If you were permitted to copy the data as well as view it, you could store it in a separate file you own and set up your own list of users allowed to access it, including users not permitted access to the original file, in violation of the mandatory access control on the data.

One DAC model is owner-based DAC, in which the owner of a resource controls access to it. For example, the owner can grant or deny access to other users, and define exactly what types of access (such as read or write) each of them is permitted.

DAC usually involves an Access Control List (ACL) on each system object (file, device, etc.), which specifies which users can have access to that object, and what type of access (such as read, write or execute) they can have. ACLs offer no protection against malicious programs such as Trojan horses, because such programs typically run with the logged-in user’s permissions. If a user runs a Trojan horse, virus, etc., the program can access, and under DAC can copy and re-share, whatever objects that user is permitted to access. (Refer to 1.5.2)

An alternative to ACLs is to use capability lists for each system user, specifying what resources the user is permitted to access, and the types of access permitted. (Note that the difference is that an ACL is assigned to an object, and a capability list is assigned to a user.) Both are views of the same access matrix, with subjects as rows, objects as columns and the permitted rights in the cells: an ACL is one column of the matrix, and a capability list is one row.
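The owner-based DAC model, the ACL-versus-capability-list distinction, and the "copy it, then share the copy" weakness described above, as an added example that is not part of the CertiGuide text. The users (alice, bob), files, contents and the two-level label lattice are constructed for the example, and the MAC rules are a simplified Bell-LaPadula check (no read up, copies written at the writer's level), not any particular operating system's implementation.

```python
"""Access matrix with ACL and capability views, the DAC copy-and-share leak,
and a MAC-style label check beside it. Added example; all subjects, objects,
labels and contents are constructed, and the MAC rules are a simplified
Bell-LaPadula model rather than a real system's implementation."""

from dataclasses import dataclass, field


@dataclass
class Obj:
    """A system object (e.g. a file). The ACL hangs off the object: it maps
    each subject to the set of rights that subject holds on this object."""
    name: str
    owner: str
    content: str = ""
    label: str = "unclassified"            # only consulted by the MAC checks
    acl: dict = field(default_factory=dict)


class AccessMatrix:
    """Owner-based DAC: whoever creates an object owns it and controls its ACL."""

    def __init__(self):
        self.objects = {}

    def create(self, owner, name, content="", label="unclassified"):
        obj = Obj(name, owner, content, label, {owner: {"own", "read", "write"}})
        self.objects[name] = obj
        return obj

    def grant(self, actor, name, subject, right):
        # Discretionary: only the owner may edit the ACL, but the owner may
        # grant to anyone at all, including users denied on other objects.
        obj = self.objects[name]
        if "own" not in obj.acl.get(actor, set()):
            raise PermissionError(f"{actor} does not own {name}")
        obj.acl.setdefault(subject, set()).add(right)

    def check(self, subject, name, right):
        return right in self.objects[name].acl.get(subject, set())

    def acl(self, name):
        """One column of the matrix: who can do what to this object."""
        return {s: sorted(r) for s, r in self.objects[name].acl.items()}

    def capabilities(self, subject):
        """One row of the matrix: what this subject can do to each object."""
        return {n: sorted(o.acl[subject])
                for n, o in self.objects.items() if subject in o.acl}


def dac_copy_and_share(m, actor, src, dst, recipient):
    """What a user, or a Trojan horse running as that user, can do under DAC:
    read src, write the bytes into a new object the actor owns, then grant the
    recipient read on the copy. Returns what the recipient can now read."""
    if not m.check(actor, src, "read"):
        raise PermissionError(f"{actor} cannot read {src}")
    m.create(actor, dst, content=m.objects[src].content)   # copy is a fresh object
    m.grant(actor, dst, recipient, "read")
    return m.objects[dst].content if m.check(recipient, dst, "read") else None


# --- MAC beside it: labels are mandatory and override the ACL --------------
LEVELS = {"unclassified": 0, "secret": 1}                 # constructed lattice
CLEARANCE = {"alice": "secret", "bob": "unclassified"}    # constructed subjects


def dominates(subject, label):
    return LEVELS[CLEARANCE[subject]] >= LEVELS[label]


def mac_read(m, subject, name):
    """Simple security property ("no read up"), checked before the ACL."""
    obj = m.objects[name]
    if not dominates(subject, obj.label) or not m.check(subject, name, "read"):
        return None
    return obj.content


def mac_copy_and_share(m, actor, src, dst, recipient):
    """Same steps as the DAC version, but the copy is written at the actor's
    own level, which is at least the source label ("no write down"), so the
    label follows the data and the recipient's clearance is checked on read."""
    if mac_read(m, actor, src) is None:
        raise PermissionError(f"{actor} cannot read {src}")
    copy_label = CLEARANCE[actor]            # label floats up to the writer's level
    m.create(actor, dst, content=m.objects[src].content, label=copy_label)
    m.grant(actor, dst, recipient, "read")   # the discretionary grant still happens...
    return mac_read(m, recipient, dst)       # ...but the mandatory check wins


def demo():
    dac = AccessMatrix()
    dac.create("alice", "secret.txt", content="payroll data", label="secret")
    leaked = dac_copy_and_share(dac, "alice", "secret.txt", "copy.txt", "bob")

    mac = AccessMatrix()
    mac.create("alice", "secret.txt", content="payroll data", label="secret")
    blocked = mac_copy_and_share(mac, "alice", "secret.txt", "copy.txt", "bob")
    return {"bob_reads_under_dac": leaked, "bob_reads_under_mac": blocked,
            "acl_of_copy": dac.acl("copy.txt"),
            "bob_capabilities": dac.capabilities("bob")}


if __name__ == "__main__":
    print(demo())
```

Under DAC, bob never gains a right on secret.txt, yet he ends up reading its contents through copy.txt, and nothing in the ACL model can distinguish alice doing this deliberately from a Trojan horse doing it with her permissions. On a real UNIX or Linux system the same sequence is simply `cp secret.txt ~/copy.txt` followed by `chmod o+r ~/copy.txt`. Under the MAC check the copy carries the secret label, so bob's discretionary read grant is ignored.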

DAC

DAC models include owner-based, access matrix, centralized, decentralized or distributed. DAC is often implemented via ACLs. An ACL specifies the types of access different users can have to an object. ACLs are not a defense against Trojan horse programs.








CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.