Mandatory Access Control vs. Discretionary Access Control: Which to Choose?

Strong access controls are vital for protecting sensitive data and preventing cyberattacks against your organization. However, choosing the right access management model requires thorough consideration. This post breaks down mandatory access control (MAC) and discretionary access control (DAC) with insights into how they differ and when to use each.

Key takeaways:

  • Choosing mandatory access control vs. discretionary access control ultimately depends on your organization’s priorities.
  • MAC is used primarily by government organizations, militaries, and law enforcement, while DAC is a good choice for small businesses with limited IT staff and cybersecurity budgets.
  • The best strategy is to choose a hybrid model, using strict MAC for sensitive data and DAC for less critical resources where flexibility is important.
  • Syteca PAM secures privileged access with just-in-time access provisioning, strong authentication, password management, account discovery, and session monitoring.

Access control models: why are they important?

Access control regulates which users, applications, and devices can view, edit, add, or delete resources within an organization’s environment. Controlling access is one of the key practices for protecting sensitive data from theft, misuse, abuse, and other threats. There are two levels of access control: physical and logical.

Access control levels

Access control helps mitigate both internal and external threats. That’s why IT regulations, laws, and standards, such as NIST, HIPAA, PCI DSS, and others, enforce strict physical and logical access controls. In this article, we discuss models of logical access control.

You can choose from several logical access control models, including mandatory, discretionary, role-based, and attribute-based. Each model has its pros and cons. Later in this article, we’ll review the pros and cons of MAC and DAC. For more on this topic, see our article about the pros and cons of role-based access control and attribute-based access control models.

The process of selecting one of these models differs from organization to organization. The choice of model depends on:

  • The nature of the protected data
  • IT requirements and industry standards
  • The number of employees
  • The cybersecurity budget

Let’s compare MAC vs. DAC models to better understand the real differences between them.

What is mandatory access control?

Mandatory access control (MAC) is a model of access control in which an operating system grants access based on data confidentiality and user clearance levels. In this model, access is granted on a need-to-know basis: users must prove their need for information before gaining access.

MAC is also called a non-discretionary access control model, meaning that access isn’t granted at the discretion of the user or file owner. The MAC model’s control mechanisms enable organizations to implement zero-trust principles.

In comparing DAC vs. MAC, MAC is typically considered the more secure of the two access control models. Access rules in this model are manually defined by system administrators and strictly enforced by the operating system or security kernel. Regular users can’t alter security attributes, even for data they created.

What are the basic principles of MAC?

  1. The utmost privacy and confidentiality of the organization’s resources are paramount. No one has default privileges to access or edit someone’s data.
  2. Access provisioning is centrally administered.
  3. Each individual and resource in the system has security labels with their classification and category.

How mandatory access control (MAC) works

With MAC, the process of gaining access looks like this:

  • The administrator configures access policies and defines security attributes like confidentiality levels and clearances for accessing different projects and resource types.
  • The administrator assigns a set of attributes to each subject (a user or service that accesses data) and object (a file, database, port, etc.).
  • When a subject attempts to access an object, the operating system examines the subject’s security attributes and decides whether access can be granted.
  • To obtain access to the object, the user provides their credentials.

In addition to checking confidentiality and clearance levels (classification matches), operating systems also check category matches between subject and object. Having a “top secret” clearance doesn’t automatically grant access to a file if the user isn’t part of the required category.

Let’s take a look at a real-world example of MAC implementation. Suppose an organization possesses data with a “top secret” confidentiality level and an “engineering project” security label. This data is available only to the set of users with both a “top secret” security clearance (classification) and authorization to access engineering documents (category). These users can also access information that requires a lower level of clearance. At the same time, employees with lower clearance levels or no rights to access engineering documents can’t access such information.
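The classification and category checks from this example can be written out as a small policy model. This is an added illustration, not code from the original article or from any product it mentions; the level names, the `Label` and `MacPolicy` classes, and the sample users and objects are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordered confidentiality levels (constructed for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level}")

    def dominates(self, other):
        """Classification match AND category match, as described above."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


class MacPolicy:
    """Central label store. Labels change only through the admin_* methods;
    nothing here lets a subject relabel an object, even one it created."""

    def __init__(self):
        self._subjects, self._objects = {}, {}

    def admin_label_subject(self, name, level, categories=()):
        self._subjects[name] = Label(level, frozenset(categories))

    def admin_label_object(self, name, level, categories=()):
        self._objects[name] = Label(level, frozenset(categories))

    def can_read(self, subject, obj):
        s, o = self._subjects.get(subject), self._objects.get(obj)
        if s is None or o is None:
            return False  # unlabeled subject or object: deny by default
        return s.dominates(o)


def build_policy():
    """Constructed sample data mirroring the engineering-project example."""
    p = MacPolicy()
    p.admin_label_subject("alice", "top secret", {"engineering"})
    p.admin_label_subject("bob", "top secret")  # clearance but no category
    p.admin_label_subject("carol", "secret", {"engineering"})
    p.admin_label_object("engine-spec", "top secret", {"engineering"})
    p.admin_label_object("supplier-list", "confidential", {"engineering"})
    p.admin_label_object("cafeteria-menu", "public")
    return p
```

Here `bob` holds the highest clearance yet is denied `engine-spec` because he lacks the category, while `carol` has the category but not the clearance; both can still read objects whose labels their own labels dominate.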

MAC offers many benefits to cybersecurity systems, but it also has several disadvantages. Let’s look at the advantages and disadvantages of mandatory access control.

Pros and cons of MAC

Pros

  • High level of data protection — an administrator defines access to objects, and users can’t alter that access.
  • Granularity — an administrator sets user access rights and object access parameters manually.
  • Immunity to Trojan Horse attacks — users can’t declassify data or share access to classified data.
  • Fewer errors — strict, consistently enforced policies reduce system errors that lead to overprivileged users.
  • Strict division — admins divide users into subsets and limit resource exposure for these subsets using security attributes.

Cons

  • Complex maintenance — manual configuration of security levels and clearances requires constant administrator oversight.
  • Manual scalability — MAC doesn’t scale automatically. New users and new data require constant updates to objects and account configurations.
  • Interference with workflow — users have to request access to each new piece of data; they can’t configure access parameters for their own data.

When to use MAC: Real-world use cases

This access control model is used mainly by government organizations, militaries, and law enforcement institutions. The US government uses MAC to secure classified information and to support multilevel security policies and applications. To improve data protection and compliance in the insurance industry and the banking sphere, organizations use MAC to control access to customer account data. MAC can be used to manage access to databases and their objects, like procedures, tables, and views.

It’s reasonable to use MAC in organizations that value data security over operational flexibility and cost. Implementing MAC in corporate environments is rare because of its complexity and inflexibility.

A MAC-only model provides a high level of granular security. On the other hand, it’s difficult to set up and maintain. That’s why it’s common to combine MAC with other access control models.

For example, combining it with a role-based access model speeds up user profile configuration. Instead of defining access rights for each user, an administrator can create user roles. Each organization has users with similar roles and access rights, such as employees with the same job position or third-party vendors. An administrator can configure roles for these groups instead of configuring individual user profiles from scratch each time.

Another popular combination is MAC and the discretionary access control model, or DAC. 

What is discretionary access control?

Discretionary access control is an identity-based access control model that gives users some control over their data. Data owners (document creators or users authorized to control data) can define access permissions for specific users or groups. In other words, the resource owner can decide who gets access and what they can do at their own discretion.

Access permissions for each piece of data are stored in an access-control list (ACL). An administrator creates this list when a user grants access to somebody. The list can be generated automatically. An ACL includes users and groups that may access data, along with their access levels. A system administrator can also enforce an ACL. In this case, the ACL acts as a security policy, and regular users can’t edit or overrule it.

What are the basic principles of DAC?

  1. Object characteristics (size, name, directory path) are invisible to users who aren’t authorized.
  2. Multiple failed access attempts trigger additional authentication (MFA) requirements or deny access.
  3. Users can transfer object ownership to other users. The owner also determines the access type of other users. Based on these access privileges, the operating system decides whether to grant access to a file.

How discretionary access control (DAC) works

Gaining access to a file with DAC works like this:

  • User 1 creates a file and becomes its owner, or obtains access rights to an existing file.
  • User 2 requests access to the file. They provide their credentials: username, password, or something else.
  • User 1 grants access at their discretion. However, User 1 can’t grant access rights that exceed their own. For example, if User 1 can only read a document, they can’t allow User 2 to edit it.
  • If User 1’s decision is consistent with the ACL set by the administrator, access is granted.
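The grant rules in these steps can be modeled in a few lines. This is an added example, not code from the original article; the `DacFile` class, the `who_can` helper, and the user and file names are assumptions, and the model assumes that any user who holds a right may pass it on.

```python
class DacFile:
    """One object with its own ACL, as in the DAC steps above."""

    def __init__(self, name, owner, admin_acl=None):
        self.name = name
        self.acl = {owner: {"read", "write"}}  # creator becomes owner
        # Optional administrator-enforced ACL: the most each user may hold.
        self.admin_acl = admin_acl

    def grant(self, grantor, grantee, rights):
        rights = set(rights)
        if not rights <= self.acl.get(grantor, set()):
            return False  # cannot grant rights that exceed the grantor's own
        if self.admin_acl is not None and \
                not rights <= self.admin_acl.get(grantee, set()):
            return False  # inconsistent with the administrator's ACL
        self.acl.setdefault(grantee, set()).update(rights)
        return True


def who_can(files, right):
    """No central view exists, so walk every ACL to answer 'who can X?'."""
    return {f.name: sorted(u for u, r in f.acl.items() if right in r)
            for f in files}


def demo():
    """Constructed scenario; user and file names are illustrative."""
    report = DacFile("q3-report.docx", owner="user1")
    payroll = DacFile("payroll.xlsx", owner="user1",
                      admin_acl={"user1": {"read", "write"}, "hr": {"read"}})
    results = {
        "share_read": report.grant("user1", "user2", {"read"}),
        "escalate": report.grant("user2", "user3", {"write"}),
        "reshare": report.grant("user2", "user3", {"read"}),
        "vs_admin_acl": payroll.grant("user1", "user2", {"read"}),
        "allowed_by_admin": payroll.grant("user1", "hr", {"read"}),
    }
    return results, who_can([report, payroll], "read")
```

The `reshare` case succeeds even though `user1` never approved `user3`, which is why an audit of DAC permissions has to enumerate every ACL, as `who_can` does.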

Discretionary access control is widely used because it gives users flexibility without adding much administrative burden. However, it comes with considerable limitations.

Pros and cons of DAC

Pros

  • User-friendly — Users can manage their data and quickly access the data of other users.
  • Flexible — Users can configure data access parameters without administrators.
  • Easy to maintain — Adding new objects and users doesn’t take much time for the administrator.
  • Granular — Users can configure access parameters for each piece of data.

Cons

  • Low level of data protection — DAC can’t ensure reliable security because users can share their data however they like.
  • Obscure access management — There’s no centralized access management, so in order to find out access parameters, you have to check each ACL.
  • Overlay of user privileges — A permissions conflict may occur for users of multiple nested workgroups.

When to use DAC: Real-world use cases

DAC shouldn’t be used by organizations that work with extremely sensitive data (medical, financial, military, etc.) for several reasons:

  • If User 1 shares access rights with User 2, there’s no guarantee that User 2 needs this access for their work, won’t steal or corrupt data, and won’t grant access to a malicious user.
  • Information flows within the network are hard to fully control and monitor.
  • Consistently applying least privilege, need-to-know, and separation of duties principles can be complex or impossible.

At the same time, DAC is a solid choice for small businesses with limited IT staff and cybersecurity budgets. It enables information sharing and ensures smooth business operations. When applied in an organization with 10–20 employees, DAC presents less complexity and fewer oversight challenges than when used in organizations with hundreds or thousands of employees.

MAC vs. DAC: Comparison table

Below, we review the key characteristics of both models to help you easily grasp the differences between DAC and MAC.

DAC and MAC differences

| Characteristic | MAC | DAC |
|---|---|---|
| Who enforces access control | Administrators and the operating system | Administrators and users |
| Form of access control policy | Confidentiality levels and clearances | Access-control lists with user identities |
| Flexibility | | |
| Scalability | | |
| Simplicity | | |
| Maintenance | Hard | Easy |
| Implementation cost | High | Low |
| Granularity | High (admins adjust clearances for each user and object manually) | High (users can assign access rights to any other user or group) |
| Ease of use | | |
| Security level | High | Low |
| Useful for | Government, military, law enforcement | Small and medium-sized companies |
| Trusted users | Only administrators | All users |
| Baseline for gaining access decisions | Tasks and objects that have their own IDs | Ownership and user IDs |

This comparison of DAC vs. MAC access control models demonstrates that they differ in almost every respect and suit different kinds of organizations. DAC works well for organizations that require flexibility and user-friendly workflows. On the other hand, MAC is better suited for organizations that handle highly sensitive data.

Implement flexible and auditable access management with Syteca

In comparing DAC and MAC, we can clearly see that they fall on opposite ends of the access control spectrum. MAC is controlled by administrators and requires lots of time and effort to maintain, but it provides a higher level of security. DAC is much easier to implement and maintain, as users can manage access to their own data. However, DAC is less effective at protecting sensitive records.

When it comes to opting for mandatory vs. discretionary access control, many organizations find they need aspects of both access control models. The flexibility, scalability, and simplicity of DAC are important for creating simple, uninterrupted workflows. At the same time, organizations might need the high level of security and granularity offered by the MAC model.

Syteca is a next-gen privileged access management (PAM) platform with built-in identity threat detection and response (ITDR) that offers a wide range of capabilities for security and flexibility of access governance, including:

  • Privileged account discovery. Detect unmanaged privileged accounts across your IT environment to reduce blind spots.
  • Endpoint access management. Enable secure access to your organization’s endpoints, restricting permissions to only what is necessary, when it is necessary.
  • Agentless remote access. Provide secure, browser-based access to your systems, reducing deployment complexity while maintaining full control over connections.
  • Access request and approval workflows. Enable your admins to manually approve user access requests to protect your highly sensitive assets.
  • Two-factor authentication. Validate user identities through one-time passcodes before granting them access to internal resources.
  • Secondary authentication. Require users to complete additional verification after logging in to distinguish their activity on shared accounts.
  • Password management. Automate password provisioning and rotation, and enable employees to create and share secrets safely.
  • Privileged session management. Monitor and record privileged user sessions to ensure users handle your sensitive data securely. 
  • Notifications on suspicious activity. Get instant notifications about abnormal user activity across your endpoints to identify risks before they escalate.
  • Automated incident response. Immediately contain threats and enforce security actions via rule-based responses.

Syteca is easy to deploy and seamlessly integrates with your existing infrastructure, helping you enhance access control without disrupting operations.

If you’re looking for an easy-to-manage system to protect your organization against modern threats, Syteca can support you every step of the way.
