Mandatory Access Control vs Discretionary Access Control [MiniTool Wiki]


Mandatory Access Control Definition

What is mandatory access control? In computer security, mandatory access control (MAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria. Under MAC, the operating system (OS) or database constrains the ability of a subject or initiator to access, or generally perform some sort of operation on, an object or target.

In the case of an OS, a subject is usually a process or thread, and objects are constructs like files, directories, shared memory segments, ports (TCP or UDP), and input/output (I/O) devices. Subjects and objects each have a set of security attributes.

Whenever a subject tries to access an object, an authorization rule enforced by the system kernel will check those security attributes and determine whether to allow the access or not. Any operation by any subject on any object is tested against the set of authorization rules/policy to decide whether the operation can take place or not.

Mandatory access control can also apply to a database’s access control mechanism. In a database, the objects are tables, views, procedures, and so on.

Traditionally, mandatory access control has been closely associated with multilevel security (MLS) and specialized military systems. In that context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems.

However, mandatory access control has moved out of the MLS niche and become more mainstream. Recent MAC implementations like SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows allow administrators to focus on problems such as malware and cyberattacks without the rigor or constraints of MLS.


Discretionary Access Control Definition

What is discretionary access control? In computer security, discretionary access control (DAC) is a kind of access control that restricts access to objects based on the identity of subjects, the groups to which they belong, or both.

The controls are discretionary in the sense that a subject with a certain access permission can pass that permission, perhaps indirectly, on to any other subject unless restricted by mandatory access control.

Discretionary access control is usually discussed in contrast to mandatory access control. Informally, a system as a whole is described as “purely discretionary” or “discretionary” to express that it lacks MAC.

On the other hand, systems can be said to adopt both mandatory and discretionary access controls at the same time, where DAC refers to one category of access controls that subjects can transfer among each other whereas MAC refers to a second category of access controls imposing constraints upon the first.
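The combined model described above, as an added example that is not part of the original article: a toy reference monitor in which an owner passes a DAC permission on and the MAC layer still refuses the access. The level names, the class and function names, and the "no read up, no write down" label rule (Bell-LaPadula style) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed MLS-style sensitivity levels; a higher number is more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class Obj:
    name: str
    owner: str
    label: str                               # MAC attribute, set by the policy administrator
    acl: dict = field(default_factory=dict)  # DAC attribute: user -> set of permissions


class ReferenceMonitor:
    def __init__(self, clearances):
        # MAC attribute of subjects (user -> level); users have no API to change it.
        self._clearances = dict(clearances)

    def grant(self, granter, obj, user, perm):
        """DAC: the owner, or a holder of 'grant', may pass a permission on."""
        if granter != obj.owner and "grant" not in obj.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not grant on {obj.name}")
        obj.acl.setdefault(user, set()).add(perm)

    def dac_allows(self, user, obj, perm):
        return user == obj.owner or perm in obj.acl.get(user, set())

    def mac_allows(self, user, obj, perm):
        """MAC: central label rule (assumed: no read up, no write down)."""
        subject, target = LEVELS[self._clearances[user]], LEVELS[obj.label]
        if perm == "read":
            return subject >= target
        if perm == "write":
            return subject <= target
        return False

    def check(self, user, obj, perm):
        """Access needs both layers; MAC constrains whatever DAC handed out."""
        return self.dac_allows(user, obj, perm) and self.mac_allows(user, obj, perm)


def demo():
    # Constructed sample subjects and object.
    rm = ReferenceMonitor({"alice": "secret", "bob": "public"})
    report = Obj("report.txt", owner="alice", label="secret")
    before = rm.check("bob", report, "read")
    rm.grant("alice", report, "bob", "read")  # alice uses her discretion
    return before, rm.dac_allows("bob", report, "read"), rm.check("bob", report, "read")
```

`demo()` returns `(False, True, False)`: the DAC grant succeeds, yet the final decision stays a denial because bob's clearance does not dominate the object's label.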


Discretionary Access Control vs Mandatory Access Control

What are the differences between discretionary and non-discretionary (mandatory) access control? Continue reading.

1. MAC versus DAC: Permission for Subject Access to Object

With MAC, the security rules are controlled centrally by a security policy administrator. Users don’t have the right to override the policy or to grant access to files that the policy would otherwise restrict.

MAC-enabled systems allow policy administrators to apply organization-wide security policies. Under mandatory access control, users are not able to override or modify this policy, either intentionally or accidentally. This enables security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

In contrast, DAC, which also controls the ability of subjects to access objects, gives users the ability to make policy decisions or assign security attributes.


2. Mandatory vs Discretionary Access Control Pros and Cons

Mandatory access control advantages and disadvantages

Advantages

Disadvantages

  • Inconvenient for users to access data
  • No automatic scalability
  • Constant attention is needed for management

Advantages and disadvantages of discretionary access control

Advantages

  • Flexible access control policy
  • Convenient for users to access files
  • Easy management

Disadvantages

  • Low security level
  • Inconvenient to find access parameters since no centralized access management

The following is a table comparing discretionary and mandatory access control.

| Access control type | DAC | MAC |
|---|---|---|
| Access control enforced by | Administrators and users | Administrators and OS |
| Flexibility | Yes | No |
| Scalability | Yes | No |
| Security level | Low | High |
| Maintenance | Easy | Hard |
| Implementation cost | Low | High |
| Easy to use | Yes | No |
| Applied for | Small and mid-sized businesses or similar | Military, government, law enforcement, etc. |