In Non-Discretionary Access Control, who determines access rights?

Sample the CISSP Domain 5 Identity and Access Management Test. Study with flashcards and multiple choice questions for exam readiness. Enhance your knowledge and skills!

In Non-Discretionary Access Control (NDAC), access rights are determined by a central authority based on established policies rather than the discretion of individual users. This approach emphasizes the importance of a structured and consistent method for managing access, which is vital for maintaining security in environments where sensitive data and resources must be protected.

The central authority's role is crucial because it typically implements the organization's access control policies. These policies might be based on the principle of least privilege, job roles, or organizational requirements, ensuring that users receive access rights that align with their responsibilities while minimizing the potential for unauthorized access.

This method contrasts with Discretionary Access Control, where the resource owner has the power to grant or revoke access rights. In NDAC, by delegating the control of access rights to a central authority, organizations can more effectively manage and audit who has access to what resources, thereby increasing overall security and compliance with regulations. Automated systems may support the implementation of these controls but are typically guided by the central authority and established policies rather than deciding access independently.
