Who ultimately decides access permissions in a Discretionary Access Control (DAC) system?

Sample the CISSP Domain 5 Identity and Access Management Test. Study with flashcards and multiple choice questions for exam readiness. Enhance your knowledge and skills!

In a Discretionary Access Control (DAC) system, the ultimate authority to decide access permissions resides with the system owners. This approach allows owners of data or resources to control who has access to their information and what type of access they can have. System owners assess and determine access rights based on their discretion, which is a core characteristic of DAC.

A key point of DAC is the flexibility it provides to resource owners, empowering them to grant or restrict access to their files. This contrasts with other access control models, such as Mandatory Access Control (MAC), where permissions are preset by administrative policies and users have no discretion in modifying them.

While system administrators may enforce these permissions technically and ensure compliance with security policies, they do not themselves have the authority to set permissions for the data unless explicitly delegated by the owners. External auditors typically do not decide access but evaluate whether the policies and access controls are effective and compliant. Although all users may have the ability to request access, they do not control or determine the permissions for assets they do not own.
