Mandatory Access Control vs Discretionary Access Control [MiniTool Wiki]
Mandatory Access Control Definition
What is mandatory access control? In computer security, mandatory access control (MAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria. With MAC, an operating system (OS) or database constrains the ability of a subject or initiator to access, or otherwise perform some operation on, an object or target.
In the case of an OS, a subject is usually a process or thread, and objects are constructs like files, directories, shared memory segments, ports (TCP or UDP), and input/output (I/O) devices. Subjects and objects each have a set of security attributes.
Whenever a subject tries to access an object, an authorization rule enforced by the system kernel will check those security attributes and determine whether to allow the access or not. Any operation by any subject on any object is tested against the set of authorization rules/policy to decide whether the operation can take place or not.
Mandatory access control can also apply to a database's access control mechanism. In a database, the objects are tables, views, procedures, and so on.
Traditionally, mandatory access control has been closely associated with multilevel security (MLS) and specialized military systems. In that context, MAC implies a high degree of rigor to meet the constraints of MLS systems.
However, mandatory access control has moved out of the MLS niche and become more mainstream. Recent MAC implementations like SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows allow administrators to focus on problems such as malware and cyberattacks without the rigor or constraints of MLS.
Discretionary Access Control Definition
What is discretionary access control? In computer security, discretionary access control (DAC) is a kind of access control that restricts access to objects based on the identity of subjects, the groups to which they belong, or both.
The controls are discretionary in the sense that a subject with a certain access permission can pass that permission, perhaps indirectly, on to any other subject unless restricted by mandatory access control.
Discretionary access control is usually discussed in contrast to mandatory access control. Informally, a system as a whole is described as having “discretionary” or “purely discretionary” access control as a way of saying that it lacks MAC.
On the other hand, systems can be said to adopt both mandatory and discretionary access controls at the same time, where DAC refers to one category of access controls that subjects can transfer among each other whereas MAC refers to a second category of access controls imposing constraints upon the first.
Discretionary Access Control vs Mandatory Access Control
What are the differences between discretionary and non-discretionary (mandatory) access control? Continue reading.
1. MAC versus DAC: Permission for Subject Access to Object
With MAC, the security rules are controlled centrally by a security policy administrator. Users cannot override the policy and, for example, grant access to files that would otherwise be restricted.
MAC-enabled systems allow policy administrators to apply organization-wide security policies. Under mandatory access control, users are not able to override or modify this policy, either intentionally or accidentally. This enables security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.
In contrast, DAC, which also controls the ability of subjects to access objects, gives users the ability to make policy decisions or assign security attributes.
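The interaction described above, where an owner's discretionary grant is still subject to the central mandatory policy, can be modeled in a few lines. This is an added example, not code from the original page; the level names, users, file name and the simple multilevel rule (no read above clearance, no write below it) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed sensitivity levels (assumption): a higher number is more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Subject:
    name: str
    clearance: str  # MAC attribute, set only by the policy administrator

@dataclass
class Obj:
    name: str
    owner: str
    label: str  # MAC attribute, set only by the policy administrator
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of rights

def dac_grant(granter, obj, grantee, right):
    """DAC: only the owner can pass a right on, and does so at will."""
    if granter.name != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(right)
    return True

def mac_allows(subj, obj, right):
    """Illustrative MLS rule: no read above clearance, no write below it."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.label]
    return s >= o if right == "read" else s <= o if right == "write" else False

def check_access(subj, obj, right):
    """Every access passes both checks; a DAC grant cannot override MAC."""
    if subj.name != obj.owner and right not in obj.acl.get(subj.name, set()):
        return "denied by DAC"
    if not mac_allows(subj, obj, right):
        return "denied by MAC"
    return "allowed"

def demo():
    alice, bob, carol = (Subject("alice", "secret"),
                         Subject("bob", "confidential"),
                         Subject("carol", "secret"))
    report = Obj("report.txt", owner="alice", label="secret")
    results = [check_access(bob, report, "read")]       # no ACL entry yet
    dac_grant(alice, report, "bob", "read")             # owner shares the file
    dac_grant(alice, report, "carol", "read")
    results.append(check_access(bob, report, "read"))   # label outranks clearance
    results.append(check_access(carol, report, "read"))
    return results

if __name__ == "__main__":
    print(demo())
```

Bob's request fails both before and after the owner's grant, but for different reasons: first the ACL, then the label check that no user can change.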
2. Mandatory vs Discretionary Access Control Pros and Cons
Mandatory access control advantages and disadvantages
- High-level data protection
- User access rights and object access parameters are manually set up by an administrator
- Good defense against malware and viruses
- Inconvenient for users to access data
- No automatic scalability
- Constant attention is needed for management
Advantages and disadvantages of discretionary access control
- Flexible access control policy
- Convenient for users to access files
- Easy management
- Low security level
- Inconvenient to find access parameters since no centralized access management
The following is a table comparing discretionary and mandatory access control.
| Access control type | DAC | MAC |
|---|---|---|
| Access control enforced by | Administrators and users | Administrators and OS |
| Easy to use | Yes | No |
| Applied for | Small and mid-sized businesses or similar | Military, government, law enforcement, etc. |