Discretionary Access Control (DAC) is an access control mechanism based on privileges.
Access Control Based on Privileges or Discretionary Access Control
• Types of discretionary privileges: The DBMS must provide selective access to each relation in the database based on specific accounts. These selective access rights are known as privileges. There are two levels for assigning privileges for using the database system:
• The account level: At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.
• The relation (or table) level: At this level, the DBA can control the privilege to access each individual relation or view in the database.
• For granting privileges, the access control mechanism follows an authorization model for discretionary privileges known as the access matrix model.
• The access matrix is a table with rows and columns. It defines the access permissions.
• The rows of a matrix M represent subjects (users, accounts, programs).
• The columns represent objects (relations, records, columns, views, operations).
• Each position M(i, j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j.
• For example -
• Discretionary Access Control allows each user or subject to control access to their own data.
• In DAC, the owner of a resource restricts access to it based on the identity of users.
• DAC is typically the default access control mechanism for most desktop operating systems.
• Each resource object on a DAC-based system has an Access Control List (ACL) associated with it.
• An ACL contains a list of users and groups to which the owner has permitted access, together with the level of access for each user or group.
• For example - The ACL is an object-centered description of access rights as follows -
test1.doc: {Prajkta: read}
test2.exe: {Ankita: execute}, {Prajkta: execute}
test3.com: {Ankita: execute, read}, {Prajkta: execute, read, write}
• Object access is determined during Access Control List (ACL) authorization and is based on user identification and/or group membership.
• Under DAC, a user can only set access permissions for resources which they already own.
• Similarly, a hypothetical user A cannot change the access control for a file that is owned by user B. User A can, however, set access permissions on a file that he/she owns.
• A user may transfer object ownership to other user(s).
• A user may determine the access type of other users.
• DAC is an easy-to-implement access control model.
Advantages:
(1) It is flexible.
(2) It has simple and efficient access right management.
(3) It is scalable. That means we can add more users without any complexity.
Disadvantages:
(1) It increases the risk that data will be made accessible to users that should not necessarily be given access.
(2) There is no control over information flow as one user can transfer ownership to another user.
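
The access matrix, its object-centered ACL view, the owner-only rule and the ownership-transfer disadvantage described above, as an added Python example that is not part of the original notes. The `DAC` class, its method names, the choice of Prajkta as the initial owner of test3.com, and the user Guest are assumptions made for illustration.

```python
# Added example: a toy DAC model. Class and method names are hypothetical.

class DAC:
    def __init__(self):
        self.owner = {}   # object -> owning subject
        self.matrix = {}  # access matrix M: (subject i, object j) -> set of privileges

    def _require_owner(self, subject, obj):
        # Under DAC only the owner may change access to an object.
        if self.owner.get(obj) != subject:
            raise PermissionError(f"{subject} does not own {obj}")

    def create(self, subject, obj, rights):
        """The creating subject becomes the owner of the new object."""
        self.owner[obj] = subject
        self.matrix[(subject, obj)] = set(rights)

    def grant(self, grantor, subject, obj, rights):
        self._require_owner(grantor, obj)
        self.matrix.setdefault((subject, obj), set()).update(rights)

    def transfer(self, grantor, new_owner, obj):
        self._require_owner(grantor, obj)
        self.owner[obj] = new_owner

    def check(self, subject, obj, right):
        """Look up position M(i, j) and test for one privilege."""
        return right in self.matrix.get((subject, obj), set())

    def acl(self, obj):
        """Object-centered view: one column of the access matrix."""
        return {s: sorted(r) for (s, o), r in self.matrix.items() if o == obj}


def demo():
    dac = DAC()
    # Assumption: Prajkta owns test3.com and grants Ankita execute and read.
    dac.create("Prajkta", "test3.com", {"execute", "read", "write"})
    dac.grant("Prajkta", "Ankita", "test3.com", {"execute", "read"})
    try:  # Ankita holds privileges but is not the owner, so she cannot grant.
        dac.grant("Ankita", "Guest", "test3.com", {"read"})
        denied = False
    except PermissionError:
        denied = True
    # After ownership is transferred, access is at the new owner's discretion.
    dac.transfer("Prajkta", "Ankita", "test3.com")
    dac.grant("Ankita", "Guest", "test3.com", {"read"})
    return denied, dac.acl("test3.com"), dac.check("Guest", "test3.com", "read")


if __name__ == "__main__":
    print(demo())
```

Once ownership has moved, the original owner has no say over who the new owner grants access to, which is the information-flow weakness listed under Disadvantages.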