DAC in AP Cybersecurity

DAC (Discretionary Access Control) is an access control model where the owner of a resource decides who can access it and what they can do, usually managed through access control lists. It connects to authentication and authorization in AP Cybersecurity Unit 4.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is DAC?

DAC stands for Discretionary Access Control. The key word is "discretionary" because access is left to the discretion of the resource owner. If you create a file, you get to decide who else can read, write, or run it. There's no central authority overriding your call.

Think of it like sharing a Google Doc. You own it, so you choose who gets viewer, commenter, or editor access. That's DAC in action. Behind the scenes, those permissions are tracked in an access control list (ACL), which pairs each user or group with the rights they have on the resource. DAC is the most common access control model you'll bump into on everyday systems like Windows and Linux file permissions, precisely because it's flexible and puts owners in charge.

Why DAC matters in AP Cybersecurity

DAC lives in Unit 4: Securing Devices, specifically around Topic 4.2 Authentication and the authorization that follows it. Once an authentication mechanism verifies who you are (the job of [AP Cybersecurity 4.2.C]), an access control model decides what you're allowed to do. DAC is one of the answers to that second question. Understanding it helps you reason about why locking down login settings ([AP Cybersecurity 4.2.D]) matters, because if an attacker steals an owner's credentials under DAC, they inherit that owner's power to grant access to others. The exam wants you to tell access control models apart and match each to the right scenario.


How DAC connects across the course

MAC (Mandatory Access Control) (Unit 4)

MAC is DAC's strict cousin. Instead of owners deciding access, a central policy and security labels do, so a user can't just hand out permissions. DAC trusts the owner; MAC trusts the system.

Access Control List (Unit 4)

The ACL is how DAC actually stores its decisions. Each entry says which user or group can do what to a resource, so DAC without an ACL is just an idea with no enforcement.

RBAC (Role-Based Access Control) (Unit 4)

RBAC assigns permissions to roles rather than individuals or owners. Where DAC lets one owner grant access ad hoc, RBAC says 'all managers can see payroll,' which scales better in big organizations.

Authentication (Topic 4.2)

Authentication and DAC are a two-step handshake. Authentication confirms your identity using factors like passwords or biometrics, then DAC uses that confirmed identity to look you up in the ACL and decide your access.
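The two-step handshake above, together with the owner-managed ACL, as a small Python model. This is an added example, not part of the original guide; the class names, the "grant" right, the users, and the passwords are all constructed for illustration.

```python
import hashlib, hmac, os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """Step 1, authentication: confirm identity from a password factor."""
    def __init__(self):
        self._users = {}
    def add(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))
    def authenticate(self, user, password):
        if user not in self._users:
            return None
        salt, stored = self._users[user]
        ok = hmac.compare_digest(stored, _digest(password, salt))
        return user if ok else None

class Resource:
    """Step 2, authorization: an ACL pairing each user with rights."""
    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.acl = {owner: {"read", "write", "grant"}}
    def grant(self, actor, user, rights):
        # The discretionary part: only the owner's "grant" right edits the ACL.
        if "grant" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL on {self.name}")
        self.acl.setdefault(user, set()).update(rights)

def access(accounts, resource, user, password, right):
    identity = accounts.authenticate(user, password)
    return identity is not None and right in resource.acl.get(identity, set())

def demo():
    accounts = Accounts()                      # constructed sample users
    accounts.add("alice", "constructed-pw-1")
    accounts.add("bob", "constructed-pw-2")
    doc = Resource("notes.txt", owner="alice")
    before = access(accounts, doc, "bob", "constructed-pw-2", "read")
    doc.grant("alice", "bob", {"read"})        # owner decides, no central policy
    after = access(accounts, doc, "bob", "constructed-pw-2", "read")
    try:
        doc.grant("bob", "bob", {"write"})     # bob holds no "grant" right
        self_granted = True
    except PermissionError:
        self_granted = False
    bad_login = access(accounts, doc, "alice", "wrong", "read")
    return before, after, self_granted, bad_login
```

Because the "grant" right follows whichever identity was authenticated, anyone who can log in as the owner can edit the ACL, which is why the owner's login needs protecting.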

Is DAC on the AP Cybersecurity exam?

Expect DAC to show up in multiple-choice questions that hand you a scenario and ask which access control model fits. The giveaway phrase is that the resource owner sets permissions. You should be able to contrast DAC with MAC, RBAC, and RuBAC quickly, since the exam loves to test whether you can match a model to who controls access. No released FRQ has used DAC verbatim, but the concept supports any answer about authorization and how access decisions get made after authentication. Practice spotting the trigger words: 'owner decides' means DAC, 'central labels' means MAC, 'job role' means RBAC.

DAC vs MAC (Mandatory Access Control)

Both control who can access a resource, but the difference is who's in charge. Under DAC, the resource owner chooses and can pass access along at their discretion. Under MAC, a central authority enforces fixed security labels and the owner can't override them. Quick memory hook: DAC is Discretionary (owner's choice), MAC is Mandatory (system's rule).

Key things to remember about DAC

  • DAC stands for Discretionary Access Control, where the owner of a resource decides who can access it.

  • DAC permissions are typically stored and enforced through an access control list (ACL).

  • Authentication confirms your identity first, then DAC uses that identity to decide what you're allowed to do.

  • DAC differs from MAC because owners control access in DAC, while a central authority enforces it in MAC.

  • On the exam, the phrase 'the owner sets permissions' is the signal for DAC.

Frequently asked questions about DAC

What is DAC in cybersecurity?

DAC is Discretionary Access Control, an access control model where the owner of a file or resource decides who can access it and what they can do. Those decisions are usually recorded in an access control list (ACL).

Is DAC the same as MAC?

No. In DAC the resource owner controls access and can grant it to others at their discretion, while in MAC a central authority enforces fixed security labels that owners can't override. DAC is flexible; MAC is strict.

How is DAC different from RBAC?

DAC ties access to the resource owner's choices, often per user. RBAC ties access to roles, so permissions are assigned to a job role like 'manager' and anyone in that role inherits them, which scales better for large organizations.

Is DAC on the AP Cybersecurity exam?

Yes, access control models including DAC appear in Unit 4 around authentication and authorization. You'll most likely see it in multiple-choice questions asking you to match a scenario to the right model.

Where would I see DAC in real life?

Standard file permissions on Windows and Linux use DAC, and so do shared documents where you pick who gets view or edit access. If you can choose who you share something with, that's DAC at work.
