Discretionary access control (DAC) is an access-control model where the owner of a resource decides who can access it and what they can do with it, usually enforced through access control lists (ACLs).
Discretionary access control (DAC) is an access-control model in which the owner of a resource makes the call about who gets in. If you create a file, you control who reads it, edits it, or deletes it. That permission is "discretionary" because it's left to your discretion, not locked down by a central policy.
DAC usually runs on access control lists (ACLs), which are basically a guest list attached to each resource. The list says which users (or groups) can do what. This sits in the authorization step of security, which is what happens right after authentication. Authentication answers "who are you?" by checking a factor like a password. Authorization then answers "what are you allowed to touch?" DAC is one model for answering that second question.
DAC lives in Unit 4: Securing Devices, alongside topic 4.2 Authentication. It supports learning objective AP Cybersecurity 4.2.C, where you determine how a system verifies a user's identity, and it connects directly to the authorization that follows. Once a user proves who they are with a knowledge, possession, biometric, or location factor (EK 4.2.C.1), DAC decides what that verified user can actually access. Knowing DAC matters because it's one of the named access-control models you compare against MAC, RBAC, and RuBAC, and those comparisons are exactly the kind of distinctions the exam wants you to make.
Mandatory Access Control (MAC) (Unit 4)
MAC is the opposite philosophy of DAC. In MAC, a central policy and security labels decide access, not the resource owner, so a user can't hand out permissions even if they want to. DAC trusts the owner; MAC trusts the system.
Access Control List (ACL) (Unit 4)
An ACL is the tool DAC usually uses to enforce its rules. Think of the ACL as the actual guest list and DAC as the rule that says the owner gets to write that list.
Authentication (Topic 4.2)
Authentication and DAC are two halves of one door. Authentication checks your factor to confirm your identity (EK 4.2.C.1), and only then does DAC's access list decide which rooms you're allowed into.
Role-Based Access Control (RBAC) (Unit 4)
RBAC grants access based on your job role instead of an owner's choice. Comparing it to DAC shows the spectrum: DAC is per-owner and flexible, RBAC is per-role and standardized.
Expect DAC in multiple-choice questions that describe a scenario and ask you to name the access-control model in play. The giveaway phrase is the resource owner setting permissions. You'll also see DAC paired against MAC, RBAC, and RuBAC in "which model best fits this situation" questions, so be ready to spot the difference rather than just define one term. No released FRQ uses "discretionary access control" verbatim, but the concept supports authorization reasoning under AP Cybersecurity 4.2.C, where you explain how a verified user's access is controlled after login.
DAC and MAC both control access, but who decides is the whole difference. In DAC the resource owner chooses who gets in and can pass those permissions along. In MAC a central authority sets fixed rules using security labels, and individual owners can't override them. If the question says an owner shares a file, that's DAC; if a system enforces classification levels no user can change, that's MAC.
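The owner-managed ACL described above and the DAC-versus-MAC contrast in this paragraph, as an added toy model that is not part of the original study guide: the `DacFile`, `MacFile`, `LEVELS` and `demo` names are constructed, and the MAC rule is simplified to "a user may read only at or below their clearance".

```python
from dataclasses import dataclass, field

# Constructed example: a DAC resource carries an owner plus an ACL that only the
# owner may edit; a MAC resource carries a fixed label that no user can change,
# and the system compares that label against the user's clearance.

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed label order


@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Discretionary: only the owner may change the guest list.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this file")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


@dataclass
class MacFile:
    label: str  # assigned by central policy, never by a user


def mac_read_allowed(clearances: dict, user: str, f: MacFile) -> bool:
    # Mandatory: read permitted only at or below the user's clearance.
    return LEVELS[clearances.get(user, "public")] >= LEVELS[f.label]


def demo() -> dict:
    report = DacFile(owner="alice")
    report.grant("alice", "bob", "read")  # the owner shares the file: DAC
    try:
        report.grant("bob", "carol", "read")  # a non-owner cannot extend access
        bob_delegated = True
    except PermissionError:
        bob_delegated = False
    clearances = {"alice": "confidential", "bob": "secret"}  # central policy
    plan = MacFile(label="secret")
    return {
        "bob_reads_report": report.allowed("bob", "read"),
        "bob_writes_report": report.allowed("bob", "write"),
        "bob_delegated": bob_delegated,
        "alice_reads_plan": mac_read_allowed(clearances, "alice", plan),
        "bob_reads_plan": mac_read_allowed(clearances, "bob", plan),
    }
```

Running `demo()` shows the difference in who decides: Alice can hand Bob read access to her file, but no owner can lift Alice's clearance to read the labelled plan.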
Discretionary access control (DAC) means the owner of a resource decides who can access it and what they can do.
DAC is usually enforced through access control lists (ACLs), which act as a per-resource guest list.
DAC is the authorization step that happens after authentication confirms a user's identity under AP Cybersecurity 4.2.C.
The key contrast is DAC versus MAC: DAC trusts the owner, while MAC trusts a central policy using fixed security labels.
On the exam, the phrase 'the owner sets permissions' is your strongest clue that a scenario describes DAC.
It's an access-control model where the owner of a resource decides who can access it and what actions they can take, usually managed through access control lists. It falls under authorization in Unit 4's topic 4.2 Authentication.
No. DAC lets the resource owner choose who gets access, while MAC uses a central policy and security labels that owners cannot override. Watch the question for who is making the access decision.
DAC grants access based on what the owner decides per resource, while RBAC grants access based on your assigned job role. DAC is flexible and owner-driven; RBAC is standardized and role-driven.
Authorization does. Authentication first confirms your identity using a factor like a password (EK 4.2.C.1), and then DAC decides what that verified user is allowed to access.
Look for a scenario where the owner of a file or system sets the permissions, such as a user sharing a document with specific people. Owner control points straight to DAC.