---
title: "Discretionary Access Control — AP Cybersecurity Definition"
description: "Discretionary access control (DAC) lets the owner of a resource decide who gets access, a key access-control model in AP Cybersecurity Unit 4 authentication and authorization."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Discretionary Access Control — AP Cybersecurity Definition

## Definition

Discretionary access control (DAC) is an access-control model where the owner of a resource decides who can access it and what they can do with it, usually enforced through access control lists (ACLs).

## What It Is

Discretionary access control (DAC) is a way of deciding who gets into a resource where the **owner** makes the call. If you create a file, you [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") who reads it, edits it, or deletes it. That permission is "discretionary" because it's left to your discretion, not locked down by a central policy.

DAC usually runs on **[access control](/ap-cybersecurity/key-terms/access-control "fv-autolink") lists (ACLs)**, which are basically a guest list attached to each resource. The list says which users (or groups) can do what. This sits in the *authorization* step of security, which is what happens right after authentication. Authentication answers "who are you?" by checking a [factor](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink") like a password. Authorization then answers "what are you allowed to touch?" DAC is one model for answering that second question.

## Why It Matters

DAC lives in **[Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices**, alongside topic 4.2 Authentication. It supports learning objective **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 4.2.C**, where you determine how a system verifies a user's identity, and it connects directly to the authorization that follows. Once a user proves who they are with a knowledge, possession, biometric, or location factor (EK 4.2.C.1), DAC decides what that verified user can actually access. Knowing DAC matters because it's one of the named access-control models you compare against MAC, RBAC, and RuBAC, and those comparisons are exactly the kind of distinctions the exam wants you to make.

## Connections

### Mandatory Access Control (MAC) (Unit 4)

MAC is the opposite philosophy of DAC. In MAC, a central policy and security labels decide access, not the resource owner, so a user can't hand out permissions even if they want to. DAC trusts the owner; MAC trusts the system.

### Access Control List (ACL) (Unit 4)

An ACL is the tool DAC usually uses to enforce its rules. Think of the ACL as the actual guest list and DAC as the rule that says the owner gets to write that list.

### Authentication (Topic 4.2)

[Authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink") and DAC are two halves of one door. Authentication checks your factor to confirm your identity (EK 4.2.C.1), and only then does DAC's access list decide which rooms you're allowed into.

### Role-Based Access Control (RBAC) (Unit 4)

[RBAC](/ap-cybersecurity/key-terms/rbac "fv-autolink") grants access based on your job role instead of an owner's choice. Comparing it to DAC shows the spectrum: DAC is per-owner and flexible, RBAC is per-role and standardized.

## On the AP Exam

Expect DAC in multiple-choice questions that describe a scenario and ask you to name the access-control model in play. The giveaway phrase is the resource *owner* setting permissions. You'll also see DAC paired against MAC, RBAC, and RuBAC in "which model best fits this situation" questions, so be ready to spot the difference rather than just define one term. No released FRQ uses "discretionary access control" verbatim, but the concept supports authorization reasoning under AP Cybersecurity 4.2.C, where you explain how a verified user's access is controlled after login.

## discretionary access control vs Mandatory access control (MAC)

DAC and MAC both control access, but who decides is the whole difference. In DAC the resource owner chooses who gets in and can pass those permissions along. In MAC a central authority sets fixed rules using security labels, and individual owners can't override them. If the question says an owner shares a file, that's DAC; if a system enforces classification levels no user can change, that's MAC.

## Key Takeaways

- Discretionary access control (DAC) means the owner of a resource decides who can access it and what they can do.
- DAC is usually enforced through access control lists (ACLs), which act as a per-resource guest list.
- DAC is the authorization step that happens after authentication confirms a user's identity under AP Cybersecurity 4.2.C.
- The key contrast is DAC versus MAC: DAC trusts the owner, while MAC trusts a central policy using fixed security labels.
- On the exam, the phrase 'the owner sets permissions' is your strongest clue that a scenario describes DAC.

## FAQs

### What is discretionary access control in AP Cybersecurity?

It's an access-control model where the owner of a resource decides who can access it and what actions they can take, usually managed through access control lists. It falls under [authorization](/ap-cybersecurity/key-terms/authorization "fv-autolink") in Unit 4's topic 4.2 Authentication.

### Is discretionary access control the same as mandatory access control?

No. DAC lets the resource owner choose who gets access, while MAC uses a central policy and security labels that owners cannot override. Watch the question for who is making the access decision.

### How is DAC different from RBAC?

DAC grants access based on what the owner decides per resource, while RBAC grants access based on your assigned job role. DAC is flexible and owner-driven; RBAC is standardized and role-driven.

### Does authentication or authorization use DAC?

Authorization does. Authentication first confirms your identity using a factor like a password (EK 4.2.C.1), and then DAC decides what that verified user is allowed to access.

### What's the easiest way to spot DAC on the exam?

Look for a scenario where the owner of a file or system sets the permissions, such as a user sharing a document with specific people. Owner control points straight to DAC.

## Related Study Guides

- [4.2 Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control#resource","name":"Discretionary Access Control — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:28.145Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control#term","name":"discretionary access control","description":"Discretionary access control (DAC) is an access-control model where the owner of a resource decides who can access it and what they can do with it, usually enforced through access control lists (ACLs).","url":"https://fiveable.me/ap-cybersecurity/key-terms/discretionary-access-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is discretionary access control in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's an access-control model where the owner of a resource decides who can access it and what actions they can take, usually managed through access control lists. It falls under [authorization](/ap-cybersecurity/key-terms/authorization \"fv-autolink\") in Unit 4's topic 4.2 Authentication."}},{"@type":"Question","name":"Is discretionary access control the same as mandatory access control?","acceptedAnswer":{"@type":"Answer","text":"No. DAC lets the resource owner choose who gets access, while MAC uses a central policy and security labels that owners cannot override. Watch the question for who is making the access decision."}},{"@type":"Question","name":"How is DAC different from RBAC?","acceptedAnswer":{"@type":"Answer","text":"DAC grants access based on what the owner decides per resource, while RBAC grants access based on your assigned job role. DAC is flexible and owner-driven; RBAC is standardized and role-driven."}},{"@type":"Question","name":"Does authentication or authorization use DAC?","acceptedAnswer":{"@type":"Answer","text":"Authorization does. Authentication first confirms your identity using a factor like a password (EK 4.2.C.1), and then DAC decides what that verified user is allowed to access."}},{"@type":"Question","name":"What's the easiest way to spot DAC on the exam?","acceptedAnswer":{"@type":"Answer","text":"Look for a scenario where the owner of a file or system sets the permissions, such as a user sharing a document with specific people. Owner control points straight to DAC."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"discretionary access control"}]}]}
```
