CISSP Study Plan – Day 40 of 55 | Discretionary Access Control (DAC)
- Luke Ahmed
- 23 hours ago
- 3 min read
Updated: 7 hours ago
“Access control defines power — and with DAC, that power belongs to the data owner.” – Luke Ahmed
Today is Day 40 of Yihenew’s CISSP study plan, focusing on Discretionary Access Control (DAC) — one of the core access models in cybersecurity and a frequent source of confusion on the CISSP exam.
DAC grants data owners the discretion to decide who can access their resources. It’s flexible, but with that flexibility comes risk. Understanding DAC helps you recognize where human judgment intersects with security policy — a balance every CISSP must manage.
Key Areas Covered in the CISSP Study Plan
Definition: Discretionary Access Control (DAC) allows the data owner to determine who has access to their resources and what level of access they receive.
How It Works:
Access is typically controlled through Access Control Lists (ACLs) or capability tables.
The system enforces the permissions set by the resource owner.
Example: In Windows, the NTFS permissions (Read, Write, Modify, Full Control) that a file's owner grants to other users and groups are DAC; so are the owner/group/other read, write and execute bits a Unix file owner sets with chmod.
Advantages:
Flexible and user-friendly
Common in commercial and personal systems
Easy to implement at small scale
Disadvantages:
Susceptible to privilege misuse or accidental over-sharing: any user who has been granted read access can copy the data and share the copy under their own ownership, so the original owner's decision does not constrain where the data ends up
Difficult to manage in large enterprises, where thousands of individually owned ACLs drift out of line with policy
Dependent on user responsibility rather than a system-wide rule, so not suitable for highly classified environments where information flow must be controlled regardless of what individual owners decide
CISSP Context: DAC contrasts with MAC (Mandatory Access Control), where access is governed by system-enforced classification labels and user clearances rather than owner decisions; the owner of a labeled object cannot override the system's decision.
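To make the "owner decides" versus "system decides" distinction concrete, here is an added example that is not part of the original post: a toy reference monitor in Python with a DAC side (the owner edits an ACL, the system only enforces it) and a MAC side (the system compares clearance against a classification label and the owner has no say). The users alice and bob, the file payroll.xlsx, the three-level label set and the Bell-LaPadula-style "no read up / no write down" rules on the MAC side are all constructed assumptions for illustration, not anything from the post or from a real product.

```python
"""Toy reference monitor contrasting DAC with MAC.

Added example (not from the original post). Under DAC the resource owner
edits the ACL and the system merely enforces it; under MAC the system
compares a subject's clearance with the object's classification label and
the owner cannot override the result. The users, file and labels below
are constructed sample data.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels (constructed; a real system has its own lattice).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class Resource:
    name: str
    owner: str
    classification: str
    # DAC state: principal -> set of permissions granted by the owner.
    acl: dict = field(default_factory=dict)


class DacMonitor:
    """Discretionary: only the owner may change the ACL; the system enforces it."""

    def grant(self, actor: str, res: Resource, principal: str, perms: set) -> None:
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl.setdefault(principal, set()).update(perms)

    def revoke(self, actor: str, res: Resource, principal: str) -> None:
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl.pop(principal, None)

    def check(self, principal: str, res: Resource, perm: str) -> bool:
        # The owner always has full control over their own resource.
        if principal == res.owner:
            return True
        return perm in res.acl.get(principal, set())


class MacMonitor:
    """Mandatory: a Bell-LaPadula-style rule set owned by the system, not the user."""

    def __init__(self, clearances: dict):
        self.clearances = clearances  # principal -> clearance level name

    def check(self, principal: str, res: Resource, perm: str) -> bool:
        subject = LEVELS[self.clearances[principal]]
        obj = LEVELS[res.classification]
        if perm == "read":   # no read up: clearance must dominate the label
            return subject >= obj
        if perm == "write":  # no write down: cannot leak into a lower label
            return subject <= obj
        return False


def demo() -> dict:
    """Walk through the scenario from the post: the owner decides under DAC,
    the system decides under MAC. Returns the outcomes for inspection."""
    payroll = Resource("payroll.xlsx", owner="alice", classification="secret")
    dac = DacMonitor()
    mac = MacMonitor({"alice": "secret", "bob": "public"})
    out = {}

    out["bob_read_before_grant"] = dac.check("bob", payroll, "read")
    # Alice, as owner, shares the file at her discretion (accidental over-sharing).
    dac.grant("alice", payroll, "bob", {"read"})
    out["dac_bob_read_after_grant"] = dac.check("bob", payroll, "read")
    # Under MAC the same request is refused: bob's clearance is below the label.
    out["mac_bob_read"] = mac.check("bob", payroll, "read")
    # Bob cannot rewrite the ACL to pass the data on; only the owner can.
    try:
        dac.grant("bob", payroll, "mallory", {"read"})
        out["non_owner_grant_refused"] = False
    except PermissionError:
        out["non_owner_grant_refused"] = True
    dac.revoke("alice", payroll, "bob")
    out["dac_bob_read_after_revoke"] = dac.check("bob", payroll, "read")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two `bob_read` results: the DAC monitor says yes as soon as the owner grants, while the MAC monitor says no because the policy is not the owner's to change. That is exactly the "dependent on user responsibility" weakness the list above describes, and why MAC is chosen where labels must hold regardless of individual decisions.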
CISSP Exam Tie-In
CISSP questions on access models often present scenarios involving file ownership or user-granted permissions; these describe DAC. If you see a phrase like "the data owner decides who can access their files", the correct answer is Discretionary Access Control.
Also, remember:
DAC → Owner decides
MAC → System decides
RBAC → Role decides
Quick CISSP Practice Question
In which access control model does the data owner have full authority to grant or revoke access to resources?
A. Mandatory Access Control (MAC)
B. Role-Based Access Control (RBAC)
C. Attribute-Based Access Control (ABAC)
D. Discretionary Access Control (DAC)
✅ Correct Answer: D. Discretionary Access Control (DAC)
Explanation: DAC gives data owners direct control over access rights. This flexibility is useful but can lead to inconsistent enforcement if not properly monitored.
Think Like a Manager: Security shouldn't rely solely on good intentions. DAC works best when balanced by governance and monitoring. A CISSP thinks in terms of control assurance, not convenience.
👉 Can you take the Yani Challenge?
55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:
Course
Luke's CISSP Course (2 months access, $89.98)
One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)
Books, Notes, and Practice Questions
All-In-One Study Guide by Shon Harris (Around $45)
Sybex 10th Edition (Around $52.55)
Total Cost: approximately $250 depending on your geographic location. Yani is located in East Africa.
📚 Study Plan (55 Days of Dedication):
- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).
- Weekends: 5–6 hours of deep study sessions.
Goal: pass the CISSP on the first attempt, within 100 questions.
Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on the first attempt in 100 questions using the above resources only.
If Yihenew could do it, so can you.
All the best, future CISSP. Feel free to contact me anytime as well.
Thank you.
Luke Ahmed