Overview#In computer security, discretionary access control DAC is a type of Access Control Model defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
The controls are discretionary in the sense that a Digital Subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other Digital Subject (unless restrained by Mandatory Access Control)".
Discretionary access control is commonly discussed in contrast to Mandatory Access Control or MAC.
Occasionally a system as a whole is said to have "discretionary" or "purely discretionary" access control as a way of saying that the system lacks mandatory access control. On the other hand, systems can be said to implement both Mandatory Access Control and Discretionary Access Control simultaneously, where Discretionary Access Control refers to one category of access controls that Digital Subjects can transfer among each other, and Mandatory Access Control refers to a second category of Access Controls that imposes constraints upon the first.