DAC
Discretionary access control is used by the owner of a file to restrict a user's access to that file. With DAC, an access control list (ACL) is maintained that lists the users with access and what type of access they have. ACLs can be stored as part of the file, in a file, or in a database.

You need to be aware of the many risks associated with DAC. These risks are inherent because there is no centralized administration, as each file owner controls the access level to his or her personal files. Some owners might not be security conscious, and as a result, they might either inadvertently or intentionally allow all users to modify any file they own. Some of the risks that you must be aware of and will have to mitigate include the following:

Software might be executed or updated by unauthorized personnel.

Confidential information might be accidentally or deliberately compromised by users who are not intended to have access.

Auditing of file and resource accesses might be difficult.

The assumption of DAC is that the owner or administrator of the information has the knowledge, skill, and ability to limit access appropriately and control who can see or work with the information.

Managing Users with Groups
On a large network or a small one, one of your tasks when managing a secure environment is to provide users with access to the resources they need. With the number of computers on a corporate network, and the number of users that need access to networked resources, managing access control can be a challenge. To manage users in this environment, you must manage groups of users as opposed to individual users by grouping users together and assigning permissions to groups rather than individuals.

With discretionary authentication, the ACL can become quite large if individual users are added. This can become difficult to manage and can impact the overall system performance as well. In addition, as users leave or change positions, their access capabilities change. Using groups with intuitive names to populate ACLs and adding users to the groups is a better, more secure management technique.

MAC
Mandatory access control is a nondiscretionary control also known as multilevel security. You classify all users and resources and assign a security label to the classification. Access requests are denied if the requestor's security label does not match the security label of the resource. MAC is typically used only by organizations with high security requirements and clear policies and procedures, such as the military.

A classification level specifies the level of trust associated with the resource, and there are three major classification levels: top secret, confidential, and unclassified. Classification levels have an implicit level of trust with higher classifications. For example, confidential classification has an implicit trust with top secret; therefore a person with top secret access also has access to resources that are labeled as confidential.

Access is granted to the user if his or her classification is equal to or higher than the classification of the resource he or she wishes to access. MAC techniques reduce the need for you to maintain ACLs because the access decision logic is built into the classification hierarchy.

Although MAC and RBAC assume a set of formal rules, they differ in the management approach. With MAC, information is categorized according to sensitivity and not subject matter. Data about the same general subject matter can have multiple sensitivity ratings. People and processes within this type of management structure are determined by the kinds of sensitivity levels they are allowed to access.

RBAC
In role-based access control, information is categorized according to subject matter, which might reflect some sensitivity criteria inherent in the environment. Persons and processes are identified for access to the information by the role they play within the enterprise. For example, people in the budget department could access and use sensitive budget data, whereas people in other parts of the enterprise would be denied access to such information.

RBAC is an alternative to DAC and MAC, giving you the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. You can assign a collection of users to a single role. For example, you might assign an administrative role to one or more system administrators responsible for maintaining your enterprise server.

Roles are mapped to a particular resource or a particular user group. When roles are mapped to a resource, the resource name defined in the role is verified and then it is determined if access is permitted to proceed. When roles are mapped to a group, the role group is compared with the group associated with a resource to determine whether the operation is permitted to proceed. Such role-based access control requires that a list of roles be maintained and that mappings from role to user or user group be established