Web Security / Authorization

Understanding mandatory and discretionary access control

In this tutorial, we'll cover two types of access control: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). We'll explore their differences, uses, and how th…

Tutorial 4 of 5 5 resources in this section
Sections Cryptography Authentication Authorization Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) SQL Injection Security Misconfigurations Sensitive Data Exposure Broken Authentication and Session Management XML External Entity (XXE) Attacks

Section overview

5 resources

The process of verifying what a user has access to.

1. Introduction

This tutorial aims to provide a clear understanding of two types of access control: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). By the end of this tutorial, you'll be able to differentiate between MAC and DAC, understand their usage, and how they contribute to securing applications.

You will learn:
- The basics of Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
- Differences between MAC and DAC
- Practical examples of how to implement both access control types

Prerequisites:
Basic understanding of system security concepts and familiarity with any programming language are recommended but not mandatory.

2. Step-by-Step Guide

Mandatory Access Control (MAC)

MAC is a security model where access rights are regulated by a central authority based on multiple levels of security. The operating system constrains the ability of a subject or initiator to access or perform some sort of operation on an object or target.

Example: In a system using MAC, the system administrator sets the policy which the system enforces without exception. Users cannot override or change this policy either accidentally or intentionally.

Discretionary Access Control (DAC)

DAC is a security model where the owner of the object specifies which subjects can access specific resources. This model allows permissions to be changed dynamically based on the discretion of the user.

Example: In a file system that uses DAC, a user might be able to set a file to be shared with specific users, or even make it publicly accessible.

3. Code Examples

Example 1: Implementing MAC

This example shows a simple implementation of MAC in Python. In this case, the operating system (represented by the OS class) controls the access to the File.

class OS:
    def __init__(self):
        self._files = {}

    def create_file(self, name, user):
        if user.level >= 5:  # Only users with level 5 or higher can create files.
            self._files[name] = File(name, user)
        else:
            raise PermissionError(f'User {user.name} does not have the required level to create files.')

    def read_file(self, name, user):
        file = self._files.get(name)
        if not file or file.owner.level > user.level:  # User can only read files from their level or below.
            raise PermissionError(f'User {user.name} does not have permission to read file {name}.')
        return file.data

Example 2: Implementing DAC

This example shows a simple implementation of DAC in Python. In this case, the File owner controls who can access it.

class File:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self._data = ''
        self._permissions = {owner: 'rw'}  # Owner has read and write permissions.

    def read(self, user):
        if 'r' in self._permissions.get(user, ''):
            return self._data
        else:
            raise PermissionError(f'User {user.name} does not have read permission.')

    def write(self, user, data):
        if 'w' in self._permissions.get(user, ''):
            self._data = data
        else:
            raise PermissionError(f'User {user.name} does not have write permission.')

    def share(self, user, permissions):
        if self.owner == user:  # Only the owner can share the file.
            self._permissions[user] = permissions

4. Summary

In this tutorial, we've covered the basics of Mandatory and Discretionary Access Control, including their differences, uses, and how they contribute to maintaining security within an application. MAC is centrally controlled and doesn't allow users to override the access policy, while DAC allows owners to set permissions at their discretion.

5. Practice Exercises

  1. Exercise 1: Describe a situation where DAC would be more appropriate than MAC, and vice versa.
  2. Exercise 2: Implement a simple system in your preferred programming language that uses both MAC and DAC, and explain why you chose to use each where you did.

Solutions
1. Solution 1: DAC is more appropriate when users need flexibility to control their own data, like in a shared document system. MAC is more appropriate when strict control is needed over all data, such as in a military system.
2. Solution 2: The solution will vary, but should demonstrate an understanding of when to use each type of access control and how to implement it in code.

Need Help Implementing This?

We build custom systems, plugins, and scalable infrastructure.

Discuss Your Project
Previous Tutorial Next Tutorial

Related topics

Keep learning with adjacent tracks.

View category

HTML

Learn the fundamental building blocks of the web using HTML.

Explore

CSS

Master CSS to style and format web pages effectively.

Explore

JavaScript

Learn JavaScript to add interactivity and dynamic behavior to web pages.

Explore

Python

Explore Python for web development, data analysis, and automation.

Explore

SQL

Learn SQL to manage and query relational databases.

Explore

PHP

Master PHP to build dynamic and secure web applications.

Explore

Popular tools

Helpful utilities for quick tasks.

Browse tools

Scientific Calculator

Perform advanced math operations.

Use tool

Countdown Timer Generator

Create customizable countdown timers for websites.

Use tool

Keyword Density Checker

Analyze keyword density for SEO optimization.

Use tool

Meta Tag Analyzer

Analyze and generate meta tags for SEO.

Use tool

Random Password Generator

Create secure, complex passwords with custom length and character options.

Use tool

Latest articles

Fresh insights from the CodiWiki team.

Visit blog

AI in Drug Discovery: Accelerating Medical Breakthroughs

In the rapidly evolving landscape of healthcare and pharmaceuticals, Artificial Intelligence (AI) in drug dis…

Read article

AI in Retail: Personalized Shopping and Inventory Management

In the rapidly evolving retail landscape, the integration of Artificial Intelligence (AI) is revolutionizing …

Read article

AI in Public Safety: Predictive Policing and Crime Prevention

In the realm of public safety, the integration of Artificial Intelligence (AI) stands as a beacon of innovati…

Read article

AI in Mental Health: Assisting with Therapy and Diagnostics

In the realm of mental health, the integration of Artificial Intelligence (AI) stands as a beacon of hope and…

Read article

AI in Legal Compliance: Ensuring Regulatory Adherence

In an era where technology continually reshapes the boundaries of industries, Artificial Intelligence (AI) in…

Read article

Need help implementing this?

Get senior engineering support to ship it cleanly and on time.

Get Implementation Help