This tutorial aims to provide a clear understanding of two types of access control: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). By the end of this tutorial, you'll be able to differentiate between MAC and DAC, understand their usage, and how they contribute to securing applications.
You will learn:
- The basics of Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
- Differences between MAC and DAC
- Practical examples of how to implement both access control types
Prerequisites:
Basic understanding of system security concepts and familiarity with any programming language are recommended but not mandatory.
MAC is a security model where access rights are regulated by a central authority based on multiple levels of security. The operating system constrains the ability of a subject or initiator to access or perform some sort of operation on an object or target.
Example: In a system using MAC, the system administrator sets the policy which the system enforces without exception. Users cannot override or change this policy either accidentally or intentionally.
DAC is a security model where the owner of the object specifies which subjects can access specific resources. This model allows permissions to be changed dynamically based on the discretion of the user.
Example: In a file system that uses DAC, a user might be able to set a file to be shared with specific users, or even make it publicly accessible.
This example shows a simple implementation of MAC in Python. In this case, the operating system (represented by the OS class) controls the access to the File.
class OS:
def __init__(self):
self._files = {}
def create_file(self, name, user):
if user.level >= 5: # Only users with level 5 or higher can create files.
self._files[name] = File(name, user)
else:
raise PermissionError(f'User {user.name} does not have the required level to create files.')
def read_file(self, name, user):
file = self._files.get(name)
if not file or file.owner.level > user.level: # User can only read files from their level or below.
raise PermissionError(f'User {user.name} does not have permission to read file {name}.')
return file.data
This example shows a simple implementation of DAC in Python. In this case, the File owner controls who can access it.
class File:
def __init__(self, name, owner):
self.name = name
self.owner = owner
self._data = ''
self._permissions = {owner: 'rw'} # Owner has read and write permissions.
def read(self, user):
if 'r' in self._permissions.get(user, ''):
return self._data
else:
raise PermissionError(f'User {user.name} does not have read permission.')
def write(self, user, data):
if 'w' in self._permissions.get(user, ''):
self._data = data
else:
raise PermissionError(f'User {user.name} does not have write permission.')
def share(self, user, permissions):
if self.owner == user: # Only the owner can share the file.
self._permissions[user] = permissions
In this tutorial, we've covered the basics of Mandatory and Discretionary Access Control, including their differences, uses, and how they contribute to maintaining security within an application. MAC is centrally controlled and doesn't allow users to override the access policy, while DAC allows owners to set permissions at their discretion.
Solutions
1. Solution 1: DAC is more appropriate when users need flexibility to control their own data, like in a shared document system. MAC is more appropriate when strict control is needed over all data, such as in a military system.
2. Solution 2: The solution will vary, but should demonstrate an understanding of when to use each type of access control and how to implement it in code.