MAC vs. DAC: Comparing Access Control Fundamentals
Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are longstanding, common terms in the Identity Access Management (IAM) field. In this blog, we will differentiate between these two access control strategies and help you understand which is the most suitable choice in the context of modern applications and access control.
First, let’s go over the basics:
- Mandatory Access Control (MAC) is an access control strategy in which access control decisions are made solely by software developers or system administrators, ensuring strict, system-level control.
- Discretionary Access Control (DAC) is an access control strategy in which users have direct influence over access control decisions regarding their own data.
While commonplace, as we will soon see, using these terms as-is might be a little too limited for the current application-level access control landscape. We’ll also discuss how the two can be combined together to fit more modern approaches to authorization.
MAC and DAC - a Brief History
Before the Internet era, when operating systems managed different users and permissions without the need for online collaboration, MAC and DAC became fundamental in defining how users and processes access applications.
These two access control strategies offer different approaches to managing authorization and are very relevant today as they shape our thinking about implementing access control.
Let’s dive into each of these models in further detail.
What is Mandatory Access Control (MAC)?
Mandatory Access Control (MAC) is a security model that strictly controls access to information based on predefined policies set by a central authority. As mentioned previously, in MAC, the system enforces access rules without giving users the ability to modify permissions for their own data. This model is primarily designed to support confidentiality, ensuring that sensitive information is only accessible to pre-authorized users - making it a highly secure but inflexible model.
MAC Implementation and Examples
MAC is commonly used in highly sensitive environments. These systems use strict policies to ensure that information remains secure and inaccessible to unauthorized users.
Consider, for example, developing an application for the Windows operating system. You want to ensure that no other process can access the data in your application unless explicitly allowed by you. MAC limits access to the data based on predefined policies set by the developer or system administrator, ensuring only the intended user can access the application.
MAC: Strengths and Limitations
Strengths:
- Strict Security: As mentioned above, MAC provides a very secure environment by strictly enforcing access rules.
- Confidentiality: Ensures that sensitive information is only accessible to users with the appropriate clearance.
- Centralized Control: Administrators have full, direct control over access policies, reducing the risk of unauthorized access.
Limitations:
- Complexity: Managing and maintaining strict access policies can be complex and time-consuming, requiring direct intervention by a system administrator for both setting up and managing every policy.
- User Experience: Because users cannot change permissions themselves, this approach is a poor fit for dynamic environments where data sharing and collaboration are important.
- Scalability Issues: In large organizations, having administrators manage individual permissions can become inefficient and harm the service's usability.
What is Discretionary Access Control (DAC)?
Discretionary Access Control (DAC) is a strategy that grants users control over their own data. Unlike MAC, where access decisions are made by the system administrators or developers, DAC allows the data owners to decide who can access their data and what actions they can perform. This model emphasizes flexibility and user autonomy.
DAC Implementation and Examples
DAC is widely used in environments where user flexibility and data sharing are essential. A common traditional example is the way file permissions are managed in operating systems like Windows or Unix. Users can create files and folders and then set permissions to determine who else can read, write, or execute those files.
Another common example is found in social networking platforms. Users can choose who sees their posts, who can comment, and who can share their content. This level of control allows users to manage their privacy and interactions directly.
DAC: Strengths and Limitations
Strengths:
- Flexibility: Users can quickly and easily share data and collaborate with others without the need for administrative intervention for every policy change. With appropriate user interfaces in place, making policy changes is a very straightforward process.
Limitations:
- Security Risks: As users control their own permissions, misconfigurations can violate the principle of least privilege, resulting in unauthorized access.
DAC’s emphasis on user control makes it an excellent choice for collaborative environments and applications where data sharing and user autonomy are crucial. However, its potential security risks and scalability challenges need to be carefully managed to ensure data remains secure.
MAC vs. DAC
| Aspect | Mandatory Access Control (MAC) | Discretionary Access Control (DAC) |
|---|---|---|
| Definition | System-level control set by administrators or developers | User-level control over data and permissions |
| Control Level | Centralized | Decentralized |
| Flexibility | Low | High |
| Security Requirement | Confidentiality | User agency |
| Management | Admins set policies and permissions | Users manage their own permissions |
| Implementation | Predefined policies strictly enforced | Users define access controls for their resources |
| Examples of Use | Any strictly monitored system | Social networks, file systems |
| Strengths | High security; strict control | Flexibility; user autonomy |
| Limitations | Inflexibility; not user-friendly | Security risks; potential for misconfigurations |
| User Management | Managed by administrators | Managed by individual users |
The Limitations of Using MAC and DAC in Modern Applications
The strict definitions of Mandatory Access Control (MAC) and Discretionary Access Control (DAC) face significant challenges based on the evolving nature of modern Internet applications, data, and user expectations. There are a few reasons for that:
First is the distributed nature of applications. As modern applications are often distributed across multiple microservices, it is often the case that each requires varying access requirements. Relying solely on MAC imposes rigid controls that may not align with modern applications' flexible and user-managed nature, while strict adherence to DAC in a distributed environment can lead to a chaotic backend that is difficult to manage and support.
Second is the sheer amount of data generated by modern applications. While traditionally developers had a clear understanding of the data being processed and its structure, modern applications generate vast and unpredictable amounts of data. Enforcing MAC in such a landscape is difficult, as predefined policies may not account for all possible data types and interactions. DAC, on the other hand, requires anticipating the various data types and their usage, which is nearly impossible in modern applications due to their versatility.
Third, user expectations regarding data privacy and ownership have also evolved significantly. While MAC can provide reassurance about data privacy through strict controls, it can also negatively impact user experience. Users today expect to have control over who can access their data, and MAC is bound to hurt this autonomy. DAC, on the other hand, aligns well with user expectations of control and flexibility, but it can lead to security risks if users misconfigure permissions.
Choosing Between MAC and DAC
Considering all the factors described above, the choice between MAC and DAC when considering access control implementation strategies in modern applications becomes quite redundant. Applications today cannot be expected to strictly adhere to either MAC or DAC exclusively, requiring a more nuanced approach to access control.
Both MAC and DAC have their strengths, and using a combination of both can help address the diverse security needs of different parts of an application. Let’s see how the two can be combined:
Combining MAC and DAC:
The most effective way to choose between MAC and DAC is to integrate both models into different parts of your application:
- MAC for Core Security: Use MAC to enforce strict access control for critical application components where security is non-negotiable. This includes database access, inter-service communication, and other backend operations where precise control is essential.
- DAC for User Experience: Implement DAC in areas where user flexibility and control are paramount. This includes front-end interactions, user-generated content, and any features that require users to manage their own permissions and data-sharing preferences.
Front-End vs. Back-End:
Different parts of an application can benefit from different access control models:
- Front-End Applications and APIs: For the frontend, where user interaction is a priority, fine-grained discretionary access control (DAC) is often more suitable. This allows users to manage role assignments and data ownership, providing them with the flexibility to control their own permissions.
- Back-End Systems and Databases: In contrast, the back-end, such as databases and core services, benefits from the strict control provided by MAC. Mandatory access control ensures that only authorized services and users can communicate with each other, maintaining a high level of security and preventing unauthorized access to sensitive data. This is especially important for maintaining the integrity of critical data and ensuring compliance with security policies.
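As an added illustration (not code from this post or from Permit.io), here is a minimal Python authorization check that layers the two models the way this section describes: a mandatory clearance rule the system enforces first, and a discretionary owner-managed ACL whose grants are limited to a developer-defined boundary. All users, labels and actions are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: classification levels for the mandatory layer
# (higher number = more sensitive) and each user's clearance, both set by
# administrators, never by the users themselves.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
CLEARANCE = {"alice": "confidential", "bob": "confidential",
             "carol": "confidential", "dave": "internal"}

# Developer-defined boundary for the discretionary layer: the only actions an
# owner is allowed to delegate. "delete" is deliberately excluded.
GRANTABLE = {"read", "comment"}

@dataclass
class Resource:
    owner: str
    label: str                                   # MAC classification
    acl: dict = field(default_factory=dict)      # DAC: user -> set of actions

def mac_allows(user: str, resource: Resource) -> bool:
    """Mandatory rule (no read-up): clearance must dominate the label."""
    return LEVELS[CLEARANCE.get(user, "public")] >= LEVELS[resource.label]

def grant(resource: Resource, grantor: str, grantee: str, action: str) -> bool:
    """Discretionary grant: only the owner, only within the boundary."""
    if grantor != resource.owner or action not in GRANTABLE:
        return False
    resource.acl.setdefault(grantee, set()).add(action)
    return True

def dac_allows(user: str, resource: Resource, action: str) -> bool:
    """Owner may do anything; others need an explicit ACL entry."""
    return user == resource.owner or action in resource.acl.get(user, set())

def is_allowed(user: str, resource: Resource, action: str) -> bool:
    # MAC is checked first; a discretionary grant can never override it.
    return mac_allows(user, resource) and dac_allows(user, resource, action)

def demo() -> tuple:
    doc = Resource(owner="alice", label="confidential")
    grants = (
        grant(doc, "alice", "bob", "read"),     # owner, in boundary -> True
        grant(doc, "alice", "bob", "delete"),   # outside boundary   -> False
        grant(doc, "bob", "carol", "read"),     # not the owner      -> False
        grant(doc, "alice", "dave", "read"),    # valid grant        -> True
    )
    checks = (
        is_allowed("bob", doc, "read"),         # MAC ok, DAC ok     -> True
        is_allowed("dave", doc, "read"),        # DAC ok, MAC blocks -> False
        is_allowed("carol", doc, "read"),       # MAC ok, no grant   -> False
        is_allowed("alice", doc, "delete"),     # owner keeps delete -> True
    )
    return grants, checks
```

Note that dave's grant succeeds at the DAC layer yet his access is still denied, which is exactly the property the section wants: users share freely, but only inside the boundary the system enforces.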
MAC and DAC with Permit.io
At Permit.io, we aim to help you leverage both MAC and DAC principles effectively. We encourage our users to enforce MAC on the persistence layer. This helps ensure all data storage and critical backend services maintain high security standards, guaranteeing sensitive data is protected from unauthorized access. Then, rather than enforcing fine-grained authorization (FGA) strictly at the database level, we help our users implement a DAC layer across the backend, API, and frontend that can be controlled by both developers and end users (within safe boundaries defined by the developers) through our no-code UI, Policy as Code, and APIs. This allows both application users and developers to have the maximum amount of flexible control over their data and permissions while maintaining overall security.
One of the benefits Permit.io offers when it comes to policy configuration is our native support for the software development lifecycle and the CI/CD pipelines used in modern applications.
Permit is commonly used for creating baseline MAC policies that are only available to automated CI/CD processes. These policies are configured by developers and business users (such as product managers and security architects), and there is also a DAC layer where end-users can proactively assign permissions.
What Did We Learn?
Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are two critical access control strategies in Identity Access Management (IAM).
While MAC provides strict security and centralized control, it can be inflexible and challenging to manage in dynamic, collaborative environments. On the other hand, DAC offers flexibility and user autonomy, making it ideal for environments where data sharing and user control are essential, but it comes with potential security risks and scalability challenges.
The choice between MAC and DAC is not an either/or decision. Instead, it involves strategically combining both models to leverage their respective strengths. By combining MAC for core security and DAC for user experience, developers can create secure, efficient, and adaptable applications that meet today's diverse requirements.
At Permit.io, we exemplify this balanced approach by enforcing MAC on the persistence layer and implementing a comprehensive DAC layer across the backend, API, and frontend. This approach ensures high security for critical backend services while providing flexible control for users and developers, ultimately enhancing both security and user experience.
Written by
Gabriel L. Manor
Full-Stack Software Technical Leader | Security, JavaScript, DevRel, OPA | Writer and Public Speaker
Daniel Bass
Application authorization enthusiast with years of experience as a customer engineer, technical writing, and open-source community advocacy. Community Manager, Dev. Convention Extrovert and Meme Enthusiast.