The scenario describes Discretionary Access Control (DAC). In a DAC model, the owner of an object (such as a file or directory) has the discretion to decide which subjects (users or groups) can access it and what privileges they have (e.g., read, write, execute). This control is typically managed through an Access Control List (ACL) associated with the object, which is precisely what the question outlines. The key characteristic is that the control over access is decentralized and lies with the object's owner.

A. RBAC: In Role-Based Access Control (RBAC), access is determined by the user's assigned role within the organization, not by the discretion of an object's owner.

B. MAC: In Mandatory Access Control (MAC), access decisions are made by a central authority and enforced by the system based on security labels, overriding any owner's wishes.

C. CIA: This is the security triad (Confidentiality, Integrity, Availability), which represents the fundamental goals of information security, not a type of access control mechanism.

1. National Institute of Standards and Technology (NIST) Special Publication 800-192

Verification and Test Methods for Access Control Policies/Models.

Section 2.1

Page 3: "In a system with DAC

an individual user

the owner of an object

can grant or deny access to that object to other users. Access control is at the discretion of the owner." This directly supports the correct answer.

2. Ferraiolo

D. F.

& Kuhn

D. R. (1992). Role-Based Access Control. 15th National Computer Security Conference.

Section 2.1

"Discretionary Access Control": The paper contrasts RBAC with traditional models

stating

"With DAC

the owner of an object has the discretion of granting access to that object to other users." This academic source clearly defines the principle described in the question.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278–1308.

Section I.A.3

"Checking Authorization": This foundational paper discusses access control matrices and lists (ACLs) as a mechanism where "the owner of the segment may be permitted to grant and revoke access to others

" which is the essence of DAC. (DOI: https://doi.org/10.1109/PROC.1975.9939)

4. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014. Lecture 3: Privilege Separation.

Section on "Access control models": The course materials differentiate between DAC

where users control access to their own files

and MAC

where a system-wide policy dictates access based on security labels. This aligns with the provided explanation.