Discretionary Access Control: Authority and Limitations

Discretionary Access Control


Question

In Discretionary Access Control the subject has authority, within certain limitations,

Answers

Explanations


A. B. C. D.

B.

With Discretionary Access Control, the subject has authority, within certain limitations, to specify what objects can be accessible.

For example, access control lists can be used.

This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access.

When a user, within certain limitations, has the right to alter the access control to certain objects, this is termed user-directed discretionary access control.

In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.

References: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 33; and HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, McGraw-Hill/Osborne, 2010, Chapter 4: Access Control (pages 210-211).

Discretionary Access Control (DAC) is a type of access control system in which the owner or administrator of a resource, such as a file or a database, has the authority to determine who can access that resource and what level of access they are granted. The owner or administrator can also specify what actions users are permitted to perform on the resource, such as reading, modifying, or deleting it.

In DAC, the subject (i.e., the user or process requesting access) has authority, within certain limitations, to specify what objects can be accessible. This means that the user or process can determine which resources they can access, based on their own discretion.

Therefore, the correct answer to the question is option B - "the subject has authority, within certain limitations, to specify what objects can be accessible."

Option A, "the subject is not permitted to specify what objects can be accessible, and an independent third party is needed to specify what objects can be accessible," is incorrect because it contradicts the definition of DAC, where the owner or administrator has the authority to determine access.

Option C, "the subject can specify on an aggregate basis without understanding what objects can be accessible," is also incorrect because it implies that the subject can specify access without knowing what they are accessing, which is not a characteristic of DAC.

Option D, "the subject can specify in full detail what objects can be accessible," is too extreme because the subject's authority is bounded by certain restrictions, and they may not have the ability to specify in full detail which objects can be accessible.

In summary, DAC grants the owner or administrator of a resource the authority to determine who can access it and what level of access they have. Within certain limitations, the subject (user or process) can specify which objects can be accessible, making option B the correct answer.