The Difference Between DAC and MAC Access Control Models

Access control is a vital security practice that helps enterprises protect their physical and cyber assets. IT administrators use several types of access control mechanisms to keep users out of locations on the premises that they are not authorized to enter. Discretionary Access Control (DAC) and Mandatory Access Control (MAC) are two popular strategies.


Discretionary access control is a protocol that grants or prohibits user access to suites, rooms and other parts of a building. Whether a user receives access is determined by the system administrators. These administrators create access policies to give other users administrative privileges to control the level of security.

With DAC, the user identity is represented by credentials, which often take the form of physical key fobs, cards, mobile keys or a combination of username and password. This is why DAC is called an identity-based access control mechanism.

Access management through DAC involves the administrator generating an access control list (ACL) that records which users have access to a particular space, room or area based on their role and what it requires. The administrator then controls the access type of other users as well.


Mandatory access control is an access control mechanism that provides users with access to a room or a part of the building based on security titles assigned to them by the security administrator. With MAC, admins have full control of how users gain access to the computer system for a higher level of security.

MAC considers two important aspects when granting or limiting a user’s access to a particular part of the building:

  • The level of restriction assigned to a room.  
  • The authorization of the user to access the room with a particular restriction level.

With MAC, the security administrator defines the level of restriction using a hierarchy of security labels. These may include titles like Restricted (Level 1), Secret (Level 2), and Top Secret (Level 3). Additionally, the security administrator groups the employees based on their roles or other parameters and assigns a security label to each group. When a user attempts to access a room, the security kernel checks the user’s security label and grants access only to the rooms that label entitles them to.

This article provides the pros and cons of MAC and DAC and identifies various scenarios and examples where they can be used.

When is Discretionary Access Control Used?

Discretionary access control is the most suitable access control mechanism for small and medium-scale enterprises (SMEs) with limited IT staff. Since SMEs often lack a sufficient budget for a dedicated IT helpdesk, they let users manage their own access.

Discretionary access control may not be suitable for organizations that have several restricted areas within the building. For instance, DAC is not suitable for a hospital that has several restricted areas.

Pros and Cons of DAC

Pros:

  • DAC is a cost-effective access control mechanism.
  • The implementation of DAC is not complex as it allows users to manage their credentials.
  • DAC allows users to configure their access parameters without the need for an administrator.
  • It reduces administrative overheads significantly.
  • Adding and removing users is easy with DAC.
  • DAC is responsive to the business needs of an enterprise.

Cons:

  • Physical security is the biggest concern with DAC. It makes restricted areas vulnerable to theft and vandalism.
  • DAC systems lack negative authorization power.
  • Security administrators have limited control over how resources or data are shared within the organization.

When is Mandatory Access Control Used?

Organizations that prioritize physical security over operating costs and operational flexibility should use MAC. It is most suitable for government organizations, hospitals, militaries and law enforcement organizations that operate in restricted environments. These organizations can use MAC to ensure that employees only have access privileges to authorized rooms. 

Several large-scale private enterprises also use MAC to protect physical assets such as servers, electricity panels and inventories. By implementing MAC, enterprises ensure that only authorized people have access to the respective areas.

Pros and Cons of MAC

Pros:

  • It offers a high level of protection to physical assets.
  • Users cannot enter restricted rooms without the permission of the security administrator.
  • MAC does not give users the flexibility to set access rights and object access parameters. The administrator controls who can access which area within a building.
  • Since users cannot declassify and share data, MAC systems restrict trojan horse attacks and security breaches.

Cons:

  • MAC is difficult to set up, program, and maintain.
  • Manual configuration of security labels and access levels takes time.
  • Scalability is the biggest concern with MAC.
  • Higher dependency on security administrators.
  • MAC is not user-friendly as users may need to put in a request for each part of the building they want to access.

What is Role-Based Access Control (RBAC)?

Many private companies avoid using MAC on its own because it is difficult to maintain. Instead, they combine MAC with other access control strategies such as role-based access control (RBAC) and DAC. The combination helps reduce setup difficulties and increases convenience for users.

For instance, the security administrator can combine MAC with the RBAC model to speed up the process of creating user profiles. RBAC enables security administrators to group employees based on their roles, job positions or department. Then, they can issue a relevant security label.

Security administrators will also combine MAC with DAC to increase the flexibility for users to access and share the information. This combination secures sensitive data while allowing employees to share relevant information within the local area network.
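The MAC label check, the role-to-label grouping and the MAC-plus-DAC combination described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the room, role and user names are hypothetical, and the rule that a user's level must be at least the room's level is an assumption about how the label hierarchy is compared.

```python
from enum import IntEnum


class Label(IntEnum):
    """Label hierarchy using the article's example titles."""
    RESTRICTED = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed sample data: every room, role and user name is hypothetical.
ROOM_LABELS = {"front-office": Label.RESTRICTED, "records": Label.SECRET,
               "server-room": Label.TOP_SECRET}
ROLE_LABELS = {"reception": Label.RESTRICTED, "nurse": Label.SECRET,
               "it-admin": Label.TOP_SECRET}   # RBAC: one label per role
USER_ROLES = {"alice": "it-admin", "bob": "nurse", "carol": "reception"}


def mac_allows(user, room):
    """MAC: compare administrator-assigned labels; users cannot change them."""
    user_label = ROLE_LABELS.get(USER_ROLES.get(user))
    room_label = ROOM_LABELS.get(room)
    if user_label is None or room_label is None:
        return False  # fail closed on an unknown user, role or room
    # Assumed rule: the user's level must be at least the room's level.
    return user_label >= room_label


class DacRoom:
    """DAC: a per-room ACL that the room's owner extends at their discretion."""
    def __init__(self, name, owner):
        self.name, self.owner, self.acl = name, owner, {owner}

    def grant(self, grantor, grantee):
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.add(grantee)

    def allows(self, user):
        return user in self.acl


def combined_allows(user, room):
    """MAC combined with DAC: the ACL can narrow access, never exceed the label."""
    return mac_allows(user, room.name) and room.allows(user)


if __name__ == "__main__":
    server_room = DacRoom("server-room", owner="alice")
    server_room.grant("alice", "carol")           # discretionary grant
    print(server_room.allows("carol"))            # DAC alone
    print(combined_allows("carol", server_room))  # label check still applies
```

Under DAC alone the owner's grant is enough to admit the user; once the label check is layered on top, the same grant has no effect for a user whose label is below the room's.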


Genea Security: A Future-First Solution

Enterprises use a wide range of access control mechanisms, including MAC, DAC, and RBAC to ensure only authorized people can access the information. However, not all of these mechanisms operate on similar principles. Furthermore, they aren’t suitable for all enterprises.

IT directors should have a thorough understanding of their security needs to choose a suitable access control mechanism. MAC may be suitable for large-scale enterprises that give high priority to physical security over operating flexibility. DAC may be suitable for SMEs that cannot afford to spend heavily on IT staff, physical security and data security.

Genea is a leading access control solutions provider in the United States. It offers a wide range of solutions, including cloud-based access control, touchless visitor management, video integrations and more.

With Genea’s cloud-based access control system, security teams can adopt role-based access control to create and manage access credentials. It helps enterprises restrict the entry of unauthorized employees into critical areas of the building, which may include server rooms, board rooms, locker rooms, and electricity rooms.

Genea’s cloud-based access control can also be integrated with Okta’s Identity Management to automate access control workflows and revoke access permissions of users to sensitive information with a single mouse click from a remote location.

Schedule a demo to learn how Genea’s access control solutions can facilitate role-based access control to restrict unauthorized users from accessing sensitive data.  
