nerdexam
(ISC)2

CISSP · Question #260

A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach

The correct answer is A. Administrator should request data owner approval to the user access. In a Discretionary Access Control (DAC) environment, the data owner holds the authority to grant or deny access to their resources, making owner approval the required step before any access is provisioned.

Submitted by manish99· Mar 5, 2026Identity and Access Management

Question

A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take?

Options

  • AAdministrator should request data owner approval to the user access
  • BAdministrator should request manager approval for the user access
  • CAdministrator should directly grant the access to the non-sensitive files
  • DAdministrator should assess the user access need and either grant or deny the access

How the community answered

(30 responses)
  • A
    80% (24)
  • B
    3% (1)
  • C
    7% (2)
  • D
    10% (3)

Why each option

In a Discretionary Access Control (DAC) environment, the data owner holds the authority to grant or deny access to their resources, making owner approval the required step before any access is provisioned.

AAdministrator should request data owner approval to the user accessCorrect

Under DAC, access control decisions are at the discretion of the data owner, not the administrator or manager. The administrator's role is to facilitate access requests by obtaining approval from the owner of the resource, who retains ultimate authority over who can access their data. Even for non-sensitive files, bypassing the data owner's approval violates the DAC model's foundational principle.

BAdministrator should request manager approval for the user access

Manager approval is associated with role-based or organizational approval workflows, not the DAC model, where the data owner-not the user's manager-controls access rights to specific resources.

CAdministrator should directly grant the access to the non-sensitive files

Directly granting access without data owner approval violates the DAC principle, which explicitly reserves access-granting authority for the resource owner, regardless of the sensitivity level of the files.

DAdministrator should assess the user access need and either grant or deny the access

The administrator independently assessing and deciding on access contradicts the DAC model; in DAC, the administrator acts on behalf of or with authorization from the data owner, not on their own judgment.

Concept tested: Discretionary Access Control data owner approval authority

Source: https://csrc.nist.gov/glossary/term/discretionary_access_control

Topics

#Discretionary Access Control (DAC)#data owner#access request#access control models

Community Discussion

No community discussion yet for this question.

Full CISSP Practice