Types of Discretionary Privileges

Discretionary Privileges in Access Control:
Discretionary Access Control is a mechanism that allows the owner of a resource to control who has access to that resource and what actions they can perform on it. The term “discretionary” implies that the owner has the discretion to decide who is granted access and what privileges they are granted.

In a discretionary access control system, each resource is assigned a unique owner account, which is responsible for managing access to that resource. The owner has the ability to grant or revoke access privileges, such as reading or modifying data, to other users or groups of users.

This type of access control offers a high degree of flexibility, as the owner can dynamically adjust the access privileges for a resource to suit their needs. For example, if a user is no longer authorized to access a resource, the owner can simply revoke their privileges.

However, the owner’s discretion must be exercised responsibly, as granting too many privileges to the wrong people can lead to security breaches and other problems. Therefore, it is important to carefully consider who is granted discretionary privileges and what actions they are allowed to perform on a resource.

In conclusion, discretionary privileges play a crucial role in access control systems, allowing owners to manage and control access to their resources. However, these privileges must be granted and managed with care to ensure the security and protection of sensitive information.

Privilege allow a user to access some data in a certain manner either to read or to write or to delete etc. Types of Discretionary Privileges : Discretionary Access Control includes granting and revoking of the privileges which are known as Discretionary privileges.This access control consists of an owner account for each resource and the owner account can control the access of privileges like read the data or modify data of database. There are two levels of Discretionary privileges in the database system :

In a database system, the Database Administrator (DBA) has the responsibility of specifying the privileges that each account holds. These privileges are set at the account level, independent of any relationships within the database.

The DBA can grant the following privileges to an account:

• CREATE SCHEMA or CREATE TABLE: the ability to create new relations or tables within the database.
• ALTER: the ability to make changes to the schema, such as adding or removing attributes from relations.
• DROP: the ability to delete relations or views.
• MODIFY: the ability to insert, delete, or update data within the database.
• SELECT: the ability to retrieve information from the database.

These privileges give the account holder varying degrees of control over the database and its contents. The DBA must carefully consider the level of access they grant to each account to ensure the security and protection of sensitive information.

1. Relation / Table Level – It is the second level of privileges which is applied to the relation level. This includes tables or relations and virtual relations known as views. A user who has created a database object such as a table or a view will get all privileges on that object.This user is the holder of owner account which is created for each relation. In this level, an owner account is created for each relation and this account will also have right to pass the privileges to other users by GRANTING privileges to their accounts. The granting and revoking of discretionary privileges can be done by using a model known as access matrix model. This model specifies rights of each subject for each object.

Access matrix Model :

Here, Mary has only read privilege on file1 she can’t modify that file1. So, we can represent the privileges of each subject on each object. The matrix M consists of rows which resembles subjects like users, accounts and the columns resembles objects like relations, views.Each position M(i,j) in the matrix represents the types of privileges like read, write, update that subject i holds on object j.