Conquer the 2026 CISSP Challenge – Master Your InfoSec Skills with Confidence!

Discretionary access control (DAC) primarily restricts access based on the identity of users and their group memberships, allowing resource owners the ability to dictate who can access their resources. In a DAC model, the owner of a resource has the authority to grant or restrict access to other users or groups, which gives them significant control over who can interact with their data or files. This model is often seen in operating systems and applications where users determine access levels, relying on their own discretion to control permissions.

The other options do not accurately represent the essence of DAC. While security levels and organizational policies can play roles in access control mechanisms, they are not central to the DAC model. DAC specifically focuses on user identity and group association, which reflects the autonomy afforded to the resource owner. The concept of resource ownership is indeed pivotal in DAC, but it is the dynamic between user identities and their permissions that fundamentally drives the access decisions under this model.