The discretionary access control method is used to grant permissions at DBMS level and is based on the use of access control lists assigned to each system object.
NOTE. The discretionary access control is available for the simultaneous use with mandatory access-control method, access separation method by levels, attribute-based method. When discretionary method and attribute-based method are used simultaneously, it is available to combine permissions in the access control.
To provide security, the access control is used for every object and subject either an explicit or mediated access. The mediated access is the access to the child objects with explicit operations with a parent object, for example, access to the cube on opening a report.
Access permissions are determined for each object. Access permissions determine the set of operations, which a security subject is allowed to execute with an object. Access permissions include view, modify, delete object permissions, and so on. Each object class has its own set of access permissions.
The list of access control determines:
Subjects who can access a specific object.
Operations, which the specific subject is allowed or prohibited to execute for a specific object.
Access permissions are accumulated from the sets of access permissions of separate subjects. Operation prohibition has a higher priority than the permission, regardless of whether the operation is prohibited for a single subject or a group of subjects. This means that when the access control list contains two subjects (a group of users and a user included in this group), and a permission to access some object is granted to the user group, while in the other subject this permission is denied to a specific user in this group, after the permissions are accumulated, this user does not have access to this object.
To use the discretionary access control method:
Select the Use Discretionary Access Control checkbox on the Access Control tab of the policies editor.
Create user accounts and groups of users.
Set object access permissions.
Before enabling the user a certain action, the system checks the access control list to see if this user and the groups that include this user as their member have the corresponding permission. If the user or the group has this permission, the system enables the user to execute the operations, otherwise the operations are denied. A prohibition always has priority over a permission.
See also: