Discretionary Access Privileges
The central system administrator usually determines who is granted access to specific resources and maintains the access control list. In distributed systems, however, end users may control (own) resources. Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt the budgeting manager makes to add, delete, or change the general ledger will be denied. Discretionary access control needs to be closely supervised to prevent security breaches resulting from too liberal use.