A means of restricting access to Resources based on the identity of persons and/or groups to which they belong. The controls are discretionary in the sense that a person with certain access permission is capable of passing that permission (perhaps indirectly) on to any other person (unless restrained by Mandatory Access Control). An example of DAC would be the access awarded to the payroll department to view payroll information.