This section goes further in-depth into the subject of access control models (ACMs). We begin by pointing out the inevitable tradeoff that seems to always exist when it comes to technology, whether it be trading off speed for cost or ease of use for tighter security, there's usually one lurking just below the surface. In the case of access control systems, the degree of security of the system is proportional to its user-friendliness. We'll see examples of this in action shortly. The first ACM we examine is DAC or discretionary access control. In a nutshell, the security of an object is based on the discretion of the object's owner. This type of model promotes sharing and ease of use. A folder belongs to its owner who in turn gives permission to others to access it based on their discretion. Prime examples of such a systems are the Windows operating systems along with Unix, Linux, and most other personal computer OSes. The heart and soul of the DAC model are access control lists (ACLs). Such systems are also referred to as identity-based systems where resource access is bound to the user's identity. We then jump to the other end of the spectrum and examine the MAC (Mandatory Access Control) model. This is the most secure of the models. In this model data owners are not permitted to grant access. Instead, a security label system is used and labels are assigned by an ultimate authority such as a government security officer. In order to be granted access to an object, the subject's label must dominate (be equal to or higher) than the object's label. In other words, access to objects is at your level or below only. This model is most commonly used in government environments where classified data is in effect: top secret, secret, and classified. Finally, we have a look at the RBAC (Role-based Access Control) model. This model addresses the issue of privilege creep via the revocation of credentials as user roles change. A user's privileges are based on their function within the organization and these privileges and permissions can't be changed. This model is sort of the best of both worlds in that a high level of security is enforced without the risk of authorization creep.