Which model allows the resource owner to specify access permissions for each user?

Discretionary Access Control (DAC) is a model in which resource owners have the authority to specify access permissions for their resources. In this approach, individuals or entities that own resources can determine who can access those resources and to what extent. This level of control offers flexibility, as the resource owner can grant and revoke permissions based on specific needs or situations.

For example, in a file system employing DAC, the user who creates a file has the ability to decide which users can read, write, or execute that file. This aspect of user control is a key characteristic of DAC, distinguishing it from other models where permissions are managed based on policies that don’t grant individual resource owners the same level of discretion.

In contrast, Rule-Based Access Control relies on system-defined rules to grant or deny access, while Mandatory Access Control enforces strict policies that prohibit users from changing access permissions. Role-Based Access Control, on the other hand, assigns permissions based on predefined roles within an organization, not allowing individual users the same flexibility that DAC does. Hence, DAC is the correct choice for a model that allows resource owners to tailor access permissions for each user.