Which security model restricts access based on the owner's policy?

Discretionary access control is a security model that allows the owner of a resource to determine who has access to it. In this model, the resource owner can grant or revoke access rights to other users or groups based on their own personal policies or preferences. This means that the owner has the discretion to decide who can access their data, which can lead to flexible sharing but may also introduce risks if not managed properly.

This contrasts with the other models listed. Mandatory access control operates on a stricter framework where access is regulated based on predefined policies and rules that users cannot change. Role-based access control assigns permissions based on the role of a user within an organization, rather than on individual ownership. Attribute-based access control grants access based on specified attributes of the user or resource, adding another layer of complexity and policy-based decision-making beyond individual discretion.

By centralizing access decisions around the owner's policy in discretionary access control, it upholds a more personal and potentially adaptable approach to security, adapting to the unique needs of resource sharing among users.