The subject has authority, within certain limitations, to specify what objects are accessible.

For example, access control lists can be used.

An access control list (ACL) is a list denoting which users have what privileges to a particular resource.

For example, a tabular listing would show the subjects or users who have access to the object, FILE X, and what privileges they have with respect to that file.

An access control triple consists of the user, program, and file with the corresponding access privileges noted for each user.

This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access. When a user within certain limitations has the right to alter the access control to certain objects, this is termed as user-directed discretionary access control.

An identity-based access control is a type of discretionary access control based on an individuals identity. In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.