In which access control model does the department have discretion over granting access to individuals within policy standards?

Multiple Choice

Explanation:
Discretionary access control lets the owner of a resource decide who can access it and what level of access they receive, as long as it stays within the policy guidelines. In this model, the department that owns the resource has the authority to grant or revoke permissions for individuals, and these permissions are typically tracked in access control lists or capability-based tokens. This mirrors real-world practice where a manager or owner can delegate access to team members at their discretion, within the overarching policy.

This differs from a centralized, mandatory approach where access is dictated by fixed security labels and clearances set by a central authority, leaving little room for the owner to grant exceptions. It also differs from policy-based approaches that enforce access decisions strictly according to predefined policies and attributes, rather than owner-approved permissions. Delegated access control describes the act of delegating authority to grant access, which is a facet of discretionary control but not the fundamental model described when the owner retains the primary discretion within policy.
