The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.