Which type of access control system operates on a "deny" or "allow" basis?

The correct answer is Discretionary Access Control (DAC), as this type of access control system is structured around the principle that the owner of the resource (such as files, data, or systems) has the discretion to determine who is allowed to access that resource and what level of access they have. In a DAC system, access is granted or denied based on the owner's permissions.

This framework allows owners to "allow" or "deny" access to users on an individual basis, often resulting in more flexible yet potentially less secure controls, as permissions can be easily shared or altered by resource owners. Overall, DAC aligns with the scenario described, where access is determined primarily by the decisions of the resource controller.

Other types of access control, such as Mandatory Access Control (MAC), typically rely on a central authority to dictate security levels and access rights, which does not fit the "deny" or "allow" model dictated by individual discretion. Role-Based Access Control (RBAC) assigns access based on predefined roles and their capabilities rather than individual permissions, while Physical Access Control pertains to the management of physical entry to spaces rather than data or file access, hence not directly relevant to the question.