Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects.
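
One way to enforce this control, shown as an added example that is not part of the original control text: a small access monitor in which a subject can pass on a right only if it already holds that right and the policy marks the right as delegable. The names `Policy`, `DacMonitor`, the subjects and `report.txt` are hypothetical, and the sample policy is constructed for illustration.

```python
# Added illustration of discretionary access control with privilege granting.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    covered_subjects: frozenset   # subjects the organization's policy applies to
    covered_objects: frozenset    # objects the policy applies to
    delegable_rights: frozenset   # rights a holder is allowed to pass on

@dataclass
class DacMonitor:
    policy: Policy
    acl: dict = field(default_factory=dict)    # (subject, object) -> set of rights
    audit: list = field(default_factory=list)  # every grant attempt, with outcome

    def assign(self, owner, obj, rights):  # initial assignment by the object owner
        self.acl.setdefault((owner, obj), set()).update(rights)

    def check(self, subject, obj, right):
        return right in self.acl.get((subject, obj), set())

    def grant(self, grantor, grantee, obj, right):
        """Grantor passes one of its own rights to grantee if the policy allows."""
        pol = self.policy
        if not {grantor, grantee} <= pol.covered_subjects:
            reason = "subject not covered by policy"
        elif obj not in pol.covered_objects:
            reason = "object not covered by policy"
        elif not self.check(grantor, obj, right):
            reason = "grantor does not hold the right"
        elif right not in pol.delegable_rights:
            reason = "policy does not allow delegating this right"
        else:
            reason = "granted"
            self.acl.setdefault((grantee, obj), set()).add(right)
        self.audit.append((grantor, grantee, obj, right, reason))
        return reason == "granted"

def demo():
    pol = Policy(frozenset({"alice", "bob", "carol"}),
                 frozenset({"report.txt"}), frozenset({"read"}))
    m = DacMonitor(pol)
    m.assign("alice", "report.txt", {"read", "write"})
    results = [
        m.grant("alice", "bob", "report.txt", "read"),      # holder, delegable
        m.grant("bob", "carol", "report.txt", "read"),      # re-delegation
        m.grant("alice", "bob", "report.txt", "write"),     # write not delegable
        m.grant("carol", "bob", "report.txt", "write"),     # carol lacks write
        m.grant("alice", "mallory", "report.txt", "read"),  # mallory not covered
    ]
    return results, m
```

The audit list records denied attempts as well as successful grants, so a reviewer can trace how each subject obtained a right.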