Managing data flow in a DAC supporting security system
✍ Scribed by Rudolf Hörmanseder; Johann Murauer; Jörg R. Mühlbacher
- Publisher: Elsevier Science
- Year: 2002
- Tongue: English
- Weight: 196 KB
- Volume: 25
- Category: Article
- ISSN: 1084-8045
✦ Synopsis
The most frequently used operating systems with integrated security features (like Unix, Windows NT) use a security approach that is based on discretionary access control (DAC). DAC does not deal with data-flow, but access rights, which are assigned to subjects or objects. A subject is granted or denied access to an object based on its identity and assigned rights. In this paper, we present a method for finding all allowed data-flow paths within an arbitrary computer network that has a DAC-based security system. Of course, the organisation, from the point of view of the management, determines what is allowed and what is not allowed. So the organisational environment in which the computer network is integrated has to be considered. The DAC-based security system has to fulfil the requirements of the organisation. The computer network is modelled as a graph. Each node represents a resource and may have assigned to it some users together with their access rights for this resource. Each edge represents possible data-flow between the nodes it connects. Network resources as well as users also belong to the organisational model. This model is also described by a graph. It consists of labelled edges describing the hierarchical relationship between the connected nodes. Nodes in this model stand for organisational units. The model of the computer network and the model of proposed data-flow in the organisation can be compared with each other. Such a comparison highlights any inconsistencies between the two models. This allows us to improve the security setup, either by adjusting the configuration until the needs of the organisation are met or by implementing some organisational guidelines to overcome the problems. The proposed method is supported by a security tool named SecSim1 (Security Simulator Version 1). This tool supports the data input for the two models and also performs the comparison. It thus serves as a proof of our proposed concept.
📜 SIMILAR VOLUMES
This paper compares three different data analysis methods in a subfield of the coronary heart disease risk assessment (CHDRA) area, the identification of increased blood cholesterol levels. A data set containing the cholesterol data of 166 persons is employed as a test case, and analyzed in three e
The identification of genes underlying a complex phenotype can be a massive undertaking, and may require a much larger sample size than thought previously. The integration of such large volumes of clinical and laboratory data has become a major challenge. In this paper we describe a network-based da
## Abstract Environmental authorities require quantitative predictions of the nitrogen retention ability of riparian peatlands to aid in the selection of effective water management strategies for restoration. To support this decision‐making process, a matrix model connecting flow paths and nitroge