Based on an analysis of traditional discretionary access control (DAC) and role-based access control (RBAC), a novel unified model is proposed that combines RBAC and DAC, nested within each other. The outer layer of the model is the traditional RBAC management mechanism, and the internal control is a DAC construction based on RBAC2. A formal description and application examples are also given. The new model, which makes up for the shortcomings of the two traditional access control methods, is flexible to authorize, simple to manage, and safe to access.