Mandatory access control
Mandatory access control
(also MAC)
Mandatory access control definition
Mandatory access control is an access control model where access to resources (such as files or network services) is managed by a central authority (such as an administrator or security officer). Based on the organization’s security policies, the central authority determines what attributes the user needs (such as role, location, or operating system) to access a particular resource.
See also: discretionary access control, access control entry, broken access control, network access control
Types of mandatory access control
- Label-based: Each resource is assigned a security label that defines its sensitivity level, which is then compared to the security label of the user or process requesting access. Label-based mandatory access control systems are used in operating systems like SELinux.
- Role-based: Users are assigned specific roles (such as “administrator” or “user”) that determine their level of access to resources. Operating systems like Windows and AIX make use of role-based mandatory access control systems.
- Rule-based: Access to resources is determined by a set of rules set out by the system administrator. Rule-based mandatory access control is often used in MLS systems.
- Attribute-based: Access is based on the attributes of the resource and the user. This allows individual users to access resources beyond the scope of their role without changing the underlying rules. Attribute-based mandatory access control is used in security systems such as XACML and ABACUS.