What is Mandatory Access Control (MAC) based on?

Mandatory Access Control (MAC) operates primarily on the principle of assigning security labels to both subjects (users or processes) and objects (files, directories, etc.). These security labels classify information based on its sensitivity level, such as "confidential," "secret," or "top secret." The access control policies are enforced by the system and can only be modified by a centralized administrator, not by individual users.

In this framework, access rights are contingent upon the labels assigned to both the user and the objects they attempt to access. For example, a user with a "top secret" clearance can access files labeled as "top secret" but may be restricted from accessing "confidential" or "secret" files if their clearance does not allow it. This creates a robust security model that ensures that access is tightly controlled and regulated, enhancing data protection and preventing unauthorized access based on specific classifications.

Other concepts, such as user location, organizational policies, and individual permissions set by administrators, typically do not define the essence of MAC, which is distinctly focused on predetermined classifications and labels rather than user roles or approvals.