Definition

mandatory access control (MAC)

Rahul Awati

By

Rahul Awati

What is mandatory access control (MAC)?

Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system. MAC criteria are defined by the system administrator, strictly enforced by the operating system (OS) or security kernel, and cannot be altered by end users.

MAC is a method or access control policy aimed at restricting access to a resource (also known as an object) based on two key factors: the sensitivity of the information contained in that resource and the authorization level of the user trying to access that resource and its information.

A list of four types of access control. — Mandatory access control is one of four types of access control.

Security teams or admins define whether a resource is sensitive or not by applying a security level, such as "Restricted," "Confidential," "Secret," or "Top Secret," to it and assigning the resource to a security category, such as "Department M" or "Project X." Together, the security level and security category constitute the security label. Admins also assign a security clearance level to each authorized user to determine which resource they can access.

Once the label is applied and the MAC policy is finalized, users can only access those resources (or the information within resources) that they are entitled to access. For example, User A may be entitled to access the information within a resource labeled "Department M Restricted," but User B may not have the same authority. Similarly, User B may be entitled to access the resource labeled "Project X Confidential," but User A may not be authorized to do so.

Why is mandatory access control used?

MAC is an important method of data access control. It is often used to protect information which if compromised or loss may cause damage to the organization. This information may be private, sensitive, confidential or restricted. Examples include the following:

Trade secrets.
Blueprints.
Strategic or merger and acquisition plans.
Intellectual property.
Personally identifiable information.
Financial information and transactions.
Protected health information.
Customer information.

In the wrong hands, these types of information can cause financial or reputational harm to a business or government. That's why it's crucial to protect the information, maintain its confidentiality, integrity and availability -- also known as the CIA triad -- and ensure that only authorized users can access the information. Here's where implementing MAC can be useful.

How is mandatory access control used?

Often employed in government and military facilities, mandatory access control works by assigning a classification label to each file system object. In addition, each user is assigned a security or clearance level. They may access the object or resource only if their security level is equal to or greater than the resource's classification label ("Restricted," "Confidential," etc.).

When a person or device tries to access a specific resource, the OS or security kernel will check the entity's credentials to determine whether access will be granted. While MAC is the most secure access control setting available, it requires careful planning and continuous monitoring to keep all resource objects' and users' classifications up to date.

The administrator plays a key role in setting and enforcing MAC and maintaining its hierarchical model. This person or these persons set all user permissions and controls who can access what. Due to such centralized and tight administration, non-admin users cannot set their own permissions. They also cannot access resources that correspond to a security level that's higher than theirs in the hierarchy.

What are the basic principles of mandatory access control?

MAC is based on several principles that, when followed, help control access to data, protect the data, and maintain its confidentiality. One such principle is that MAC is always centrally managed by an administrator. This person is responsible for setting security clearances for users and security labels for resources.

Another principle is that users can only access the resources for which they have been granted clearance. Next, users cannot make changes to their permissions or clearance levels, even if they own the resource. Finally, no user can grant privileges to other users or change the MAC rules governing access control. They also cannot access or edit someone else's information without explicit permission to do so.

Benefits and drawbacks of mandatory access control

MAC is considered a highly secure way of controlling access to sensitive or confidential resources and the information contained within them. It is particularly useful for preserving the confidentiality of data. Since the administrator controls which user has access to which resource, users also cannot make access changes, which might compromise the security of a resource. These benefits make MAC suitable for protecting sensitive data in government and military settings.

A list of challenges encountered during access control. — All types of access control have their drawbacks.

One disadvantage of MAC is that it can be difficult to manage because the burden of configuring and maintaining all accesses falls on the administrator, particularly as the number of systems and users increases. For the same reason, MAC is not suitable for applications with many users, such as internet-based applications.

Another drawback of MAC is that it can be expensive to implement. Clearing users to access one or more resource types can be time consuming and costly. The cost and effort increase further when different confidentiality levels or security domains must be applied within the same IT system. For these reasons, the method is not often used in budget-constrained corporate environments.

What is the difference between mandatory access control and discretionary access control?

As the highest level of access control, MAC can be contrasted with lower-level discretionary access control (DAC), which lets individual resource owners make their own policies and assign security controls.

Unlike MAC, DAC provides users some control over their data resources. For example, document creators can determine who can access the document and what kind of privileges those users will have. The administrator is not required to control accesses and set privileges.

Another difference is that MAC implementation is based on resource sensitivity levels and permissions are not stored in access control lists (ACLs). In contrast, permissions in DAC are stored in ACLs, which are created and maintained by the administrator.

DAC is somewhat easier to implement since it doesn't require centralized administration. However, it is a less secure method of controlling data access since it doesn't require assigning labels to objects and clearances to users.

Learn more about how identity and access management plays a role in the importance of business frameworks.

This was last updated in November 2023

Next Steps

How do mandatory access control and application sandboxing differ?

Continue Reading About mandatory access control (MAC)

Learn SELinux commands for management and troubleshooting

Top 10 enterprise data security best practices

Want to get cloud IAM right? Master the fundamentals

Data classification: What it is and why you need it

The importance of data security in the enterprise

Dig Deeper on Identity and access management

Search Networking

How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Connectivity kicks in for Sunderland at the Stadium of Light
Sunderland AFC enhances high-demand density connectivity coverage, capacity and performance across stadium involving leading ...
Chinese cyber spooks lure laid-off US government workers
A Washington DC-based think tank has published evidence that Chinese intelligence services have been running a network of digital...
Trump visit bolsters Saudi AI
A new AI datacentre is among the initiatives the White House announced during the president’s Middle East visits

Close