Mandatory access control (MAC)

Mandatory access control is the principle of restricting access to objects based on the sensitivity of the information that the object contains and the authorization of the subject to access information with that level of sensitivity. This type of access control is mandatory in the sense that subjects cannot control or bypass it. The security administrator (the user with the RACF® SPECIAL attribute) defines the sensitivity of each object by means of a security label. This security label indicates the hierarchical level or classification of the information (such as Top Secret, Secret, Sensitive), and indicates to which non-hierarchical category the information belongs within that level (such as Project A, Project B). The security administrator also controls each subject's access to information by specifying which security labels the subject can use. A subject can access information in an object only when the subject's security label entitles the access. If the subject's security label does not have enough authority, the subject cannot access the information in the object. For more information about security labels, see Security labels.
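The label check described above, as an added example (not IBM's or RACF's own code). It assumes the usual dominance rule: a subject's label entitles access when its level is at least the object's level and its categories include all of the object's categories. The label names, user IDs and numeric level ranks are constructed for illustration.

```python
from dataclasses import dataclass

# Level names come from the text; the numeric ranks are assumed for this example.
LEVELS = {"Sensitive": 10, "Secret": 20, "Top Secret": 30}


@dataclass(frozen=True)
class SecurityLabel:
    level: str
    categories: frozenset

    def dominates(self, other):
        # Assumed rule: level at least as high AND a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# Constructed labels, as a security administrator might define them.
LABELS = {
    "TSAB": SecurityLabel("Top Secret", frozenset({"Project A", "Project B"})),
    "SECA": SecurityLabel("Secret", frozenset({"Project A"})),
    "SENSB": SecurityLabel("Sensitive", frozenset({"Project B"})),
}

# Constructed mapping: which labels each subject is permitted to use.
PERMITTED = {"ALICE": {"TSAB", "SECA"}, "BOB": {"SENSB"}}


def can_read(user, session_label, object_label):
    """Return (allowed, reason) for a subject reading a labelled object."""
    if session_label not in PERMITTED.get(user, set()):
        return False, "subject may not use this label"
    if object_label not in LABELS:
        return False, "unknown object label"  # fail closed
    if not LABELS[session_label].dominates(LABELS[object_label]):
        return False, "subject label does not dominate object label"
    return True, "subject label dominates object label"


if __name__ == "__main__":
    for request in [("ALICE", "TSAB", "SENSB"),   # higher level, has Project B
                    ("ALICE", "SECA", "SENSB"),   # higher level, lacks Project B
                    ("BOB", "TSAB", "SECA"),      # label not permitted to BOB
                    ("BOB", "SENSB", "SENSB")]:   # identical label
        print(request, "->", can_read(*request))
```

The second request is the case to note: a Secret label is refused a Sensitive object because the non-hierarchical category does not match, so a higher level alone is not enough authority.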