An access control model where resources are protected by inflexible, system-defined rules and resources and users are allocated a clearance level is called which?

• A. Attribute-Based Access Control (ABAC)
• B. Least Privilege
• C. Rule-Based Access Control
• D. Mandatory Access Control (MAC)

Answer: (D)

Mandatory access control relies on centralized, non-discretionary protection where every resource and user is tagged with a security label or clearance. Access decisions are made by the system by comparing the subject’s clearance with the object’s classification. If the subject’s clearance is equal to or higher than the object’s classification, access is allowed; otherwise, it’s denied. Because the policy is inflexible and defined by the system, it ensures consistent protection and prevents users from bypassing controls or sharing permissions. This model is common in high-security environments, where sensitive information is strictly controlled and access is governed by fixed rules rather than owner discretion.