Identity & Access
Mandatory Access Control (MAC)
Also known as: MAC, Non-discretionary access control
Definition
An access-control model in which a central policy — not the resource owner — enforces access decisions based on classifications and clearances assigned to subjects and objects.
Examples
- SELinux blocking a web server process from reading /etc/shadow even when running as root.
- A classified system preventing a Secret user from writing to an Unclassified directory.
Related terms
Discretionary Access Control (DAC)
An access-control model in which the owner of a resource decides who can access it and what operations they can perform.
Role-Based Access Control (RBAC)
An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
Attribute-Based Access Control (ABAC)
An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request.
Principle of Least Privilege
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function — no more.
Authorization
The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
System Hardening
Reducing the attack surface of a system by removing unnecessary features, tightening configurations, and enforcing secure defaults.