Mandatory access control (MAC) is an approach to system security where an administrator sets access controls and the system enforces them, without allowing users to override security settings. This can be a more aggressive way to control access to a system and may be used in situations where computers contain confidential or potentially compromising data. The system decides which users, processes, and devices should have access to which areas, and enforces this across the board.
A system administrator can use preset mandatory access control guidelines based on user profiles, and can also add measures into the system. This allows administrators to fine-tune access within a system. Once these settings are implemented, only the administrator can override them. The system cannot grant access to an entity without the proper clearance, even if it attempts to override the setting. This covers not just computer users but also any devices and processes connected to the system.
This contrasts with another approach, known as discretionary access control. In this model, users can override security settings; for example, a user could tell a directory to show all hidden files, and it would have to do so. This is less secure, as users get to decide how much access they should have. If they encounter access barriers, they can simply work around them, rather than being repelled from an area where they should not be, as under mandatory access control.
For a high security system, mandatory access control is very important. Such systems rely on controls to maintain the security and confidentiality of information. Government agencies, financial companies, and other organizations that maintain complex and personal data must keep it secure. Sometimes this is mandated under law, and these organizations need to be able to provide proof of access controls and other measures to protect their data when asked to do so by inspectors and auditors.
In other settings, mandatory access control may not be required, but it can be helpful. Administrators can use it to keep users out of locations where they do not need to be, and to prevent issues like inadvertent settings changes made by users who are not knowledgeable about the computer system. In a situation where multiple people use a single computer terminal, mandatory access control can prevent unauthorized activities. It can also limit opportunities to send data to peripheral devices or processes in an attempt to work around security measures.