Mandatory access control (MAC) is an access control model in which a central authority assigns security labels to users and resources, and the system itself enforces who can access what. Users cannot change these permissions, even for files they create.
Mandatory access control (MAC) is one of the main models for deciding who gets to touch what on a system. The big idea: the system, not the user, makes the call. A central authority assigns a security label to every user and every resource (think classifications like Confidential, Secret, or Top Secret), and the operating system enforces the rules automatically. A user can't hand out access to a file just because they happen to own it.
That strictness is the whole point. MAC fits into Unit 4 under authentication and authorization, where the goal is making sure only authorized users reach a system (EK 4.2.C.1). Authentication proves who you are; access control models like MAC decide what you're allowed to do once you're in. Because permissions are locked down by policy and can't be overridden by ordinary users, MAC shows up in high-security environments like military and government systems where leaks are catastrophic. The Bell-LaPadula model is the classic formal version of MAC, built around the rule "no read up, no write down."
MAC lives in Unit 4: Securing Devices, tied to topic 4.2 Authentication. It supports learning objective AP Cybersecurity 4.2.C, where you determine the type of authentication and access used to verify and control a user. Authentication mechanisms (EK 4.2.C.1) confirm identity; access control models like MAC, DAC, and RBAC decide what that verified identity can do next. Knowing the difference between these models is exactly the kind of distinction the exam likes to test, because mixing them up means you'd recommend the wrong security control for a given scenario.
Discretionary access control (DAC) (Unit 4)
DAC is MAC's opposite. In DAC the resource owner decides who gets access (like setting permissions on your own Google Doc), while in MAC a central authority makes that call and users can't change it. Same job, opposite philosophy on who holds the power.
Bell-LaPadula model (Unit 4)
Bell-LaPadula is MAC written out as formal rules. It enforces confidentiality with two properties: "no read up" (the simple security property: a subject may read an object only if the subject's clearance is at or above the object's classification) and "no write down" (the *-property: a subject may write only to objects at or above its own level). Together they mean someone with a low clearance can't read secret files and someone with a high clearance can't copy them down to a lower level. It's MAC's textbook example.
Role-based access control (RBAC) (Unit 4)
RBAC assigns permissions based on a person's job role rather than security labels. It sits between MAC and DAC in strictness, which is why exam scenarios often ask you to pick the right model for the situation.
Authentication factors (Unit 4)
Before any access model applies, you have to prove who you are using one or more factors: something you know, something you have, something you are, or somewhere you are (EK 4.2.C.1). Authentication is the front door; MAC is the rulebook that decides which rooms you can enter once inside.
Expect MAC in multiple-choice stems that describe a scenario and ask you to name the access control model in use. The tell is language about a central authority, security labels or classification levels, and users being unable to change permissions. If the question mentions military or highly classified systems with rigid, system-enforced rules, MAC is usually the answer. You should be able to contrast it instantly with DAC (owner decides) and RBAC (role decides). No released FRQ has used this term verbatim, but understanding access models supports the kind of authorization reasoning that authentication questions reward.
The difference comes down to who controls access. In MAC, a central authority sets the rules and the system enforces them, so users can't share access even to their own files. In DAC, the owner of a resource decides who gets in, like choosing who can view your shared document. If the scenario says the owner grants access, it's DAC; if the system enforces fixed labels nobody can override, it's MAC.
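To make the "who holds the power" distinction concrete, here is an added example (not code from the study page): a small reference monitor that enforces Bell-LaPadula-style mandatory access control, alongside a discretionary monitor, so you can see the same requests decided under each model. The level names are the ones used above; the users (alice, bob), files (plan.doc, memo.txt) and request sequence are constructed for the demo.

```python
"""Added example, not code from the study page: a tiny reference monitor that
enforces Bell-LaPadula-style mandatory access control, beside a discretionary
monitor, to show who holds the power in each model. The level names are the
ones the page uses; the users, files and requests are constructed for the demo."""
from dataclasses import dataclass, field

# Classification lattice, lowest to highest. Under MAC only the central
# authority (here: whoever builds the policy tables) assigns these labels.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(a: str, b: str) -> bool:
    """True if label a is at least as high as label b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class MacMonitor:
    """System-enforced policy: labels are fixed, ownership grants nothing."""
    clearance: dict[str, str]       # subject -> clearance level
    classification: dict[str, str]  # object -> classification level

    def check(self, subject: str, obj: str, op: str) -> bool:
        s, o = self.clearance[subject], self.classification[obj]
        if op == "read":   # simple security property: no read up
            return dominates(s, o)
        if op == "write":  # *-property: no write down (writing up is allowed)
            return dominates(o, s)
        raise ValueError(f"unknown operation {op!r}")

    def grant(self, granter: str, subject: str, obj: str, op: str) -> bool:
        # Users cannot hand out access, even to files they created.
        return False


@dataclass
class DacMonitor:
    """Owner-controlled policy: the owner of an object edits its ACL."""
    owner: dict[str, str]                                   # object -> owner
    acl: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def check(self, subject: str, obj: str, op: str) -> bool:
        return subject == self.owner[obj] or (subject, op) in self.acl.get(obj, set())

    def grant(self, granter: str, subject: str, obj: str, op: str) -> bool:
        if granter != self.owner[obj]:
            return False
        self.acl.setdefault(obj, set()).add((subject, op))
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario: alice (Top Secret) created plan.doc (Secret);
    bob (Confidential) created memo.txt (Confidential)."""
    mac = MacMonitor(
        clearance={"alice": "Top Secret", "bob": "Confidential"},
        classification={"plan.doc": "Secret", "memo.txt": "Confidential"},
    )
    dac = DacMonitor(owner={"plan.doc": "alice", "memo.txt": "bob"})
    results = {
        "mac_alice_reads_plan": mac.check("alice", "plan.doc", "read"),    # read down: ok
        "mac_bob_reads_plan": mac.check("bob", "plan.doc", "read"),        # read up: denied
        "mac_alice_writes_memo": mac.check("alice", "memo.txt", "write"),  # write down: denied
        "mac_bob_writes_plan": mac.check("bob", "plan.doc", "write"),      # write up: allowed
        "mac_owner_grant": mac.grant("alice", "bob", "plan.doc", "read"),  # ownership irrelevant
        "dac_bob_reads_plan_before": dac.check("bob", "plan.doc", "read"),
        "dac_owner_grant": dac.grant("alice", "bob", "plan.doc", "read"),
        "dac_bob_grant_fails": dac.grant("bob", "bob", "plan.doc", "write"),  # not the owner
    }
    results["mac_bob_reads_plan_after"] = mac.check("bob", "plan.doc", "read")
    results["dac_bob_reads_plan_after"] = dac.check("bob", "plan.doc", "read")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY'}")
```

Two things worth noticing when you run it. Under MAC, alice created plan.doc but her grant to bob is rejected and bob's read stays denied; under DAC the same grant succeeds and bob can read. The strict Bell-LaPadula *-property also lets bob write up into a Secret file he cannot read (a "blind write"); many real systems tighten this to "write only at your own level," but the exam form of the rule is the one shown here.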
Mandatory access control (MAC) means a central authority sets access rules and the system enforces them, so ordinary users cannot change permissions.
MAC uses security labels or classification levels (like Confidential, Secret, Top Secret) attached to both users and resources.
The Bell-LaPadula model is the classic formal version of MAC, enforcing confidentiality with 'no read up, no write down.'
MAC is the strictest common access model and shows up in high-security settings like military and government systems.
MAC controls what an authenticated user can do; it works alongside authentication, which proves who the user is (EK 4.2.C.1).
It's an access control model where a central authority assigns security labels to users and resources, and the system enforces who can access what. Users can't override these permissions, even for files they create. It maps to topic 4.2 Authentication in Unit 4.
No. That's the defining feature of MAC. Only the central authority sets and changes access rules, and the system enforces them automatically. If users could grant access themselves, you'd be describing discretionary access control (DAC) instead.
MAC puts a central authority in charge, using fixed security labels users can't override. DAC lets the resource owner decide who gets access, like sharing your own document. MAC is stricter and more centralized; DAC is more flexible but riskier for leaks.
Not exactly. MAC is the general model; Bell-LaPadula is a specific formal version of it focused on confidentiality, built on the rule 'no read up, no write down.' Bell-LaPadula is the textbook example you'd point to when describing MAC.
Use MAC when security and confidentiality must be enforced rigidly by classification level, like in military or government systems. RBAC assigns access by job role, which is more practical for everyday organizations. MAC trades flexibility for tight, system-enforced control.