---
title: "Mandatory Access Control — AP Cybersecurity Definition"
description: "Mandatory access control (MAC) is a system-enforced access model where a central authority sets rules users can't override. Learn it for AP Cybersecurity Unit 4."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Mandatory Access Control — AP Cybersecurity Definition

## Definition

Mandatory access control (MAC) is an access control model in which a central authority assigns security labels to users and resources, and the system itself enforces who can access what. Users cannot change these permissions, even for files they create.

## What It Is

Mandatory access control (MAC) is one of the main models for deciding who gets to touch what on a system. The big idea: the system, not the user, makes the call. A central [authority](/ap-cybersecurity/key-terms/authority "fv-autolink") assigns a security label to every user and every resource (think classifications like *Confidential*, *Secret*, or *Top Secret*), and the [operating system](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink") enforces the rules automatically. A user can't hand out access to a file just because they happen to own it.

That strictness is the whole point. MAC fits into [Unit 4](/ap-cybersecurity/unit-4 "fv-autolink") under authentication and authorization, where the goal is making sure only authorized users reach a system (EK 4.2.C.1). Authentication proves *who you are*; access control models like MAC decide *what you're allowed to do* once you're in. Because permissions are locked down by policy and can't be overridden by ordinary users, MAC shows up in high-security environments like military and government systems where leaks are catastrophic. The Bell-LaPadula model is the classic formal version of MAC, built around the rule "no read up, no write down."

## Why It Matters

MAC lives in Unit 4: Securing Devices, tied to topic 4.2 [Authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink"). It supports learning objective [AP Cybersecurity](/ap-cybersecurity "fv-autolink") 4.2.C, where you determine the type of authentication and access used to verify and control a user. Authentication mechanisms (EK 4.2.C.1) confirm identity; access control models like MAC, DAC, and RBAC decide what that verified identity can do next. Knowing the difference between these models is exactly the kind of distinction the exam likes to test, because mixing them up means you'd recommend the wrong security control for a given scenario.

## Connections

### Discretionary access control (DAC) (Unit 4)

DAC is MAC's opposite. In DAC the resource owner decides who gets access (like setting permissions on your own Google Doc), while in MAC a central authority makes that call and users can't change it. Same job, opposite philosophy on who holds the power.

### [Bell-LaPadula model (Unit 4)](/ap-cybersecurity/key-terms/bell-lapadula-model)

Bell-LaPadula is MAC written out as formal rules. It enforces [confidentiality](/ap-cybersecurity/key-terms/confidentiality "fv-autolink") with "no read up, no write down," so someone with a low clearance can't read secret files and someone with a high clearance can't leak them down to a lower level. It's MAC's textbook example.

### Role-based access control (RBAC) (Unit 4)

[RBAC](/ap-cybersecurity/key-terms/rbac "fv-autolink") assigns permissions based on a person's job role rather than security labels. It sits between MAC and DAC in strictness, which is why exam scenarios often ask you to pick the right model for the situation.

### Authentication factors (Unit 4)

Before any access model applies, you have to prove who you are using factors you know, have, are, or somewhere you are (EK 4.2.C.1). Authentication is the front door; MAC is the rulebook that decides which rooms you can enter once inside.

## On the AP Exam

Expect MAC in multiple-choice stems that describe a scenario and ask you to name the access control model in use. The tell is language about a central authority, security labels or classification levels, and users being unable to change permissions. If the question mentions military or highly classified systems with rigid, system-enforced rules, MAC is usually the answer. You should be able to contrast it instantly with DAC (owner decides) and RBAC (role decides). No released FRQ has used this term verbatim, but understanding access models supports the kind of authorization reasoning that authentication questions reward.

## mandatory access control vs Discretionary access control (DAC)

The difference comes down to who controls access. In MAC, a central authority sets the rules and the system enforces them, so users can't share access even to their own files. In DAC, the owner of a resource decides who gets in, like choosing who can view your shared document. If the scenario says the owner grants access, it's DAC; if the system enforces fixed labels nobody can override, it's MAC.

## Key Takeaways

- Mandatory access control (MAC) means a central authority sets access rules and the system enforces them, so ordinary users cannot change permissions.
- MAC uses security labels or classification levels (like Confidential, Secret, Top Secret) attached to both users and resources.
- The Bell-LaPadula model is the classic formal version of MAC, enforcing confidentiality with 'no read up, no write down.'
- MAC is the strictest common access model and shows up in high-security settings like military and government systems.
- MAC controls what an authenticated user can do; it works alongside authentication, which proves who the user is (EK 4.2.C.1).

## FAQs

### What is mandatory access control in AP Cybersecurity?

It's an [access control model](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 "fv-autolink") where a central authority assigns security labels to users and resources, and the system enforces who can access what. Users can't override these permissions, even for files they create. It maps to topic 4.2 Authentication in Unit 4.

### Can users change permissions under mandatory access control?

No. That's the defining feature of MAC. Only the central authority sets and changes access rules, and the system enforces them automatically. If users could grant access themselves, you'd be describing discretionary access control (DAC) instead.

### How is MAC different from DAC?

MAC puts a central authority in charge, using fixed security labels users can't override. DAC lets the resource owner decide who gets access, like sharing your own document. MAC is stricter and more centralized; DAC is more flexible but riskier for leaks.

### Is mandatory access control the same as the Bell-LaPadula model?

Not exactly. MAC is the general model; Bell-LaPadula is a specific formal version of it focused on confidentiality, built on the rule 'no read up, no write down.' Bell-LaPadula is the textbook example you'd point to when describing MAC.

### When would a system use MAC over RBAC?

Use MAC when security and confidentiality must be enforced rigidly by classification level, like in military or government systems. RBAC assigns access by job role, which is more practical for everyday organizations. MAC trades flexibility for tight, system-enforced control.

## Related Study Guides

- [4.2 Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control#resource","name":"Mandatory Access Control — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:32.060Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control#term","name":"mandatory access control","description":"Mandatory access control (MAC) is an access control model in which a central authority assigns security labels to users and resources, and the system itself enforces who can access what. Users cannot change these permissions, even for files they create.","url":"https://fiveable.me/ap-cybersecurity/key-terms/mandatory-access-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is mandatory access control in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's an [access control model](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 \"fv-autolink\") where a central authority assigns security labels to users and resources, and the system enforces who can access what. Users can't override these permissions, even for files they create. It maps to topic 4.2 Authentication in Unit 4."}},{"@type":"Question","name":"Can users change permissions under mandatory access control?","acceptedAnswer":{"@type":"Answer","text":"No. That's the defining feature of MAC. Only the central authority sets and changes access rules, and the system enforces them automatically. If users could grant access themselves, you'd be describing discretionary access control (DAC) instead."}},{"@type":"Question","name":"How is MAC different from DAC?","acceptedAnswer":{"@type":"Answer","text":"MAC puts a central authority in charge, using fixed security labels users can't override. DAC lets the resource owner decide who gets access, like sharing your own document. MAC is stricter and more centralized; DAC is more flexible but riskier for leaks."}},{"@type":"Question","name":"Is mandatory access control the same as the Bell-LaPadula model?","acceptedAnswer":{"@type":"Answer","text":"Not exactly. MAC is the general model; Bell-LaPadula is a specific formal version of it focused on confidentiality, built on the rule 'no read up, no write down.' Bell-LaPadula is the textbook example you'd point to when describing MAC."}},{"@type":"Question","name":"When would a system use MAC over RBAC?","acceptedAnswer":{"@type":"Answer","text":"Use MAC when security and confidentiality must be enforced rigidly by classification level, like in military or government systems. RBAC assigns access by job role, which is more practical for everyday organizations. MAC trades flexibility for tight, system-enforced control."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"mandatory access control"}]}]}
```
