Privilege: MAC is the acronym for mandatory access control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling. In MAC, subjects (such as users) are each assigned a clearance (such as secret or top secret). Objects (containers for information, such as files) are assigned a sensitivity (classification, similar to clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.
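The layering described above, as an added example that is not part of the original text: a mandatory label comparison that denies by default, with a discretionary ACL consulted only after MAC permits. The level ordering below secret, the user names, file names and ACL contents are constructed assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed ordering; the text names only "secret" and "top secret".
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Constructed sample labels and ACLs (hypothetical users and files).
CLEARANCE = {"alice": Level.TOP_SECRET, "bob": Level.SECRET,
             "carol": Level.CONFIDENTIAL}
SENSITIVITY = {"plan.txt": Level.SECRET, "codes.txt": Level.TOP_SECRET}
ACL = {"plan.txt": {"alice", "carol"}, "codes.txt": {"alice", "bob"},
       "notes.txt": {"bob"}}  # notes.txt has an ACL but no sensitivity label

def mac_permits(subject, obj):
    """Mandatory check: deny unless both labels exist and clearance >= sensitivity."""
    clearance = CLEARANCE.get(subject)
    sensitivity = SENSITIVITY.get(obj)
    if clearance is None or sensitivity is None:
        return False  # missing label: nothing expressly permits the access
    return clearance >= sensitivity

def dac_permits(subject, obj):
    """Discretionary check: the object's ACL must list the subject."""
    return subject in ACL.get(obj, set())

def decide(subject, obj):
    """Return (granted, reason); DAC can only remove access that MAC allowed."""
    if not mac_permits(subject, obj):
        return False, "denied by MAC"
    if not dac_permits(subject, obj):
        return False, "denied by DAC"
    return True, "granted"

if __name__ == "__main__":
    requests = [("alice", "plan.txt"), ("bob", "plan.txt"), ("carol", "plan.txt"),
                ("bob", "codes.txt"), ("bob", "notes.txt"), ("dave", "plan.txt")]
    for subject, obj in requests:
        print(subject, obj, decide(subject, obj))
```

Carol and bob are each listed on an ACL for a file above their clearance, and both are still refused: a discretionary grant cannot override the mandatory comparison.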