What does Mandatory Access Control restrict access based on?

Prepare for the EC-Council CCISO Exam. Master key security concepts with flashcards and multiple choice questions, each with hints and explanations. Elevate your cybersecurity career!

Mandatory Access Control (MAC) restricts access based on the principle of "need to know." This model is designed to protect sensitive information by enforcing a predetermined access control structure that does not change based on user discretion or requests. In MAC, the access rights are assigned by a central authority, and the permissions are determined by the classification of the data and the user's clearance level.

This approach ensures that users only have access to the information necessary for their specific roles or tasks, minimizing the risk of unauthorized disclosure of sensitive data. By establishing strict rules regarding who can access what information, MAC is particularly effective in environments where safeguarding classified or highly sensitive data is critical, such as government agencies or military installations.

In contrast, other options do not align with the foundational principles of MAC. Job performance could lead to a subjective evaluation of access needs; organizational policy pertains to broader operational guidelines that may not strictly enforce access controls; and user requests introduce variability that contradicts the rigid structure characteristic of mandatory access control systems.
