Episode 151: Access Control Models (Part 1) (Domain 4)

Controlling who has access to what—and under which circumstances—is one of the most fundamental challenges in cybersecurity. That challenge is addressed through access control models, which define how permissions are assigned, enforced, and audited across systems. Whether you're securing a single file or an entire enterprise network, choosing the right access control model can have a major impact on your organization’s security posture. In this episode, we begin our two-part look at access control models by focusing on two of the most widely discussed frameworks: Mandatory Access Control, or M A C, and Discretionary Access Control, or D A C.
Let’s begin with Mandatory Access Control. Mandatory Access Control is a highly structured and policy-driven model in which access decisions are determined by a central authority, based on predefined rules and classification levels. In an M A C environment, users cannot change permissions on files or resources—they can only access what the policy allows, based on their assigned clearance and the sensitivity of the resource.
M A C systems rely on labels. Every user is assigned a security clearance, and every object—such as a file or directory—is assigned a classification label. Examples of labels might include public, confidential, secret, or top secret. The access control policy defines which clearances can access which classifications. These rules are enforced by the system and cannot be changed by users or owners of the resources.
Mandatory Access Control is used in environments where data confidentiality and integrity are absolutely critical. This includes military, government, and classified research environments. The model is designed to prevent both unauthorized access and improper information flow between classification levels.
Let’s explore a real-world example. A defense agency uses an M A C model to secure documents related to national security. A user with a secret-level clearance can access documents marked secret or lower—but cannot access top secret materials. Even if the user created the document, they cannot share it with someone who lacks the appropriate clearance. Likewise, they cannot lower the classification of the document or grant exceptions. All access decisions are enforced by the system’s security policy.
Another important characteristic of M A C is that it supports data separation. For example, a project team working on a classified initiative might have access to a specific set of systems and data—but their environment is logically isolated from other teams, even if both are within the same organization. This minimizes the risk of data leakage between compartments.
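The label rules described above can be written as a small decision function. This is an added example, not part of the episode: the user names, file names, the `project-x` compartment, and the `policy-admin` account are all hypothetical, and it models read access only.

```python
from dataclasses import dataclass

LEVELS = ["public", "confidential", "secret", "top secret"]  # low -> high

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Level is at least the other's and every compartment is held."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

class MacPolicy:
    AUTHORITY = "policy-admin"  # hypothetical central authority account

    def __init__(self):
        self.clearance = {}  # user -> Label
        self.objects = {}    # object -> (Label, creator)

    def label(self, actor, name, label, creator=None):
        """Assign or change an object's label; only the authority may."""
        if actor != self.AUTHORITY:
            return False     # creators and owners cannot relabel
        prev_creator = self.objects.get(name, (None, creator))[1]
        self.objects[name] = (label, prev_creator)
        return True

    def can_read(self, user, name):
        label, _creator = self.objects[name]  # creator is ignored on purpose
        return self.clearance[user].dominates(label)

def build_demo():
    """Constructed sample policy: three users, three labelled documents."""
    p = MacPolicy()
    px = frozenset({"project-x"})
    p.clearance = {"alice": Label("secret", px),
                   "bob": Label("confidential"),
                   "carol": Label("top secret")}
    p.label(p.AUTHORITY, "brief.doc", Label("secret", px), creator="alice")
    p.label(p.AUTHORITY, "plan.doc", Label("top secret"), creator="alice")
    p.label(p.AUTHORITY, "memo.doc", Label("confidential"), creator="bob")
    return p
```

In this sketch, carol holds the highest clearance but is still denied `brief.doc` because she lacks the compartment, and alice cannot read `plan.doc` or downgrade `brief.doc` even though she created both.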
Mandatory Access Control is often implemented in conjunction with operating systems that support mandatory policy enforcement—such as Security-Enhanced Linux. These systems use security labels and rules to strictly define which users and processes can interact with which objects. The policies are centrally managed, difficult to override, and designed to withstand insider threats.
However, M A C is not without limitations. The rigidity of the model can make it difficult to manage in dynamic environments. It requires careful classification of data, clear policies, and extensive training. Making changes to access rights typically involves going through administrative channels and updating system-wide policies. That’s why M A C is most effective in high-security, low-change environments—where control and consistency matter more than speed and flexibility.
Now let’s turn to Discretionary Access Control. D A C is a much more flexible and user-centric model. In a D A C environment, the owner of a resource—such as a file or directory—has the authority to determine who can access it and what they can do with it. Permissions are typically granted based on user identities or group memberships.
D A C is used widely in consumer and business operating systems, such as Windows and macOS. When you right-click on a file and assign read or write permissions to another user, you’re applying Discretionary Access Control. The system trusts the owner to manage access appropriately.
The main benefit of D A C is ease of use. It allows individuals to collaborate and share resources without needing administrator intervention. It also supports more granular control, since users can customize permissions at the individual object level. In business environments, D A C makes it easy for teams to manage shared folders, documents, and project spaces.
Let’s look at a practical example. In a corporate file server, a marketing manager creates a folder for an upcoming campaign. Using D A C controls, they grant read and write access to the design and communications teams, and read-only access to executive leadership. They control who can see and modify the files, and they can adjust those permissions at any time without involving the IT department. This flexibility allows for quick collaboration and workflow management.
However, D A C also introduces risk. Because users control access to their own resources, they may grant permissions too broadly, either by mistake or out of convenience. For example, a user might accidentally give full control of a sensitive spreadsheet to everyone in the company. Or they may forget to revoke access after a project ends.
Another concern with D A C is the potential for privilege escalation. If an attacker compromises a user account, they gain all of that user’s permissions—and possibly access to other shared resources the user controls. Since users can change permissions themselves, an attacker may be able to expand access even further, especially if permissions were set loosely in the first place.
To mitigate these risks, organizations that use D A C should combine it with monitoring, auditing, and periodic access reviews. IT teams should educate users on permission hygiene, configure default permission templates, and apply policies to prevent overly permissive access to sensitive systems.
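A periodic access review of owner-granted permissions can be automated along these lines. This is an added example, not part of the episode: the grant records, paths, account names, and the `sensitive` and `project_end` fields are constructed sample data, and a real review would read them from the file server's ACLs and a data inventory.

```python
from datetime import date

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"write", "modify", "full_control"}

# Constructed sample grants: each row is one owner-made ACL entry.
GRANTS = [
    {"path": "/campaign/assets", "owner": "mktg_mgr", "principal": "design_team",
     "rights": {"read", "write"}, "sensitive": False,
     "project_end": date(2025, 9, 30)},
    {"path": "/campaign/assets", "owner": "mktg_mgr", "principal": "exec_leadership",
     "rights": {"read"}, "sensitive": False,
     "project_end": date(2025, 9, 30)},
    {"path": "/finance/salaries.xlsx", "owner": "fin_analyst", "principal": "Everyone",
     "rights": {"full_control"}, "sensitive": True, "project_end": None},
    {"path": "/launch-2024/drafts", "owner": "mktg_mgr", "principal": "contractor_42",
     "rights": {"read", "write"}, "sensitive": False,
     "project_end": date(2024, 12, 31)},
]

def review_grants(grants, today):
    """Return (path, principal, reason) findings for a periodic access review."""
    findings = []
    for g in grants:
        broad = g["principal"] in BROAD_PRINCIPALS
        if broad and g["sensitive"]:
            findings.append((g["path"], g["principal"],
                             "broad grant on sensitive object"))
        if broad and g["rights"] & WRITE_RIGHTS:
            findings.append((g["path"], g["principal"],
                             "broad principal can modify"))
        # Access that was never revoked after the project closed.
        if g["project_end"] and g["project_end"] < today:
            findings.append((g["path"], g["principal"],
                             "access outlives project"))
    return findings

if __name__ == "__main__":
    for finding in review_grants(GRANTS, date(2025, 6, 1)):
        print(finding)
```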
Some environments use D A C in combination with centralized role-based access models. In this hybrid approach, baseline access is assigned based on role, while users retain the ability to fine-tune access to their own resources. This provides a balance between control and flexibility—but it still requires oversight.
To summarize, access control models define how permissions are assigned and enforced. Mandatory Access Control is rigid, centrally enforced, and highly secure—ideal for high-security environments where data classification and access consistency are critical. Discretionary Access Control is more flexible, user-managed, and collaboration-friendly—common in everyday operating systems and business applications. Each model has strengths and trade-offs, and choosing the right one depends on your organization’s security priorities and operational needs.
For the Security Plus exam, expect to answer questions about the differences between M A C and D A C, when each is appropriate, and what risks they help mitigate. You may also see scenario-based questions where you must choose the best access control model for a given organization or security requirement. Review terms like data owner, security label, classification level, privilege escalation, and access rights inheritance—they’re all part of understanding how access is managed across systems.
To continue preparing for the exam, visit us at Bare Metal Cyber dot com. You’ll find previous episodes, downloadable checklists, and a free newsletter to support your study process. And when you’re ready to pass with confidence, visit Cyber Author dot me and get your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success. It’s the most complete and efficient resource for mastering every domain and earning your certification.
