The exam will describe MAC in a scenario without naming it. Three keywords trigger MAC as the answer:
- Government / military / classified — MAC is the access control model for government/military environments. Any scenario involving classified data, security clearances, or government classification labels = MAC.
- Classification labels (Confidential, Secret, Top Secret) — the presence of these specific terms in a scenario = MAC. No other model uses these labels.
- “Users cannot change permissions/labels” — the defining operational characteristic of MAC is that the OS enforces all decisions and users have zero discretion. If the scenario says users are prevented from modifying access controls, the model is MAC.
Common distractors to reject:
- “The administrator assigns users to groups” — this sounds like MAC but is actually RBAC. MAC uses classification label comparison, not group membership.
- “A Top Secret user can read a Secret file” — this IS MAC behavior (clearance level ≥ classification level = access granted).
This is the most commonly exploited confusion on the exam. Both RBAC and rule-based access control are "role" and "rule" based — candidates confuse them constantly. The distinction is simple:
- RBAC (Role-Based) — access determined by who you are (your role/group membership). A Finance employee gets Finance access. A physician gets patient record access. The decision is membership-based.
- Rule-Based — access determined by conditions being met (time, IP address, day of week, device type). The system evaluates rules in an ACL. Access requires the condition to be true, not a particular role.
Exam trigger phrases:
- “Group membership grants access” or “Active Directory security group” → RBAC
- “Access only from IP range X” or “only between hours Y” or “only on weekdays” → Rule-based
- “Firewall ACL” → Rule-based (ACLs are a rule-based mechanism)
They can coexist: A user must be in the Finance RBAC group AND connect from the corporate IP range (rule-based) to access the finance system. Real systems often combine both.
The exam signals ABAC by describing multiple different categories of attributes all being evaluated at the same time. Look for sentences that combine:
- Something about the USER (role, department, clearance) = subject attribute
- Something about the RESOURCE (type, classification, sensitivity) = object attribute
- Something about the CONTEXT (time, network, location, device) = environment attribute
- Something about the OPERATION (read, write, delete, share) = action attribute
Signal phrases:
- “Access changes depending on whether the user is on VPN or home Wi-Fi” → environment attribute = ABAC
- “The system evaluates role, time of day, network, and the specific operation being performed” → multi-category = ABAC
- “Zero-trust architecture” → always ABAC (zero-trust requires context-aware, multi-attribute access decisions)
- “Context-aware” or “next-generation access control” → ABAC
ABAC vs. Rule-based distinction: Rule-based typically evaluates one or two conditions (IP range, time). ABAC evaluates a full policy combining attributes from multiple categories simultaneously. If more than two attribute types are mentioned, lean toward ABAC.
Every DAC weakness question has the same answer structure: security failed because the owner made a poor access decision. Identify DAC weakness scenarios by these patterns:
- “An employee shared the folder with a colleague they trusted” → DAC — the owner chose to share
- “The user granted another department access to their files without IT approval” → DAC — no oversight of owner decisions
- “The file creator set permissions to allow everyone to read” → DAC — owner set overly permissive ACL
- “The employee mistakenly granted access to the wrong person” → DAC — owner error with no safety net
The fix the exam expects: switching from DAC to MAC removes owner discretion entirely. Under MAC, the employee cannot share the file even if they want to — only the admin can change access controls.
Remember: DAC is “discretionary” precisely because access is at the owner's discretion. The entire weakness is that the model depends on discretion being used correctly.