A system of access control that assigns security labels or classifications to system resources and allows access only to entities (people, processes, devices) with distinct levels of authorization or clearance. These controls are enforced by the operating system or security kernel. For example, the operating system will not convert a top secret document to a lower classification without a formal, documented process of declassification. Contrast with discretionary access control and role-based access control.