The authorization of a subjects access to an object depends upon labels, which indicate the subjects clearance, and the classification or sensitivity of the object.

For example, the military classifies documents as unclassified, confidential, secret, and top secret.

Similarly, an individual can receive a clearance of confidential, secret, or top secret and can have access to documents classified at or below his or her specified clearance level. Thus, an individual with a clearance of secret. can have access to secret and confidential documents with a restriction.

This restriction is that the individual must have a need to know relative to the classified documents involved.

Therefore, the documents must be necessary for that individual to complete an assigned task.

Even if the individual is cleared for a classification level of information, unless there is a need to know the individual should not access the information.

Rule-based access control is a type of mandatory access control because rules determine this access (such as the correspondence of clearance labels to classification labels), rather than the identity of the subjects and objects alone.