The authorization of a subject's access to an object depends upon labels, which indicate the subject's clearance and the classification or sensitivity of the object.
For example, the military classifies documents as unclassified, confidential, secret, and top secret.
Similarly, an individual can receive a clearance of confidential, secret, or top secret and can have access to documents classified at or below his or her specified clearance level. Thus, an individual with a clearance of secret can have access to secret and confidential documents, with a restriction.
This restriction is that the individual must have a need to know relative to the classified documents involved.
Therefore, the documents must be necessary for that individual to complete an assigned task.
Even if the individual is cleared for a classification level of information, unless there is a need to know, the individual should not access the information.
Rule-based access control is a type of mandatory access control because rules determine this access (such as the correspondence of clearance labels to classification labels), rather than the identity of the subjects and objects alone.
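The two rules described above (clearance at or above the classification, plus need to know) can be written as a single label check. This is an added example, not part of the original text; representing need to know as a set of project tags, and the names `Subject`, `Document`, `check_access` and the sample data, are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordering follows the military scheme named in the text.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()  # assumed: tags for assigned tasks


@dataclass(frozen=True)
class Document:
    title: str
    classification: Level
    categories: frozenset = frozenset()  # assumed: tags a reader must hold


def check_access(subject, doc):
    """Return (allowed, reason). The decision uses labels only, never identity."""
    if subject.clearance < doc.classification:
        return False, "clearance below classification"
    missing = doc.categories - subject.need_to_know
    if missing:
        return False, "no need to know: " + ", ".join(sorted(missing))
    return True, "clearance sufficient and need to know established"


# Constructed sample data (names and project tags are illustrative only).
analyst = Subject("analyst", Level.SECRET, frozenset({"project-a"}))
docs = [
    Document("a-plan", Level.SECRET, frozenset({"project-a"})),
    Document("a-notes", Level.CONFIDENTIAL, frozenset({"project-a"})),
    Document("b-plan", Level.CONFIDENTIAL, frozenset({"project-b"})),
    Document("a-sources", Level.TOP_SECRET, frozenset({"project-a"})),
]

if __name__ == "__main__":
    for d in docs:
        ok, reason = check_access(analyst, d)
        print(f"{d.title:10} {d.classification.name:12} {'ALLOW' if ok else 'DENY'}  {reason}")
```

The third document is denied even though the analyst's clearance exceeds its classification, which is the need-to-know restriction in action.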