A central authority determines which subjects can have access to certain objects based on the organizational security policy.
The access controls might be based on the individual's role in the organization (role-based) or the subject's responsibilities and duties (task-based). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual's role or title within the organization.
These access controls do not need to be changed whenever a new person takes over that role.
Another type of non-discretionary access control is lattice-based access control, in which a lattice model is applied. In a lattice model, pairs of elements have a least upper bound and a greatest lower bound of values. To apply this concept to access control, the pair of elements is the subject and the object, and the subject has the greatest lower bound and the least upper bound of access rights to an object.
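The lattice bounds described above can be computed directly. The following is an added example, not part of the original text: it assumes labels made of a classification level plus a set of categories, a constructed level ordering, and a read rule (the subject's label must dominate the object's) taken from the standard lattice formulation rather than from this page.

```python
from dataclasses import dataclass

# Constructed level ordering (assumption for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.categories & b.categories)


def access_bounds(subject: Label, obj: Label) -> tuple:
    """Return (greatest lower bound, least upper bound) for the pair."""
    return glb(subject, obj), lub(subject, obj)


def may_read(subject: Label, obj: Label) -> bool:
    # Assumed rule: reading is allowed only when the subject dominates the
    # object, which is exactly the case where the pair's lub is the subject.
    return lub(subject, obj) == subject


# Constructed sample labels.
ANALYST = Label("secret", frozenset({"hr"}))
PAYROLL = Label("confidential", frozenset({"hr", "finance"}))
MEMO = Label("confidential", frozenset({"hr"}))

if __name__ == "__main__":
    for name, obj in (("payroll", PAYROLL), ("memo", MEMO)):
        low, high = access_bounds(ANALYST, obj)
        print(name, "glb:", low, "lub:", high, "read:", may_read(ANALYST, obj))
```

The payroll case shows why level alone is not enough: the analyst's level is higher, but the missing "finance" category pushes the least upper bound above the analyst's own label, so the read is refused.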