Access control decisions cannot be changed by normal users.
- System wide set of enforced rules
- Normal (i.e. non root) users cannot change permissions ([[Control Schema]]) Offers stronger guarantees than [[Discretionary Access Control]] (does not trust normal users).