Mandatory access control (MAC) – With mandatory access control, access is restricted based on the sensitivity of the information and the authorization of the user. These controls cannot be bypassed or altered by anyone other than an authorized security administrator. Security labels (tags) are used to define the sensitivity of each file or data object. The label denotes the level or classification of the information (such as top secret, secret, sensitive, etc.), and indicates to which category within that level (such as Project A or Project B) the information belongs. Security administrators also assign security labels to users, who can only access or enter data that is labeled at the same or at a lower level.

Discretionary access control (DAC) – In addition to mandatory controls, MLS systems allow for some degree of discretionary access control. This is accomplished through the use of access control lists that identify the users that can access a given resource and their level of authority (e.g. read, update, delete) with regard to that resource. Both the resource owner and the security administrator can determine who can access the resource and with what authority.

Auditing – Audit records associate security-related events (such as file access) with the user that caused the event. The audit record uses the security label to show when the data was accessed, the level of authority that was required and the actions that were taken.

Identification and authentication – Each MLS system user is assigned an identity that corresponds to that user’s security label. Typically, user identities are verified through the Logon and Logoff commands and are used to maintain the audit trail.

Hardcopy labeling – In an MLS environment, the system prints a security notation indicating the security level on each page of hardcopy output. It also creates corresponding electronic labels for the data file.

Name-hiding – The names of files, data sets and directories are only displayed to users with access authority. Users without a "need-to-know" will not see the file or object listed or displayed.

Write-down prevention – To prevent users from declassifying data, an MLS system prohibits users from writing new data at a lower level of classification than their own label designation. In other words, a user with a top-secret classification can only create new data with a top-secret label. The user cannot ‘write down’ the data by labeling it secret or sensitive, in order to grant access to users with less than a top-secret designation.

Row-level security – Relational database users can be restricted to a specific set of rows by assigning each row a security label. Users with lower designations can still perform queries against the database, but the query results will not include any data from rows classified above that users’ security designation. This permits databases to be shared by users with various levels of security clearance without limiting the database to less sensitive data or compromising any highly sensitive data that it may contain.

Federated queries – Users can issue queries across multiple databases and then store the combined results in an MLS database, which assigns them the appropriate security designation. Other users with varying levels of security classifications can query the MLS database and access data cleared for their level of clearance.

Bit-map checks – All resources and devices within an MLS environment receive a security label. Bit-map checks are performed against requests to use the device. For example, if a print request by an authorized user is made to print a top secret document on a particular printer, a bit map check will compare the device’s clearance level with the document’s. If they match, permission will be granted; if not, it will be denied.