For a discretionary access control to be effective, it must:
A.
operate within the context of mandatory access controls.
B.
operate independently of mandatory access controls.
C.
enable users to override mandatory access controls when necessary.
D.
be specifically permitted by the security policy.
Explanation:
Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. When systems enforce mandatory access control policies, they must distinguish between these and the mandatory access policies that offer more flexibility. Discretionary controls do not override access controls and they do not have to be permitted in the security policy to be effective.