Which one of the following access control models associates every resource and every user of a resource with one of an ordered set of classes?
What scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples?