We're evaluating Alfresco ECM for an environment with strict security requirements. I understand Alfresco uses role-based access control (RBAC), but does it support Mandatory Access Control (MAC) natively? If not, what approaches are typically used to implement MAC-like security, and are there any limitations or best practices to consider?