nerdexam
(ISC)2

CAP · Question #399

Which of the following statements about role-based access control (RBAC) model is true?

The correct answer is B. In this model, a user can access resources according to his role in the organization.. Role-Based Access Control (RBAC) grants users permissions based on their assigned organizational role rather than on individual account-level settings.

Implementation of Security and Privacy Controls

Question

Which of the following statements about role-based access control (RBAC) model is true?

Options

  • AIn this model, the permissions are uniquely assigned to each user account.
  • BIn this model, a user can access resources according to his role in the organization.
  • CIn this model, the same permission is assigned to each user account.
  • DIn this model, the users canaccess resources according to their seniority.

How the community answered

(26 responses)
  • A
    4% (1)
  • B
    92% (24)
  • D
    4% (1)

Why each option

Role-Based Access Control (RBAC) grants users permissions based on their assigned organizational role rather than on individual account-level settings.

AIn this model, the permissions are uniquely assigned to each user account.

Uniquely assigning permissions to each individual user account describes Discretionary Access Control (DAC), not RBAC, because RBAC attaches permissions to roles rather than to individual accounts.

BIn this model, a user can access resources according to his role in the organization.Correct

In RBAC, permissions are assigned to roles that reflect job functions, and users gain access rights by being assigned to the appropriate role. This approach enforces least privilege based on organizational responsibilities, simplifies access administration, and ensures consistent policy enforcement across users with the same function.

CIn this model, the same permission is assigned to each user account.

Assigning the same permission to every user account describes an undifferentiated access model with no meaningful access control, which is neither RBAC nor a recognized secure access model.

DIn this model, the users canaccess resources according to their seniority.

Granting access based on seniority or rank is not a standard access control model; RBAC is based on job function and role assignment, not on hierarchical organizational tenure.

Concept tested: Role-Based Access Control (RBAC) model definition

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#Role-Based Access Control (RBAC)#Access Control Models#Permissions#Roles

Community Discussion

No community discussion yet for this question.

Full CAP Practice