CAS-002 Question #679: Real Exam Question with Answer & Explanation
The correct answer is A: Authorization of Role.
Question
Options
- A. Authorization of Role
- B. Assignment of Roles
- C. Assignment of Permission
- D. Authorization of Permission
Explanation
Role-based access control (or role-based security) is an approach to restricting system access to authorized users within an organization. In role-based access control, roles are created for various job functions. To perform certain operations, permissions are assigned to specific roles rather than to individuals. Since users are not assigned permissions directly, managing individual user rights becomes a matter of simply assigning the appropriate roles to the user.

There are three primary rules defined for RBAC:

- Assignment of Roles: A subject can exercise a permission only if the subject has selected or been assigned a role.
- Authorization of Role: A subject's active role must be authorized for the subject. Together with rule 1, this rule ensures that users can take on only roles for which they are authorized.
- Authorization of Permission: A subject can exercise a permission only if the permission is authorized for the subject's active role. Together with rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

According to the requirements of an organization, additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned

Answer option C is incorrect. In role-based access control, no permission is assigned to a user directly. Instead, permissions are assigned to a role, and that role is assigned to the user.