nerdexam
(ISC)2

CISSP-ISSAP · Question #113

An organization has implemented a hierarchical-based concept of privilege management in which administrators have full access, HR managers have less permission than the administrators, and data entry

The correct answer is A. Role-based access control (RBAC). Role-Based Access Control (RBAC) assigns permissions based on a user's organizational role - exactly what the scenario describes, where administrators, HR managers, and data entry operators each inherit a distinct permission tier tied to their job function, not their individual i

Identity and Access Management (IAM) Architecture

Question

An organization has implemented a hierarchical-based concept of privilege management in which administrators have full access, HR managers have less permission than the administrators, and data entry operators have no access to resources. Which of the following access control models is implemented in the organization?

Options

  • ARole-based access control (RBAC)
  • BNetwork-based access control (NBAC)
  • CMandatory Access Control (MAC)
  • DDiscretionary access control (DAC)

How the community answered

(16 responses)
  • A
    88% (14)
  • C
    6% (1)
  • D
    6% (1)

Explanation

Role-Based Access Control (RBAC) assigns permissions based on a user's organizational role - exactly what the scenario describes, where administrators, HR managers, and data entry operators each inherit a distinct permission tier tied to their job function, not their individual identity. NBAC (B) is a fabricated term not recognized as a standard access control model, making it an obvious distractor. MAC (C) is wrong because it uses system-enforced security labels (like Top Secret/Confidential) rather than job roles, and users cannot alter permissions - common in government/military systems, not HR hierarchies. DAC (D) is wrong because it allows resource owners to grant permissions at their own discretion, meaning there's no centralized, role-driven enforcement.

Memory tip: Think "RBAC = Roles on an org chart." If you can draw the access structure as a company hierarchy with job titles, it's RBAC.

Topics

#RBAC#Access Control Models#Privilege Management#Role Hierarchy

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice