nerdexam
(ISC)2

CISSP-ISSAP · Question #22

In which of the following access control models can a user not grant permissions to other users to see a copy of an object marked as secret that he has received, unless they have the appropriate permi

The correct answer is C. Mandatory Access Control (MAC). Mandatory Access Control (MAC) enforces access based on system-defined security labels (e.g., "Secret") and user clearance levels - the system itself decides who can access what, and individual users have no authority to grant permissions to others, regardless of their own access

Identity and Access Management (IAM) Architecture

Question

In which of the following access control models can a user not grant permissions to other users to see a copy of an object marked as secret that he has received, unless they have the appropriate permissions?

Options

  • ADiscretionary Access Control (DAC)
  • BRole Based Access Control (RBAC)
  • CMandatory Access Control (MAC)
  • DAccess Control List (ACL)

How the community answered

(21 responses)
  • A
    5% (1)
  • B
    14% (3)
  • C
    76% (16)
  • D
    5% (1)

Explanation

Mandatory Access Control (MAC) enforces access based on system-defined security labels (e.g., "Secret") and user clearance levels - the system itself decides who can access what, and individual users have no authority to grant permissions to others, regardless of their own access. DAC (A) is wrong because it explicitly allows resource owners to share access at their discretion - the opposite of what the question describes. RBAC (B) controls access through roles assigned by administrators, but the question is about peer-to-peer permission delegation, which RBAC doesn't address this way. ACL (D) is a mechanism for implementing access control, not a model in itself, and ACLs can often be modified by owners to extend access.

Memory tip: Think of MAC = Military/Mandatory - in classified environments, you can't just hand your secret document to a coworker; the system enforces clearance levels, not the user.

Topics

#Mandatory Access Control (MAC)#Access Control Models#Permission Delegation#Security Labels

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice