CISSP-ISSAP · Question #22
In which of the following access control models can a user not grant permissions to other users to see a copy of an object marked as secret that he has received, unless they have the appropriate permi
The correct answer is C. Mandatory Access Control (MAC). Mandatory Access Control (MAC) enforces access based on system-defined security labels (e.g., "Secret") and user clearance levels - the system itself decides who can access what, and individual users have no authority to grant permissions to others, regardless of their own access
Question
In which of the following access control models can a user not grant permissions to other users to see a copy of an object marked as secret that he has received, unless they have the appropriate permissions?
Options
- ADiscretionary Access Control (DAC)
- BRole Based Access Control (RBAC)
- CMandatory Access Control (MAC)
- DAccess Control List (ACL)
How the community answered
(21 responses)- A5% (1)
- B14% (3)
- C76% (16)
- D5% (1)
Explanation
Mandatory Access Control (MAC) enforces access based on system-defined security labels (e.g., "Secret") and user clearance levels - the system itself decides who can access what, and individual users have no authority to grant permissions to others, regardless of their own access. DAC (A) is wrong because it explicitly allows resource owners to share access at their discretion - the opposite of what the question describes. RBAC (B) controls access through roles assigned by administrators, but the question is about peer-to-peer permission delegation, which RBAC doesn't address this way. ACL (D) is a mechanism for implementing access control, not a model in itself, and ACLs can often be modified by owners to extend access.
Memory tip: Think of MAC = Military/Mandatory - in classified environments, you can't just hand your secret document to a coworker; the system enforces clearance levels, not the user.
Topics
Community Discussion
No community discussion yet for this question.