nerdexam
(ISC)2

CISSP · Question #150

Refer to the information below to answer the question. A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classific

The correct answer is C. Role Based Access Control (RBAC). The scenario describes application access granted based on job classification, which is the defining characteristic of Role Based Access Control (RBAC). RBAC assigns permissions to roles (job functions) rather than to individual users.

Submitted by devops_kid· Mar 5, 2026Identity and Access Management

Question

Refer to the information below to answer the question. A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes. Which of the following BEST describes the access control methodology used?

Options

  • ALeast privilege
  • BLattice Based Access Control (LBAC)
  • CRole Based Access Control (RBAC)
  • DLightweight Directory Access Control (LDAP)

How the community answered

(46 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    83% (38)
  • D
    11% (5)

Why each option

The scenario describes application access granted based on job classification, which is the defining characteristic of Role Based Access Control (RBAC). RBAC assigns permissions to roles (job functions) rather than to individual users.

ALeast privilege

Least privilege is a security principle that limits user access to only what is necessary for their job, but it is not itself an access control methodology or model that defines how access decisions are structured.

BLattice Based Access Control (LBAC)

Lattice Based Access Control (LBAC) is a model that uses a lattice structure of sensitivity labels and clearance levels to govern access, typically associated with mandatory access control (MAC) environments, not job-classification-based role assignments.

CRole Based Access Control (RBAC)Correct

Role Based Access Control (RBAC) grants access to resources based on a user's role or job classification within the organization, which directly matches the scenario's statement that 'application access is based on job classification.' In RBAC, administrators define roles aligned to job functions and assign permissions to those roles, so users inherit access rights through their assigned role rather than receiving individual permissions.

DLightweight Directory Access Control (LDAP)

LDAP (Lightweight Directory Access Protocol) is a network protocol used to query and modify directory services such as Active Directory, not an access control methodology or model that defines how permissions are assigned.

Concept tested: Role Based Access Control (RBAC) model identification

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#RBAC#access control models#job classification#permissions

Community Discussion

No community discussion yet for this question.

Full CISSP Practice