nerdexam
(ISC)2

CISSP · Question #224

A security professional is asked to provide a solution that restricts a bank teller to only perform a savings deposit transaction but allows a supervisor to perform corrections after the transaction.

The correct answer is C. Access is based on user's role.. This question tests knowledge of access control models, specifically which model best supports job-function-based permissions for different user types in an organization.

Submitted by ahmad_uae· Mar 5, 2026Identity and Access Management

Question

A security professional is asked to provide a solution that restricts a bank teller to only perform a savings deposit transaction but allows a supervisor to perform corrections after the transaction. Which of the following is the MOST effective solution?

Options

  • AAccess is based on rules.
  • BAccess is determined by the system.
  • CAccess is based on user's role.
  • DAccess is based on data sensitivity.

How the community answered

(32 responses)
  • A
    13% (4)
  • B
    3% (1)
  • C
    81% (26)
  • D
    3% (1)

Why each option

This question tests knowledge of access control models, specifically which model best supports job-function-based permissions for different user types in an organization.

AAccess is based on rules.

Rule-based access control applies access decisions based on predefined system rules (such as time-of-day or IP restrictions), not on a user's organizational job function or title.

BAccess is determined by the system.

Mandatory Access Control (MAC), where access is determined by the system using labels and classifications, is typically used in government/military contexts and does not align permissions to job roles like teller or supervisor.

CAccess is based on user's role.Correct

Role-Based Access Control (RBAC) assigns permissions based on a user's job role rather than individual identity. In this scenario, the 'bank teller' role is granted only deposit transaction rights, while the 'supervisor' role is granted additional correction privileges - perfectly matching RBAC's design principle of aligning access rights to organizational functions.

DAccess is based on data sensitivity.

Attribute-Based or sensitivity-based access control restricts access according to the classification level of data (e.g., confidential, public), not according to what transactional actions a specific job role is permitted to perform.

Concept tested: Role-Based Access Control (RBAC) model selection

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#Role-Based Access Control (RBAC)#access control models#authorization

Community Discussion

No community discussion yet for this question.

Full CISSP Practice