CISSP · Question #224
A security professional is asked to provide a solution that restricts a bank teller to only perform a savings deposit transaction but allows a supervisor to perform corrections after the transaction.
The correct answer is C. Access is based on user's role.. This question tests knowledge of access control models, specifically which model best supports job-function-based permissions for different user types in an organization.
Question
Options
- AAccess is based on rules.
- BAccess is determined by the system.
- CAccess is based on user's role.
- DAccess is based on data sensitivity.
How the community answered
(32 responses)- A13% (4)
- B3% (1)
- C81% (26)
- D3% (1)
Why each option
This question tests knowledge of access control models, specifically which model best supports job-function-based permissions for different user types in an organization.
Rule-based access control applies access decisions based on predefined system rules (such as time-of-day or IP restrictions), not on a user's organizational job function or title.
Mandatory Access Control (MAC), where access is determined by the system using labels and classifications, is typically used in government/military contexts and does not align permissions to job roles like teller or supervisor.
Role-Based Access Control (RBAC) assigns permissions based on a user's job role rather than individual identity. In this scenario, the 'bank teller' role is granted only deposit transaction rights, while the 'supervisor' role is granted additional correction privileges - perfectly matching RBAC's design principle of aligning access rights to organizational functions.
Attribute-Based or sensitivity-based access control restricts access according to the classification level of data (e.g., confidential, public), not according to what transactional actions a specific job role is permitted to perform.
Concept tested: Role-Based Access Control (RBAC) model selection
Source: https://csrc.nist.gov/projects/role-based-access-control
Topics
Community Discussion
No community discussion yet for this question.