CISSP · Question #319
The core component of Role Based Access Control (RBAC) must be constructed of defined data elements. Which elements are required?
The correct answer is C. Users, roles, operations, and protected objects. RBAC is built on four core data elements: users (subjects), roles (collections of permissions), operations (actions), and protected objects (resources). These elements together define who can do what to which resources through role assignments.
Question
Options
- AUsers, permissions, operations, and protected objects
- BRoles, accounts, permissions, and protected objects
- CUsers, roles, operations, and protected objects
- DRoles, operations, accounts, and protected objects
How the community answered
(22 responses)- A5% (1)
- C86% (19)
- D9% (2)
Why each option
RBAC is built on four core data elements: users (subjects), roles (collections of permissions), operations (actions), and protected objects (resources). These elements together define who can do what to which resources through role assignments.
Permissions are a derived concept in RBAC (the combination of operations and objects), not a core independent element alongside operations and protected objects; replacing 'roles' with 'permissions' also removes the fundamental grouping mechanism that defines RBAC.
'Accounts' is not a standard RBAC core element - the correct term is 'users' (or subjects); additionally, substituting 'roles' for 'operations' removes the action component necessary to define what access is being controlled.
The canonical RBAC model as defined by NIST requires users (the human or system principals), roles (named collections of job functions), operations (the specific actions that can be performed), and protected objects (the resources being accessed). Users are assigned to roles, and roles are granted the ability to perform operations on protected objects, forming the complete access control chain.
'Accounts' is not a defined core element of the NIST RBAC model - 'users' is the correct term - and while roles and operations are present, replacing 'users' with 'accounts' makes this technically incorrect per the formal RBAC definition.
Concept tested: Core data elements of the RBAC model
Source: https://csrc.nist.gov/projects/role-based-access-control
Topics
Community Discussion
No community discussion yet for this question.