nerdexam
(ISC)2

CISSP · Question #319

The core component of Role Based Access Control (RBAC) must be constructed of defined data elements. Which elements are required?

The correct answer is C. Users, roles, operations, and protected objects. RBAC is built on four core data elements: users (subjects), roles (collections of permissions), operations (actions), and protected objects (resources). These elements together define who can do what to which resources through role assignments.

Submitted by devops_kid· Mar 5, 2026Identity and Access Management

Question

The core component of Role Based Access Control (RBAC) must be constructed of defined data elements. Which elements are required?

Options

  • AUsers, permissions, operations, and protected objects
  • BRoles, accounts, permissions, and protected objects
  • CUsers, roles, operations, and protected objects
  • DRoles, operations, accounts, and protected objects

How the community answered

(22 responses)
  • A
    5% (1)
  • C
    86% (19)
  • D
    9% (2)

Why each option

RBAC is built on four core data elements: users (subjects), roles (collections of permissions), operations (actions), and protected objects (resources). These elements together define who can do what to which resources through role assignments.

AUsers, permissions, operations, and protected objects

Permissions are a derived concept in RBAC (the combination of operations and objects), not a core independent element alongside operations and protected objects; replacing 'roles' with 'permissions' also removes the fundamental grouping mechanism that defines RBAC.

BRoles, accounts, permissions, and protected objects

'Accounts' is not a standard RBAC core element - the correct term is 'users' (or subjects); additionally, substituting 'roles' for 'operations' removes the action component necessary to define what access is being controlled.

CUsers, roles, operations, and protected objectsCorrect

The canonical RBAC model as defined by NIST requires users (the human or system principals), roles (named collections of job functions), operations (the specific actions that can be performed), and protected objects (the resources being accessed). Users are assigned to roles, and roles are granted the ability to perform operations on protected objects, forming the complete access control chain.

DRoles, operations, accounts, and protected objects

'Accounts' is not a defined core element of the NIST RBAC model - 'users' is the correct term - and while roles and operations are present, replacing 'users' with 'accounts' makes this technically incorrect per the formal RBAC definition.

Concept tested: Core data elements of the RBAC model

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#RBAC#access control models#authorization#users and roles

Community Discussion

No community discussion yet for this question.

Full CISSP Practice