nerdexam
(ISC)2

CISSP · Question #583

Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?

The correct answer is C. Role mining to define common access patterns is performed.. In RBAC implementation, the planning phase is most critical because role mining-the process of analyzing existing access patterns to define roles-forms the entire structural foundation of the RBAC model.

Submitted by takeshi77· Mar 5, 2026Identity and Access Management (IAM)

Question

Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?

Options

  • AThe criteria for measuring risk is defined.
  • BUser populations to be assigned to each role is determined.
  • CRole mining to define common access patterns is performed.
  • DThe foundational criteria are defined.

How the community answered

(22 responses)
  • B
    5% (1)
  • C
    91% (20)
  • D
    5% (1)

Why each option

In RBAC implementation, the planning phase is most critical because role mining-the process of analyzing existing access patterns to define roles-forms the entire structural foundation of the RBAC model.

AThe criteria for measuring risk is defined.

Defining risk measurement criteria is a risk management activity, not a core component of RBAC planning, which focuses on defining roles and access assignments rather than risk metrics.

BUser populations to be assigned to each role is determined.

Assigning user populations to roles is an implementation/execution activity that occurs after roles have already been defined through role mining in the planning phase.

CRole mining to define common access patterns is performed.Correct

Role mining is the analytical process performed during planning where existing user access patterns, entitlements, and job functions are examined to identify and define meaningful roles. Without properly mined roles that reflect real access needs, the entire RBAC structure will be flawed, leading to either over-provisioning or under-provisioning of access. This makes planning the most critical phase because errors here propagate through every subsequent phase of implementation.

DThe foundational criteria are defined.

While foundational criteria are indeed defined during planning, this answer is too vague and does not identify the specific, technically critical activity (role mining) that makes planning the most important phase of RBAC implementation.

Concept tested: RBAC implementation planning and role mining process

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#RBAC implementation#Access control planning#Role mining

Community Discussion

No community discussion yet for this question.

Full CISSP Practice