nerdexam
(ISC)2

CISSP · Question #725

An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type

The correct answer is A. Role-based access control (RBAC). Role-based access control (RBAC) is the best mechanism for simplifying permission assignment for users with similar job responsibilities by grouping permissions into roles rather than assigning them individually.

Submitted by wei.xz· Mar 5, 2026Identity and Access Management

Question

An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement?

Options

  • ARole-based access control (RBAC)
  • BDiscretionary access control (DAC)
  • CContent-dependent Access Control
  • DRule-based Access Control

How the community answered

(38 responses)
  • A
    92% (35)
  • B
    5% (2)
  • D
    3% (1)

Why each option

Role-based access control (RBAC) is the best mechanism for simplifying permission assignment for users with similar job responsibilities by grouping permissions into roles rather than assigning them individually.

ARole-based access control (RBAC)Correct

RBAC assigns permissions to roles (e.g., 'Manager', 'Analyst') rather than to individual users, so administrators simply assign users to appropriate roles based on their job function. This significantly reduces administrative overhead when many users share similar responsibilities, as changing a role's permissions automatically updates access for all members of that role.

BDiscretionary access control (DAC)

Discretionary Access Control (DAC) allows resource owners to individually grant or restrict access to their own resources, which does not simplify bulk permission assignment for groups of users with similar roles.

CContent-dependent Access Control

Content-dependent Access Control makes authorization decisions based on the actual content or data being accessed (e.g., a database field value), not on user job responsibilities, making it unsuitable for simplifying user permission assignments.

DRule-based Access Control

Rule-based Access Control applies access decisions based on predefined system-wide rules or conditions (e.g., time of day, IP address), rather than grouping users by job function, so it does not simplify managing permissions for users with similar responsibilities.

Concept tested: Role-based access control for grouped user permissions

Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Topics

#role-based access control (RBAC)#authorization#access control models

Community Discussion

No community discussion yet for this question.

Full CISSP Practice