nerdexam
(ISC)2

CISSP · Question #921

The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover. Which access control mechanism would be preferre

The correct answer is D. Role-Based Access Control (RBAC). In environments with high employee turnover, Role-Based Access Control (RBAC) is preferred because permissions are assigned to roles rather than individuals, simplifying access management when staff frequently change.

Submitted by the_admin· Mar 5, 2026Identity and Access Management (IAM)

Question

The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover. Which access control mechanism would be preferred?

Options

  • AAttribute Based Access Control (ABAC)
  • BDiscretionary Access Control (DAC)
  • CMandatory Access Control (MAC)
  • DRole-Based Access Control (RBAC)

How the community answered

(25 responses)
  • A
    8% (2)
  • B
    16% (4)
  • C
    4% (1)
  • D
    72% (18)

Why each option

In environments with high employee turnover, Role-Based Access Control (RBAC) is preferred because permissions are assigned to roles rather than individuals, simplifying access management when staff frequently change.

AAttribute Based Access Control (ABAC)

ABAC grants access based on multiple attributes (user, resource, environment) evaluated dynamically, which adds administrative complexity that is counterproductive in a high-turnover environment where rapid, straightforward onboarding and offboarding is needed.

BDiscretionary Access Control (DAC)

DAC allows resource owners to set permissions on an individual, discretionary basis, which is difficult to manage consistently at scale and becomes a security liability in high-turnover environments where access assignments may not be promptly revoked.

CMandatory Access Control (MAC)

MAC enforces access based on system-defined sensitivity labels and clearance levels assigned by a central authority, making it rigid and complex to administer-it is typically used in government or military environments where strict data classification is paramount, not in dynamic IT workplaces with high turnover.

DRole-Based Access Control (RBAC)Correct

RBAC assigns permissions to predefined roles (e.g., 'Help Desk Technician' or 'Network Admin') rather than to individual users, so when an employee leaves or joins, administrators simply assign or revoke a role rather than reconfiguring individual permissions. This dramatically reduces administrative overhead in high-turnover environments, minimizing the risk of orphaned accounts or excessive privileges lingering after an employee departs.

Concept tested: Access control model selection for dynamic workforce environments

Source: https://csrc.nist.gov/projects/role-based-access-control

Topics

#Role-Based Access Control (RBAC)#access control models#employee turnover

Community Discussion

No community discussion yet for this question.

Full CISSP Practice