
CV0-003 Question #598: Real Exam Question with Answer & Explanation

The correct answer is D: Role-based. The sales group is incorrectly nested inside the finance group within the RBAC configuration, causing sales users to inherit finance role permissions and gain unauthorized access to the financial application.

Security

Question

A cloud administrator is reviewing the authentication and authorization mechanism implemented within the cloud environment. Upon review, the administrator discovers the sales group is part of the finance group, and the sales team members can access the financial application. Single sign-on is also implemented, which makes access much easier. Which of the following access control rules should be changed?

Options

  • A. Discretionary-based
  • B. Attribute-based
  • C. Mandatory-based
  • D. Role-based

Explanation

The sales group is nested inside the finance group in the RBAC configuration, so sales users transitively inherit the finance role's permissions and gain unauthorized access to the financial application. The role-based rule is the one to change: remove the nesting (or the role assignment the nested group inherits through) so that each group holds only the permissions its job function needs. Single sign-on is a distractor here; it is an authentication convenience that carries a user's existing authorization with it, so it neither creates the excess access nor would changing it remove it.

Common mistakes.

  • A. Discretionary access control (DAC) delegates access decisions to individual resource owners rather than to centrally defined roles, which does not match the group-based inheritance model described in the scenario.
  • B. Attribute-based access control (ABAC) makes access decisions by evaluating attributes such as department, time of day, or location against policies; the issue here is static group nesting within a role structure, not attribute policy logic.
  • C. Mandatory access control (MAC) enforces access through system-assigned security labels and clearance levels, a model used primarily in classified government or military environments and not applicable to a commercial cloud role/group scenario.

Concept tested. RBAC group nesting and least-privilege misconfiguration
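To make the inheritance concrete, the following is an added example (not part of the exam page or of any vendor's tooling) that resolves a user's effective permissions through nested groups, the way a directory that honors nested membership would, and then flags the nesting that lets one group reach an application outside its scope. All user, group, role and application names are constructed for illustration.

```python
"""Added example: effective-permission resolution through nested groups, and a
check that flags the misconfiguration described in the question.

All directory data below is constructed for illustration only."""
from collections import deque

# Constructed directory: group -> members, where a member is a user or another
# group. "sales" nested inside "finance" is the misconfiguration.
MISCONFIGURED_GROUPS = {
    "finance": {"alice", "bob", "sales"},
    "sales": {"carol", "dave"},
}

# Corrected directory: the nesting is removed, nothing else changes.
FIXED_GROUPS = {
    "finance": {"alice", "bob"},
    "sales": {"carol", "dave"},
}

# Role assignments: group -> set of (application, permission) it is granted.
ROLE_ASSIGNMENTS = {
    "finance": {("financial-app", "read"), ("financial-app", "write")},
    "sales": {("crm", "read"), ("crm", "write")},
}

# Least-privilege intent: which applications each group is allowed to reach.
ALLOWED_SCOPE = {
    "finance": {"financial-app"},
    "sales": {"crm"},
}


def expand_groups(groups, user):
    """Return every group the user belongs to, directly or via nesting.

    Walks upward from the user's direct groups to any group that contains
    them as a member; the visited set makes the walk safe under cycles."""
    visited = set()
    queue = deque(g for g, members in groups.items() if user in members)
    while queue:
        g = queue.popleft()
        if g in visited:
            continue
        visited.add(g)
        queue.extend(parent for parent, members in groups.items() if g in members)
    return visited


def effective_permissions(groups, assignments, user):
    """Union of the role assignments of every group the user resolves to."""
    perms = set()
    for g in expand_groups(groups, user):
        perms |= assignments.get(g, set())
    return perms


def find_nesting_violations(groups, assignments, allowed_scope):
    """Flag nested memberships through which a child group inherits access to
    an application outside its allowed scope. Returns (child, parent, apps)."""
    violations = []
    for parent, members in groups.items():
        inherited_apps = {app for app, _ in assignments.get(parent, set())}
        for member in sorted(members):
            if member not in groups:  # a user, not a nested group
                continue
            disallowed = inherited_apps - allowed_scope.get(member, set())
            if disallowed:
                violations.append((member, parent, sorted(disallowed)))
    return violations


if __name__ == "__main__":
    for label, groups in (("misconfigured", MISCONFIGURED_GROUPS), ("fixed", FIXED_GROUPS)):
        print(f"[{label}] carol resolves to groups: {sorted(expand_groups(groups, 'carol'))}")
        print(f"[{label}] carol effective permissions: "
              f"{sorted(effective_permissions(groups, ROLE_ASSIGNMENTS, 'carol'))}")
        print(f"[{label}] nesting violations: "
              f"{find_nesting_violations(groups, ROLE_ASSIGNMENTS, ALLOWED_SCOPE)}")
```

Running it shows the sales user `carol` resolving to both `sales` and `finance` and holding read/write on `financial-app` under the misconfigured directory, with the violation reported as `("sales", "finance", ["financial-app"])`; after the nesting is removed she holds only the CRM permissions and the check reports nothing. The walk is upward (child to parent) because the question is "which roles does this user inherit", which is the direction an IAM access review has to compute.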

Reference. https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Topics

RBAC, access control, IAM, group membership
