Role-Based Access Control (RBAC)

RBAC - Access Control Type


Question

Which access control type has a central authority that determines which objects the subjects have access to, based on role or on the organizational security policy?

Answers

C.

Explanations

Non-Discretionary Access Control (NDAC) includes Role-Based Access Control (RBAC) and Rule-Based Access Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC as an answer, since it was already covered under NDAC.

Some people think that RBAC is synonymous with NDAC, but RuBAC would also fall into this category.

Discretionary Access Control is for environments with a very low level of security. There is no control over the dissemination of information: a user who has access to a file can copy the file or further share it with other users.

Rule-Based Access Control is when you have ONE set of rules applied uniformly to all users. A good example would be a firewall at the edge of your network: a single rule base is applied against every packet received from the internet.

Mandatory Access Control is a very rigid type of access control. The subject must dominate the object, and the subject must have a Need To Know to access the information. Objects have labels that indicate their sensitivity (classification), and there are also categories to enforce the Need To Know (NTK).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

The access control type that has a central authority determining which objects the subjects may access, based on role or on the organizational security policy, is Non-Discretionary Access Control.

Non-Discretionary Access Control is a form of access control that is based on the system owner's security policy, and access is granted or denied based on predefined rules or roles. It is sometimes also referred to as Role-Based Access Control (RBAC).

In Non-Discretionary Access Control, the central authority defines specific roles within an organization and assigns permissions or access rights to those roles. Users are then assigned to those roles, and their access rights are automatically defined based on the permissions associated with that role. Access control decisions are made based on the user's role and not on the individual's identity.

Non-Discretionary Access Control is commonly used in large organizations where access to resources needs to be managed centrally, and access needs to be granted or denied automatically based on predefined rules. This type of access control provides a high level of security because it is based on the organization's security policy, and users cannot grant themselves access beyond what is allowed for their assigned roles.

In contrast, Discretionary Access Control (DAC) is a type of access control where the owner of an object or resource determines who is granted access to it. In DAC, users are granted permission to access an object or resource, and they have the discretion to allow or deny access to others.

Mandatory Access Control (MAC) is another type of access control that is used in high-security environments. In MAC, access is granted based on a set of predefined rules, and users cannot change those rules. MAC is often used in government and military organizations to control access to sensitive information.

Finally, Rule-Based Access Control (RuBAC, also abbreviated RBAC) is a type of access control that uses a set of rules to determine access. RuBAC is similar to Non-Discretionary Access Control in that access is granted based on predefined rules or policies. However, RuBAC does not necessarily use roles to define access, and access decisions may be based on other criteria such as time of day, location, or other factors.
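To make the four models above concrete, here is a small decision engine that implements each one as the explanations describe it: RBAC (a central authority maps roles to permissions and users to roles), MAC (a subject's clearance label must dominate the object's label, including Need-To-Know categories), DAC (the object owner decides, and anyone holding access can pass it on), and RuBAC (one rule set applied uniformly to every request, like an edge firewall). This is an added example written for this page, not code from the question site or from Krutz & Vines; every user, role, label, object and rule in it is constructed sample data.

```python
"""Toy decision engine for the four access-control models discussed above.

Added example, not code from the question page or from Krutz & Vines.
All users, roles, labels, objects and rules are constructed sample data."""
from dataclasses import dataclass

# --- Non-Discretionary / Role-Based Access Control ------------------------
# A central authority maps roles to permissions and users to roles. A user
# cannot grant themselves anything outside the roles they were assigned.
class RBACPolicy:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}  # role -> {(object, action)}
        self.user_roles: dict[str, set[str]] = {}               # user -> {role}

    def grant(self, role: str, obj: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, action))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, obj: str, action: str) -> bool:
        # The decision depends only on the user's roles, never on their identity.
        return any((obj, action) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))

# --- Mandatory Access Control --------------------------------------------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # Need-To-Know compartments

    def dominates(self, other: "Label") -> bool:
        # Dominance: at least as high a classification level AND a superset
        # of the object's categories (the Need-To-Know part).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def mac_allowed(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)

# --- Discretionary Access Control ----------------------------------------
class DACPolicy:
    """The owner decides, and anyone who holds access may pass it on, so
    there is no control over dissemination (the weakness noted above)."""
    def __init__(self) -> None:
        self.acl: dict[str, set[str]] = {}   # object -> users with read access

    def create(self, owner: str, obj: str) -> None:
        self.acl[obj] = {owner}

    def share(self, granter: str, obj: str, recipient: str) -> bool:
        if granter not in self.acl.get(obj, set()):
            return False
        self.acl[obj].add(recipient)
        return True

    def allowed(self, user: str, obj: str) -> bool:
        return user in self.acl.get(obj, set())

# --- Rule-Based Access Control -------------------------------------------
# One rule set applied uniformly to every packet, regardless of who sent it.
FIREWALL_RULES = [  # (protocol, destination port, decision); first match wins
    ("tcp", 443, "allow"),
    ("tcp", 22, "deny"),
]

def rule_based_allowed(proto: str, dport: int) -> bool:
    for rule_proto, rule_port, decision in FIREWALL_RULES:
        if rule_proto == proto and rule_port == dport:
            return decision == "allow"
    return False   # default deny when no rule matches

def demo() -> dict:
    """Run one constructed request through each model and return the decisions."""
    rbac = RBACPolicy()
    rbac.grant("payroll_clerk", "salary_db", "read")
    rbac.assign("alice", "payroll_clerk")

    dac = DACPolicy()
    dac.create("bob", "report.docx")
    dac.share("bob", "report.docx", "carol")
    dac.share("carol", "report.docx", "dave")   # carol re-shares; the owner is never asked

    secret_hr = Label("SECRET", frozenset({"HR"}))
    return {
        "rbac_alice_read": rbac.allowed("alice", "salary_db", "read"),
        "rbac_alice_write": rbac.allowed("alice", "salary_db", "write"),
        "mac_ts_hr": mac_allowed(Label("TOP SECRET", frozenset({"HR"})), secret_hr),
        "mac_ts_no_ntk": mac_allowed(Label("TOP SECRET"), secret_hr),  # level ok, no NTK
        "dac_dave": dac.allowed("dave", "report.docx"),
        "rule_https": rule_based_allowed("tcp", 443),
        "rule_ssh": rule_based_allowed("tcp", 22),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `mac_ts_no_ntk` case is the one worth noticing: a TOP SECRET subject is still denied a SECRET object because it lacks the HR category, which is exactly what "the subject must dominate the object and must have a Need To Know" means. The DAC case shows the opposite failure mode: access to `report.docx` reached `dave` without the owner ever being consulted.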