A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources.
Which of the following should be implemented?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
The security administrator wants to implement a policy that allows data owners to manage and enforce access control rules on various resources. This implies that data owners will be responsible for determining who has access to what data and resources, and will be able to modify those access controls as needed.
There are several access control models that can be used to implement such a policy. Let's take a look at the options provided:
A. Mandatory access control (MAC): In a MAC model, access controls are enforced based on predefined security labels assigned to both users and resources. The security labels are assigned by a central authority (usually the system administrator) and cannot be modified by data owners. Therefore, MAC is not suitable for this scenario.
B. Discretionary access control (DAC): In a DAC model, data owners have full control over access controls and can modify them as needed. This is because access controls are based on the discretion of the data owner, rather than predefined security labels. Therefore, DAC is a possible solution for this scenario.
C. Role-based access control (RBAC): In an RBAC model, access controls are based on the roles that users have within an organization. Data owners can be assigned roles that give them the ability to manage access controls for resources within their domain. RBAC can be a good solution for this scenario.
D. Rule-based access control (RBAC): In an RBAC model, access controls are based on a set of predefined rules that are used to determine whether a user should be granted access to a resource. Data owners can create and modify these rules as needed. Therefore, RBAC is also a possible solution for this scenario.
Overall, both DAC and RBAC can be suitable solutions for implementing a policy that allows data owners to manage and enforce access control rules. The choice between these two models will depend on the specific needs of the organization and the resources being protected.