SSCP Exam: Access Control Models - Non Discretionary Access Control (NDAC)

Non Discretionary Access Control (NDAC)


Question

Which access control model is also called Non Discretionary Access Control (NDAC)?

Answers

Explanations


A. B. C. D.

C.

RBAC is sometimes also called non-discretionary access control (NDAC), "to distinguish it from the policy-based specifics of MAC", as Ferraiolo puts it. Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC, also abbreviated RBAC).

Most of the CISSP books use the same acronym for both models, but NIST tends to use a lowercase "u" between R and B (RuBAC) to differentiate the two.

You can certainly mimic MAC using RBAC, but true MAC makes use of labels that carry the sensitivity of each object and the categories it belongs to. No labels means MAC is not being used.

One of the most fundamental data access control decisions an organization must make is the amount of control it will give system and data owners to specify the level of access users of that data will have.

In every organization there is a balancing point between the access controls enforced by organization and system policy and the ability for information owners to determine who can have access based on specific business requirements.

The process of translating that balance into a workable access control model can be defined by three general access frameworks:

- Discretionary access control
- Mandatory access control
- Nondiscretionary access control

A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs.

Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities.

Objects associated with a role will inherit privileges assigned to that role.

This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles.
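The user-to-group-to-role-to-permission resolution described above, as an added example that is not part of the original page or of any cited book. The users, groups, roles and resources are made-up sample data; the point is that permissions hang off roles, so an information owner has no way to hand out access directly, which is what makes the model non-discretionary.

```python
"""Small RBAC policy engine: users -> groups -> roles -> permissions.

Added example, not from the page or the cited references. All user,
group, role and resource names are constructed sample data.
"""
from dataclasses import dataclass, field

Perm = tuple[str, str]  # (action, resource)


@dataclass
class RbacPolicy:
    # Permissions are attached to roles, never to users. Only whoever
    # administers the role definitions can change what a role may do;
    # data owners cannot grant access themselves.
    role_perms: dict[str, set[Perm]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, action: str, resource: str) -> None:
        self.role_perms.setdefault(role, set()).add((action, resource))

    def assign_group_role(self, group: str, role: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def add_user(self, user: str, groups=(), roles=()) -> None:
        # A user may hold roles directly or inherit them through groups.
        self.user_groups[user] = set(groups)
        self.user_roles[user] = set(roles)

    def roles_of(self, user: str) -> set[str]:
        # Direct role assignments plus every role reached through a group.
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def permissions_of(self, user: str) -> set[Perm]:
        perms: set[Perm] = set()
        for role in self.roles_of(user):
            perms |= self.role_perms.get(role, set())
        return perms

    def is_permitted(self, user: str, action: str, resource: str) -> bool:
        # Deny by default: an unknown user or role simply has no permissions.
        return (action, resource) in self.permissions_of(user)

    def who_can(self, action: str, resource: str) -> set[str]:
        # Entitlement review: which users end up holding this permission?
        users = set(self.user_groups) | set(self.user_roles)
        return {u for u in users if self.is_permitted(u, action, resource)}


def build_demo_policy() -> RbacPolicy:
    """Constructed sample policy: two roles, two groups, four users."""
    p = RbacPolicy()
    p.grant("payroll-clerk", "read", "payroll-db")
    p.grant("payroll-clerk", "update", "payroll-db")
    p.grant("auditor", "read", "payroll-db")
    p.grant("auditor", "read", "audit-log")
    p.assign_group_role("finance-staff", "payroll-clerk")
    p.assign_group_role("internal-audit", "auditor")
    p.add_user("alice", groups=["finance-staff"])
    p.add_user("bob", groups=["internal-audit"])
    p.add_user("carol", roles=["auditor"])   # direct role, no group
    p.add_user("dave")                        # no roles at all
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    checks = [("alice", "update", "payroll-db"), ("bob", "update", "payroll-db"),
              ("carol", "read", "audit-log"), ("dave", "read", "payroll-db")]
    for user, action, res in checks:
        verdict = "permit" if policy.is_permitted(user, action, res) else "deny"
        print(f"{user:6} {action:7} {res:12} -> {verdict}")
    print("can read payroll-db:", sorted(policy.who_can("read", "payroll-db")))
```

`who_can` is the check an auditor actually wants from an RBAC deployment: it walks the same resolution path in reverse so that a role granted to the wrong group shows up as unexpected users on the list.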

There are several approaches to RBAC.

As with many system controls, there are variations on how they can be applied within a computer system.

There are four basic RBAC architectures:

1. Non-RBAC: Non-RBAC is simply a user granted access to data or an application by traditional mapping, such as with ACLs. There are no formal "roles" associated with the mappings, other than any identified by the particular user.

2. Limited RBAC: Limited RBAC is achieved when users are mapped to roles within a single application rather than through an organization-wide role structure. Users in a limited RBAC system are also able to access non-RBAC-based applications or data. For example, a user may be assigned to multiple roles within several applications and, in addition, have direct access to another application or system independent of his or her assigned role. The key attribute of limited RBAC is that the role for that user is defined within an application and not necessarily based on the user's organizational job function.

3. Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to multiple applications or systems based on a user's specific role within the organization. That role is then applied to applications or systems that subscribe to the organization's role-based model. However, as the term "hybrid" suggests, there are instances where the subject may also be assigned to roles defined solely within specific applications, complementing (or, perhaps, contradicting) the larger, more encompassing organizational role used by other systems.

4. Full RBAC: Full RBAC systems are controlled by roles defined by the organization's policy and access control infrastructure and then applied to applications and systems across the enterprise. The applications, systems, and associated data apply permissions based on that enterprise definition, and not one defined by a specific application or system.

Be careful not to try to make MAC and DAC opposites of each other -- they are two different access control strategies with RBAC being a third strategy that was defined later to address some of the limitations of MAC and DAC.

The other answers are not correct because:

Mandatory access control is incorrect because, though it is by definition not discretionary, it is not called "non-discretionary access control." MAC makes use of labels to indicate the sensitivity of an object, and of categories to implement need to know.

Label-based access control is incorrect because this is not a name for a type of access control, simply a bogus distractor.

Lattice-based access control is not adequate either. A lattice is a series of levels, and a subject is granted an upper and a lower bound within that series. The levels could be sensitivity levels, confidentiality levels or integrity levels.
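The label comparison that MAC relies on, and the lattice bounds just described, as an added example that is not part of the original page or of any cited book. A label is a sensitivity level plus a set of categories; one label dominates another when its level is at least as high and its categories are a superset, which is what turns the levels into a lattice rather than a plain ladder and is how need to know is enforced. The level names, categories and subject are constructed sample data, and the handling of an unlabeled object (refuse to decide) is this example's reading of the page's point that without labels MAC is not in use.

```python
"""MAC labels (level + categories) ordered as a lattice.

Added example, not from the page or the cited references. Level names,
categories and the sample subject are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Sensitivity levels, lowest to highest (constructed sample).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: level at least as high AND a
        # superset of the categories. Labels with disjoint categories
        # are incomparable, which is exactly what enforces need to know.
        return self.rank >= other.rank and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        # Least upper bound: highest level, union of categories.
        return Label(LEVELS[max(self.rank, other.rank)],
                     self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        # Greatest lower bound: lowest level, intersection of categories.
        return Label(LEVELS[min(self.rank, other.rank)],
                     self.categories & other.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    low: Label    # lower bound of the range the subject may work in
    high: Label   # upper bound, i.e. the subject's clearance


def can_access(subject: Subject, obj_label: Optional[Label]) -> bool:
    # Lattice range check: the object's label must sit between the
    # subject's bounds. The decision uses only the labels; neither the
    # user nor the object's owner gets a say, which is what makes it MAC.
    if obj_label is None:
        # No label means MAC is not in force for this object; refuse to
        # decide rather than silently fall back to another model.
        raise ValueError("object carries no label; MAC cannot decide")
    return subject.high.dominates(obj_label) and obj_label.dominates(subject.low)


def make_demo_subject() -> Subject:
    """Constructed sample: cleared to SECRET for the NUC and EUR categories."""
    return Subject("analyst",
                   low=Label("UNCLASSIFIED"),
                   high=Label("SECRET", frozenset({"NUC", "EUR"})))


if __name__ == "__main__":
    analyst = make_demo_subject()
    objects = {
        "report-1": Label("SECRET", frozenset({"NUC"})),
        "report-2": Label("SECRET", frozenset({"NUC", "ASIA"})),   # lacks need to know
        "report-3": Label("TOP SECRET", frozenset({"NUC"})),       # level too high
        "memo": Label("CONFIDENTIAL"),
        "scratch": None,                                           # never labeled
    }
    for name, label in objects.items():
        try:
            verdict = "permit" if can_access(analyst, label) else "deny"
        except ValueError as exc:
            verdict = f"error: {exc}"
        print(f"{name:9} {label} -> {verdict}")
```

`join` and `meet` are what make the structure a lattice: any two labels have a least upper bound (the label a document combining both would need) and a greatest lower bound (what two subjects can both see), even when neither label dominates the other.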

Reference(s) used for this question:

All in One, third edition, page 165

Ferraiolo, D., Kuhn, D. & Chandramouli, R. (2003). Role-Based Access Control, p. 18

Ferraiolo, D., Kuhn, D. (1992). Role-Based Access Controls. http://csrc.nist.gov/rbac/Role_Based_Access_Control-1992.html

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1557-1584). Auerbach Publications. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1474-1477). Auerbach Publications. Kindle Edition.

In summary, the correct answer is C, Role-Based Access Control (RBAC), which the NIST RBAC literature also calls Non-Discretionary Access Control (NDAC). Mandatory Access Control (MAC) is non-discretionary in the ordinary sense of the word, because the system enforces a policy that individual users cannot change, but "NDAC" is not the name used for it.

In MAC, the system enforces a predefined security policy: each object carries a label giving its sensitivity level and categories, each subject carries a clearance, and access is decided by comparing the two. Neither the user nor the data owner can override that decision. MAC is most often found in systems with high security requirements, such as government and military systems.

In contrast, Discretionary Access Control (DAC) allows the owner of a resource to decide who can access it. RBAC is a third model, not a type of DAC: permissions are attached to roles defined by organizational policy, and a user's access follows from the roles assigned to them, which is why it falls under the non-discretionary heading.

Lattice-based access control describes the mathematical structure, a lattice of levels and categories, in which MAC labels are ordered, and "label-based access control" is not an established model name. Neither is the term the question asks for.