In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:
Click on the arrows to vote for the correct answer
A. B. C. D.B.
In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization.You can easily configure a new employee acces by assigning the user to a role that has been predefine.The user will implicitly inherit the permissions of the role by being a member of that role.
These access permissions defined within the role do not need to be changed whenever a new person takes over the role.
Another type of non-discretionary access control model is the Rule Based Access Control (RBAC or RuBAC)where a global set of rule is uniformly applied to all subjects accessing the resources.A good example of RuBAC would be a firewall.
This question is a sneaky one,one of the choice has only one added word to it which is often.Reading questions and their choices very carefully is a must for the real exam.Reading it twice if needed is recommended.
Shon Harris in her book list the following ways of managing RBAC: Role-based access control can be managed in the following ways: Non-RBAC Users are mapped directly to applications and no roles are used.(No roles being used) Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality.
(A mix of roles for applications that supports roles and explicit access control would be used for applications that do not support roles) Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those roles.
Full RBAC Users are mapped to enterprise roles.(Roles are used for all access being granted) NIST defines RBAC as: Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually.With RBAC, security is managed at a level that corresponds closely to the organization's structure.Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role.Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles.Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.
Reference(s) used for this question: KRUTZ, Ronald L.
& VINES, Russel.
D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32
and Harris, Shon (2012-10-25)
CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill.
and http://csrc.nist.gov/groups/SNS/rbac/
The correct answer is B. The access controls are based on the individual's role or title within the organization.
Role-Based Access Control (RBAC) is a non-discretionary access control mechanism that restricts access to resources based on the user's role or job function within the organization. In RBAC, permissions are associated with specific roles, and users are assigned to these roles based on their job responsibilities.
RBAC is particularly useful in organizations with frequent personnel changes because it allows for easier management of access control. Instead of assigning permissions to individual users, which can be time-consuming and error-prone, access is granted based on the user's role or title. As users join or leave the organization, their access can be easily adjusted by modifying their role assignments.
RBAC also helps to enforce the principle of least privilege, which states that users should only have access to the resources necessary to perform their job functions. By assigning permissions based on job responsibilities, RBAC helps to ensure that users only have access to the resources required to do their job, reducing the risk of accidental or intentional data breaches.
In summary, RBAC is a non-discretionary access control mechanism that restricts access to resources based on the user's role or job function within the organization. RBAC is particularly useful in organizations with frequent personnel changes because it allows for easier management of access control and helps to enforce the principle of least privilege.