In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy.The access controls may be based on:
Click on the arrows to vote for the correct answer
A. B. C. D.B.
In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy.
The access controls may be based on the individual's role in the organization.
Reference(S) used for this question: KRUTZ, Ronald L.
& VINES, Russel.
D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
Non-discretionary access control is a security mechanism that enforces access controls based on predefined security policies rather than individual user discretion. Role-Based Access Control (RBAC) is a form of non-discretionary access control that provides a flexible and efficient means of specifying and enforcing access control policies based on roles assigned to subjects within an organization.
In RBAC, a central authority (usually an administrator or a group of administrators) determines what subjects (usually users or groups of users) can have access to specific objects (usually resources or data) based on the organizational security policy. Access controls are defined based on the roles that subjects are assigned within the organization, and each role has a set of permissions that determine the actions the subject can perform on specific objects.
RBAC can be implemented using a variety of mechanisms, such as access control lists (ACLs) or capabilities. However, the core concept of RBAC remains the same, which is to base access controls on roles rather than individual users or groups.
In RBAC, access controls can be based on the individual's role in the organization, which determines the permissions the subject has on specific objects. For example, a user with the role of "HR manager" might have access to personnel records, while a user with the role of "IT administrator" might have access to system logs.
RBAC can also be based on the societies role in the organization, which refers to the broader categories of roles within the organization. For example, a user with the role of "manager" might have access to sensitive financial data, while a user with the role of "employee" might have access to general company information.
Group-dynamics can also play a role in RBAC, as access controls can be based on the relationship between the individual's role and the group they belong to within the organization. For example, a user with the role of "supervisor" might have access to the performance data of the employees they manage, while a user with the role of "employee" might only have access to their own performance data.
Finally, RBAC can also be based on the group-dynamics as they relate to the master-slave role in the organization. However, this approach is less common and not widely used in RBAC implementations.
In conclusion, RBAC is a non-discretionary access control mechanism that provides a flexible and efficient means of enforcing access controls based on roles assigned to subjects within an organization. Access controls in RBAC can be based on the individual's role, the societies role, group-dynamics, or master-slave roles within the organization.