Weekly CISSP Practice Exam Questions
Week 11 - Question 2
Role-based access control is primarily associated with which model?
A. MAC
B. DAC
C. ABAC
D. RBAC
Correct Answer: D
Explanation:
A. MAC (Mandatory Access Control)
MAC is the strictest access control model, often used in military and high-security government environments.
The Mechanism: Access is determined by the system based on Labels (e.g., Secret, Top Secret) and Clearance. A user can only access an object if their clearance level is equal to or higher than the object's classification level.
The Constraint: Users cannot change permissions or share access to files they create; only the system administrator (or the system itself) can define the security policy. This ensures that the organization's data sensitivity policy is strictly enforced across the board.
B. DAC (Discretionary Access Control)
DAC is the most flexible model and is commonly used in commercial operating systems like Windows and Linux.
The Mechanism: In DAC, the Owner of an object (the person who created it) has the discretion to grant or revoke access to that object.
The Vulnerability: Because users can pass permissions to others, DAC is susceptible to the "Trojan Horse" problem and accidental over-sharing of sensitive information. It relies heavily on individual users to maintain security rather than a centralized, rigid policy.
C. ABAC (Attribute-Based Access Control)
ABAC is an advanced, highly granular model often referred to as "Next-Generation Access Control."
The Mechanism: Access is granted based on Attributes related to the Subject (user's department, seniority), the Object (file type, sensitivity), and the Environment (time of day, physical location, IP address).
The Value: ABAC allows for "context-aware" security. For example, a doctor might be allowed to view patient records (Subject/Object) but only while they are physically in the hospital during their scheduled shift (Environment).
D. RBAC (Role-Based Access Control)
RBAC (sometimes called Nondiscretionary Access Control) simplifies administration by grouping permissions into "Roles" that align with business functions.
Why it's the Answer: Instead of assigning permissions to 1,000 individual users, an administrator creates a "Manager" role and a "Technician" role. When a new employee is hired, they are simply assigned to a role, and they automatically inherit all the permissions associated with it.
The Benefit: This model is excellent for managing User Provisioning and Joiner-Mover-Leaver (JML) processes. It significantly reduces administrative overhead and helps prevent "Permission Creep," where users accumulate access rights as they change jobs within the company.
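As an added illustration (not part of the original post), the following Python sketch models the RBAC administration described above: users hold roles, never direct permissions; a joiner is assigned a role, a mover swaps roles, a leaver loses everything, and a small report flags accounts that accumulated roles additively (permission creep). The role catalogue and user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue, assumed for this example only.
ROLE_PERMISSIONS = {
    "Technician": {"ticket:read", "ticket:update", "device:configure"},
    "Manager": {"ticket:read", "report:read", "approve:timesheet"},
}


@dataclass
class RbacDirectory:
    """Users hold roles, never direct permissions; access is derived from roles."""
    roles: dict = field(default_factory=dict)   # role -> set of permissions
    users: dict = field(default_factory=dict)   # user -> set of roles

    def joiner(self, user: str, role: str) -> None:
        # New hire: assign the business-function role; permissions are inherited.
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.users.setdefault(user, set()).add(role)

    def mover(self, user: str, old_role: str, new_role: str) -> None:
        # Job change: replace the old role instead of stacking a new one on top.
        if new_role not in self.roles:
            raise KeyError(f"unknown role {new_role!r}")
        held = self.users.setdefault(user, set())
        held.discard(old_role)
        held.add(new_role)

    def leaver(self, user: str) -> None:
        # Departure: dropping the user removes every inherited permission at once.
        self.users.pop(user, None)

    def permissions(self, user: str) -> set:
        return set().union(*(self.roles[r] for r in self.users.get(user, set())))

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def creep_report(self) -> dict:
        # Review aid: users holding more than one role may have accumulated access.
        return {u: sorted(r) for u, r in self.users.items() if len(r) > 1}


def demo() -> RbacDirectory:
    d = RbacDirectory(roles=dict(ROLE_PERMISSIONS))
    d.joiner("alice", "Technician")
    d.mover("alice", "Technician", "Manager")   # promotion handled as a move
    d.joiner("bob", "Technician")
    d.joiner("bob", "Manager")                  # additive change: shows up as creep
    return d
```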
Key Takeaway for the CISSP Exam
Access Control Cheat Sheet:
- MAC: Labels and Clearance (Military/Strict).
- DAC: Identity and Ownership (Flexible/User-defined).
- RBAC: Job Function and Roles (Management-efficient).
- ABAC: Attributes and Context (Granular/Complex).
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.