Weekly CISSP Exam Questions
Scenario: A department in your organization wants to move to a role-based access control system for its file-sharing application. Which of the following should be your first step?
A. Assign roles to each user.
B. Document existing permissions.
C. Implement least privilege.
D. Audit current user activity.
Answer: B
Explanation:
Before transitioning to a role-based access control (RBAC) system, it's crucial to have a clear understanding of the existing permissions and access controls in place. This will give you a baseline to work from and help you accurately configure the new RBAC settings. Here's a breakdown of the other options:
Assign roles to each user: This is a step that will come later, after understanding the existing permissions and perhaps after auditing current user activity to determine what roles are actually needed.
Implement least privilege: Implementing the principle of least privilege is a good practice in access control, but you would first need to know what privileges are currently in place before you can minimize them.
Audit current user activity: While this is also important, especially for understanding the suitability and effectiveness of existing controls, it would typically come after documenting existing permissions and possibly in parallel with designing the new role-based controls.
So, the first step should be to document existing permissions. That inventory is the baseline against which roles are designed, least privilege is measured, and the migration is verified.
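As an added worked example (not part of the original post), the script below shows why the documented permission inventory comes first: once you have it, candidate roles fall out of the users who share identical access, one-off users surface for review, and any proposed role can be checked against a user's current access so the migration neither silently grants more nor accidentally drops needed rights. The file paths, user names and ACL entries are constructed sample data, not from any real system.

```python
from collections import defaultdict

# Constructed sample export of the file-sharing application's current ACLs:
# (user, path, permission). Hypothetical data, not from a real system.
EXISTING_PERMISSIONS = [
    ("alice", "/finance/reports", "read"),
    ("alice", "/finance/reports", "write"),
    ("alice", "/finance/budgets", "read"),
    ("bob", "/finance/reports", "read"),
    ("bob", "/finance/reports", "write"),
    ("bob", "/finance/budgets", "read"),
    ("carol", "/finance/reports", "read"),
    ("erin", "/finance/reports", "read"),
    ("dave", "/finance/reports", "read"),
    ("dave", "/finance/reports", "write"),
    ("dave", "/finance/budgets", "read"),
    ("dave", "/finance/budgets", "write"),
    ("dave", "/finance/budgets", "delete"),
]


def build_inventory(entries):
    """Step 1 (the answer): document who currently holds what.

    Returns {user: frozenset((path, permission), ...)}.
    """
    inventory = defaultdict(set)
    for user, path, permission in entries:
        inventory[user].add((path, permission))
    return {user: frozenset(perms) for user, perms in inventory.items()}


def mine_candidate_roles(inventory):
    """Group users with identical permission sets into candidate roles.

    Returns a list of (permission_set, [users]) ordered by member count,
    largest first, so the most common access pattern becomes role 1.
    """
    members = defaultdict(list)
    for user, perms in inventory.items():
        members[perms].append(user)
    roles = [(perms, sorted(users)) for perms, users in members.items()]
    roles.sort(key=lambda role: (-len(role[1]), sorted(role[0])))
    return roles


def singleton_users(roles):
    """Users whose permission set matches nobody else's.

    These need a human decision: a genuine one-person role, or accumulated
    excess access that a least-privilege review should trim.
    """
    return sorted(user for _perms, users in roles if len(users) == 1 for user in users)


def compare_to_role(inventory, user, role_perms):
    """Diff a user's documented access against a proposed role.

    'gained' is what the role would grant beyond the baseline (a privilege
    increase to justify); 'lost' is baseline access the role would drop
    (either intended least-privilege trimming or a migration bug).
    """
    current = inventory[user]
    return {
        "gained": sorted(role_perms - current),
        "lost": sorted(current - role_perms),
    }


if __name__ == "__main__":
    inv = build_inventory(EXISTING_PERMISSIONS)
    roles = mine_candidate_roles(inv)
    for i, (perms, users) in enumerate(roles, start=1):
        print(f"candidate role {i}: {users}")
        for path, perm in sorted(perms):
            print(f"    {perm:6} {path}")
    print("review individually:", singleton_users(roles))
    # Mapping dave onto the largest role would drop his write/delete on budgets.
    print(compare_to_role(inv, "dave", roles[0][0]))
```

Run as-is, the script proposes two candidate roles (alice/bob and carol/erin), flags dave as a one-off to review, and shows that placing dave in the largest role would remove two of his current permissions. Without the inventory from the first step, none of those checks are possible, which is the point of the question.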

Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.