Weekly CISSP Practice
Exam Questions
Week 23 - Question 1
Scenario: A department in your organization wants to move to a role-based access control system for its file-sharing application. Which of the following should be your first step?
A. Assign roles to each user.
B. Document existing permissions.
C. Implement least privilege.
D. Audit current user activity.
Answer: B
Explanation:
A. Assign roles to each user.
Assigning roles is the "execution" phase of the project, not the "planning" phase.
- The Risk: If you assign roles before understanding what permissions are actually required, you will likely cause "Access Denied" errors for critical business tasks or, conversely, grant too much access.
- The Process: You must define the Roles (e.g., Manager, Analyst, Auditor) and the Permissions associated with those roles before you can assign a user to them.
B. Document existing permissions.
In the CISSP mindset, you cannot manage what you do not measure.
- Why it's the Answer: You need a "Baseline." Many legacy systems suffer from Permission Creep, where users have accumulated random permissions over years. Documenting the current state allows you to map those existing permissions into logical groups (Roles). It ensures that when you flip the switch to RBAC, you know exactly what access is being replaced.
C. Implement least privilege.
The Principle of Least Privilege (PoLP) is the ultimate goal of RBAC, but it is not a "step."
- The Context: RBAC is a method used to achieve Least Privilege. By documenting permissions and then assigning only the necessary roles, you are practicing PoLP. However, you cannot "implement" a principle without the underlying data gathered during documentation.
D. Audit current user activity.
Auditing activity is a powerful tool for Role Discovery, but it follows documentation.
- The Relationship: Documenting (Option B) tells you what users can do (Authorization). Auditing (Option D) tells you what they actually do (Usage). While both are important, you start with the existing configuration (the "paper" trail) before moving to behavioral analysis to refine those roles.
The RBAC Implementation Roadmap
For the CISSP exam, remember the logical flow of implementing a new access control model:
- Inventory & Documentation: Identify current users and their existing access rights.
- Role Definition: Group tasks and permissions into logical roles based on job functions.
- Role Mapping: Determine which users belong to which roles.
- Testing/Validation: Verify that the roles provide "Just Enough Access" to perform the job.
- Provisioning: Apply the new RBAC settings in the production environment.
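The roadmap above can be worked through in code. The following is an added example (not from the original page): it takes a constructed permission baseline for a file share (step 1, the output of documenting existing permissions), mines candidate roles by grouping users who hold identical permission sets (step 2), maps each user to a role (step 3), and validates that the role-based view grants exactly what the baseline did, nothing lost and nothing gained (step 4). It also shows the failure mode behind option A: assigning a user to a role before the baseline was consulted silently strips an entitlement. The users, permission strings and mined role names are all constructed placeholders.

```python
"""Role discovery and validation from a documented permission baseline.

Added example; the users, permissions and role names below are constructed
for illustration and are not from any real system.
"""
from collections import defaultdict

# Step 1 (Inventory & Documentation): constructed baseline of who currently
# holds which permissions on the file share. In practice this comes from an
# export of the existing ACLs, not from memory.
BASELINE = {
    "alice": {"reports:read", "reports:write", "budgets:read", "budgets:write"},
    "bob":   {"reports:read", "reports:write", "budgets:read", "budgets:write"},
    "carol": {"reports:read", "reports:write"},
    "dave":  {"reports:read", "reports:write"},
    "erin":  {"reports:read", "audit-logs:read"},
    # frank has accumulated an extra admin permission over the years
    # (permission creep) that no one else in his job function holds.
    "frank": {"reports:read", "reports:write", "budgets:read", "budgets:write",
              "admin:share"},
}


def define_roles(baseline):
    """Step 2 (Role Definition): group users holding the identical permission
    set into one candidate role. Returns {role_name: set_of_permissions}.
    Role names are placeholders (role1, role2, ...); a real project renames
    them after business functions (Manager, Analyst, ...)."""
    groups = defaultdict(list)
    for user, perms in baseline.items():
        groups[frozenset(perms)].append(user)
    roles = {}
    # Sort by member list so the numbering is deterministic across runs.
    for i, (perms, _users) in enumerate(
            sorted(groups.items(), key=lambda kv: sorted(kv[1])), start=1):
        roles[f"role{i}"] = set(perms)
    return roles


def map_users(baseline, roles):
    """Step 3 (Role Mapping): give each user the role whose permission set
    matches the documented baseline exactly. Returns {user: {role, ...}}."""
    assignment = {}
    for user, perms in baseline.items():
        for role, role_perms in roles.items():
            if role_perms == perms:
                assignment[user] = {role}
                break
    return assignment


def effective_permissions(assignment, roles):
    """Permissions a user would hold once access is granted only via roles."""
    return {user: set().union(*(roles[r] for r in rs))
            for user, rs in assignment.items()}


def validate(baseline, assignment, roles):
    """Step 4 (Testing/Validation): compare RBAC-derived access with the
    baseline. Returns {user: {"lost": ..., "gained": ...}} for every user whose
    access would change; an empty dict means the cut-over is access-neutral."""
    effective = effective_permissions(assignment, roles)
    drift = {}
    for user, perms in baseline.items():
        got = effective.get(user, set())
        lost, gained = perms - got, got - perms
        if lost or gained:
            drift[user] = {"lost": lost, "gained": gained}
    return drift


def singleton_roles(assignment, roles):
    """Roles held by exactly one user. These usually reflect permission creep
    rather than a real job function and deserve review before provisioning."""
    members = defaultdict(list)
    for user, rs in assignment.items():
        for role in rs:
            members[role].append(user)
    return {role: members[role][0] for role in roles if len(members[role]) == 1}


if __name__ == "__main__":
    roles = define_roles(BASELINE)
    assignment = map_users(BASELINE, roles)
    print("mined roles:", roles)
    print("drift after mapping:", validate(BASELINE, assignment, roles))
    print("single-member roles to review:", singleton_roles(assignment, roles))

    # The option-A mistake: drop frank into the "manager-looking" role without
    # checking the baseline first. Validation catches the lost entitlement.
    premature = dict(assignment)
    premature["frank"] = {"role1"}
    print("drift if roles are assigned first:", validate(BASELINE, premature, roles))
```

Running the script reports no drift for the baseline-derived mapping, flags `role3` (erin) and `role4` (frank) as single-member roles to review, and shows that assigning frank to `role1` before documenting his access would cost him `admin:share`. Whether that permission should survive the cut-over is a business decision; the point of step 1 is that the decision is made knowingly rather than discovered through an "Access Denied" ticket.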
Key Takeaway for the CISSP Exam
RBAC Benefits:
- Administrative Efficiency: Instead of managing 1,000 individual users, you manage 10 roles.
- Consistency: All "Analysts" get the exact same permissions.
- Easier Provisioning: When a new person is hired, you simply drop them into a pre-defined role.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.