Certified Information Systems Security Professional (CISSP) Practice Exam

Prepare for the Certified Information Systems Security Professional Exam. Utilize flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

Which access control model is primarily based on user roles within an organization?

  1. Mandatory access control

  2. Discretionary access control

  3. Nondiscretionary access control

  4. Role-based access control

The correct answer is: Nondiscretionary access control

The access control model that is primarily based on user roles within an organization is Role-based access control (RBAC). In this model, access permissions are granted based on the roles assigned to users, reflecting their responsibilities and tasks within the organization. Roles aggregate users with similar access needs, simplifying the management of permissions and ensuring that users have access only to the resources necessary for their role. RBAC enhances security and operational efficiency, as it aligns the allocation of permissions with the organizational structure and reduces the chance of excessive permissions being granted. For example, a user in a "manager" role may have access to sensitive data that a "staff" role would not have, limiting the exposure of critical systems and information.

The other choices describe different approaches to access control but do not focus on roles in the same systematic and structured manner as RBAC. Mandatory access control enforces access restrictions based on security clearances and labels rather than user roles. Discretionary access control allows owners of resources to decide who can access them, which can result in varied permissions that are not consistent with an organization's role structure. Nondiscretionary access control, while somewhat similar, still lacks the specific focus on organized roles that RBAC provides.