(ISC)2 Certified in Cybersecurity Practice Exam

Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What is the access control model that sets user permissions based on roles?

  1. Mandatory Access Control

  2. Role-based Access Control

  3. Discretionary Access Control

  4. Access Control List

The correct answer is: Role-based Access Control

The access control model that sets user permissions based on roles is known as Role-based Access Control (RBAC). In this model, permissions are assigned to specific roles rather than to individual users directly. This means that when a user is assigned to a particular role, they inherit the permissions associated with that role. RBAC simplifies management of user permissions, especially in organizations with a large number of users and complex access requirements. By grouping permissions into roles, administrators can easily assign and modify access levels by changing the role assignments rather than having to configure each user's permissions individually. This not only streamlines the security management process but also enhances overall security by ensuring that users only have access to the necessary resources to perform their job functions.

In contrast, other access control models have different mechanisms for granting access. Mandatory Access Control (MAC) relies on a system-enforced policy that restricts the ability of users to access or manipulate resources based on predefined security levels. Discretionary Access Control (DAC) allows resource owners to dictate who can access their resources, which can lead to less consistent permission structures. Lastly, an Access Control List (ACL) is a method of specifying which users or system processes have access to specific resources, but does not inherently group such access based