(ISC)2 Certified in Cybersecurity Practice Exam

Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which access control type grants permissions to groups of people?

  1. Mandatory Access Control (MAC)

  2. Role-Based Access Control (RBAC)

  3. Discretionary Access Control (DAC)

  4. None of the above

The correct answer is: Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is designed around the roles that users have within an organization. In this model, access permissions are assigned to specific roles instead of individuals. By grouping users according to their roles, permissions can be managed more easily and efficiently. For example, all members of the HR department might have access to certain files and data that are necessary for their job functions, while access is restricted for members of different departments.

RBAC enhances security by ensuring that individuals are granted only the access necessary to perform their job functions, following the principle of least privilege. This not only simplifies the management of permissions but also helps in auditing who has access to what resources based on their roles within the organization.

In contrast, Mandatory Access Control (MAC) relies on a centralized authority where access rights are assigned based on regulations and classifications. It does not operate on the principle of roles and is often used in highly secure environments. Discretionary Access Control (DAC) allows individual resource owners to determine who has access to their resources, which can lead to inconsistencies and potential security risks due to the lack of a centralized access management system based on roles. Thus, the emphasis of RBAC on grouping users by their specific roles directly supports managing permissions efficiently and is