I read this question. It is not becoming clear:
Which of the following security principles are supported by role-based access control?
a. Discretionary access control, confidentiality, and non-repudiation
b. Mandatory access control, auditing, and integrity
c. Least privilege, separation of duties, and discretionary access control
d. Least privilege, mandatory access control, and data sensitivity
@savita1974 wrote: I read this question. It is not becoming clear:
Which of the following security principles are supported by role-based access control?
a. Discretionary access control, confidentiality, and non-repudiation
b. Mandatory access control, auditing, and integrity
c. Least privilege, separation of duties, and discretionary access control
d. Least privilege, mandatory access control, and data sensitivity
I'd say the best answer is D. Role-based access control often is seen as something that is not discretionary access control. Think of it this way. People are placed into roles, and their access only changes if their role changes. If we follow that premise, we've eliminated A and C. The problem with B is that role-based access control doesn't fully serve integrity because you can have multiple users in the same role, and auditing follows that. In contrast, role-based access control can satisfy all of D. Arguably role-based access is all about least privilege (the least privilege you need to do your job, your role) and data sensitivity is just a flip on that (data should only be accessed by certain jobs/roles).
Maybe someone else has a better assessment. I agree the question is a bit confusing. Think of it this way: DAC focuses mostly on who and not what can be done with data, and determining the who is an ad hoc/transient decision made by the owner. In contrast, with role-based, these questions were addressed when the system was set up, before the user's account or data was ever created. The system is in control. It's sort of like free will vs. predestination, or maybe Neo vs. the Matrix.
The real mess happens when we move users into roles that allow them to exercise DAC (or at least sort of). As silly as that sounds, it happens every day: "Oh, you can't access it? Here, I'll just check all these boxes next to permissions, see if that helps." A few months down the road, you enumerate user accounts and you find out everyone is an administrator.
The answer is D: least privilege (T), mandatory access control (T), and data sensitivity (T). Here is the approach you should use to tackle this question:
Use the process of elimination to knock out each wrong answer. It becomes rather easy once you notice that the same security principles are repeated across several candidate answers. Below is each principle listed in the candidate answers and why it is or is not supported (or implemented) by RBAC.
Discretionary access control (False) - RBAC is a non-discretionary (mandatory) access control in that the owner of the file cannot determine who has access. Access is based on roles and roles are imposed on users.
Confidentiality (True) - RBAC enforces the security policy of confidentiality.
Non-Repudiation (False) - RBAC does not implement NR.
Mandatory access control (True) - RBAC is a mandatory access control implementation.
Auditing (False) - RBAC is an access control and not an auditing or logging implementation.
Integrity (True) - RBAC can enforce some elements of integrity (e.g., only a specific role can modify a file).
Least privilege (True) - RBAC can enforce the principle of least privilege (e.g., a specific role is only granted the accesses or privileges it needs to perform the role).
Separation of Duties (True) - This is a key benefit of RBAC. You can enforce SoD through roles.
Data sensitivity (True) - Data sensitivity is a concept that data may need to be protected based on the contents. You could protect sensitive data using RBAC but that would be protection of sensitive data. This term should have been phrased "sensitive data protection".
Now apply each of these (T/F) to the principles in the candidate answers and we get:
A. Discretionary access control (F), confidentiality (T), and non-repudiation (F)
B. Mandatory access control (T), auditing (F), and integrity (T)
C. Least privilege (T), separation of duties (T), and discretionary access control (F)
D. Least privilege (T), mandatory access control (T), and data sensitivity (T)
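A small model of the points both replies make about RBAC: access is decided by roles imposed on users rather than granted by an object owner, each role carries only the permissions its job needs (least privilege), conflicting roles are kept apart (separation of duties), and enumerating who holds the admin role is how the "everyone is an administrator" drift described above gets noticed. This is an added example, not code from the thread; the roles, permissions and users are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample policy (not from the thread): each role gets only the
# permissions its job needs (least privilege) ...
ROLE_PERMISSIONS = {
    "clerk": {"invoice:create"},
    "approver": {"invoice:approve"},
    "auditor": {"invoice:read", "log:read"},
    "admin": {"invoice:create", "invoice:approve", "invoice:read", "log:read", "user:manage"},
}
# ... and role pairs one person may not hold at the same time (separation of duties).
MUTUALLY_EXCLUSIVE = {frozenset({"clerk", "approver"})}


class SoDViolation(Exception):
    """Raised when an assignment would give one user two conflicting roles."""


@dataclass
class Rbac:
    # user -> set of roles; this is the only input the access decision consults.
    assignments: dict = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(role)
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in MUTUALLY_EXCLUSIVE:
                raise SoDViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def permitted(self, user: str, perm: str) -> bool:
        # Non-discretionary: the decision depends on the user's roles and the
        # role policy alone. There is no per-user grant an object owner could
        # make, which is the contrast with DAC drawn in the thread.
        return any(perm in ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ()))

    def holders(self, role: str) -> list:
        # Enumerating who holds a broad role is the check behind "everyone is an
        # administrator": ad hoc fixes that park users in admin show up here.
        return sorted(u for u, rs in self.assignments.items() if role in rs)


def demo() -> Rbac:
    rbac = Rbac()
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    rbac.assign("carol", "auditor")
    rbac.assign("dave", "admin")  # the "just check all the boxes" fix
    return rbac
```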