savita1974
Newcomer I

Asking clarification on one question

I read this question. It is not becoming clear:

Which of the following security principles are supported by role-based access control?

 

a. Discretionary access control, confidentiality, and non-repudiation
b. Mandatory access control, auditing, and integrity
c. Least privilege, separation of duties, and discretionary access control
d. Least privilege, mandatory access control, and data sensitivity

 

1 Reply
JoePete
Advocate I


@savita1974 wrote:

I read this question. It is not becoming clear:

Which of the following security principles are supported by role-based access control?

 

a. Discretionary access control, confidentiality, and non-repudiation
b. Mandatory access control, auditing, and integrity
c. Least privilege, separation of duties, and discretionary access control
d. Least privilege, mandatory access control, and data sensitivity

 


I'd say the best answer is D. Role-based access control is often seen as something that is not discretionary access control. Think of it this way: people are placed into roles, and their access only changes if their role changes. If we follow that premise, we've eliminated A and C. The problem with B is that role-based access control doesn't fully serve integrity, because you can have multiple users in the same role, and auditing follows that. In contrast, role-based access control can satisfy all of D. Arguably, role-based access control is all about least privilege (the least privilege you need to do your job, your role), and data sensitivity is just a flip on that (data should only be accessed by certain jobs/roles).

 

Maybe someone else has a better assessment. I agree the question is a bit confusing. Think of it this way: DAC focuses mostly on who, and not on what can be done with data, and determining the who is an ad hoc/transient decision made by the owner. In contrast, with role-based access control, these questions were addressed when the system was set up, before the user's account or data was ever created. The system is in control. It's sort of like free will vs. predestination, or maybe Neo vs. the Matrix.

 

The real mess happens when we move users into roles that allow them to exercise DAC (or at least sort of). As silly as that sounds, it happens every day: "Oh, you can't access it? Here, I'll just check all these boxes next to permissions, see if that helps." A few months down the road, you enumerate user accounts and you find out everyone is an administrator.
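The distinction the reply draws (permissions attached to roles, fixed at setup, versus ad hoc per-user grants) is easier to see in code. The following is an added example, not part of the original post and not a model either poster endorsed: a minimal RBAC policy in Python in which access flows only through role assignment, a separation-of-duties rule blocks mutually exclusive role pairs, and an audit function flags permissions that were "checked onto" a user outside any role. All role, permission and user names are constructed sample data.

```python
"""Minimal RBAC model: permissions hang off roles, never off users.

Added illustration for the thread above. Role and permission names
(clerk, approver, invoice:create, ...) are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    """Permissions attach to roles; users get access only through role assignment."""

    role_perms: dict[str, frozenset[str]]
    # Separation-of-duties constraint: role pairs one user may never hold together.
    exclusive_roles: set[frozenset[str]] = field(default_factory=set)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # Permissions granted straight to a user, bypassing roles (DAC-style drift).
    direct_grants: dict[str, set[str]] = field(default_factory=dict)

    def assign_role(self, user: str, role: str) -> None:
        """Place a user in a role, refusing pairs the SoD constraint forbids."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in self.exclusive_roles:
                raise PermissionError(
                    f"separation of duties: {user} holds {existing!r} "
                    f"and cannot also hold {role!r}"
                )
        held.add(role)

    def role_permissions(self, user: str) -> frozenset[str]:
        """Permissions explained by the user's roles alone."""
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_perms[role]
        return frozenset(perms)

    def is_allowed(self, user: str, perm: str) -> bool:
        """Access decision: roles first, then any direct grant that leaked in."""
        return perm in self.role_permissions(user) or perm in self.direct_grants.get(user, set())

    def grant_directly(self, user: str, perm: str) -> None:
        """The "just check all these boxes" shortcut: a permission attached to a user, not a role."""
        self.direct_grants.setdefault(user, set()).add(perm)

    def audit_drift(self) -> dict[str, frozenset[str]]:
        """Per user, the permissions that no assigned role accounts for."""
        findings: dict[str, frozenset[str]] = {}
        for user in set(self.user_roles) | set(self.direct_grants):
            extra = self.direct_grants.get(user, set()) - self.role_permissions(user)
            if extra:
                findings[user] = frozenset(extra)
        return findings


def can_assign(policy: RbacPolicy, user: str, role: str) -> bool:
    """True if the assignment went through; False if a separation-of-duties rule blocked it."""
    try:
        policy.assign_role(user, role)
    except PermissionError:
        return False
    return True


def build_sample() -> RbacPolicy:
    """Constructed sample: an invoicing system where the creator of an invoice may not approve it."""
    policy = RbacPolicy(
        role_perms={
            "clerk": frozenset({"invoice:create", "invoice:read"}),
            "approver": frozenset({"invoice:approve", "invoice:read"}),
            "helpdesk": frozenset({"user:reset_password"}),
        },
        exclusive_roles={frozenset({"clerk", "approver"})},
    )
    policy.assign_role("alice", "clerk")
    policy.assign_role("bob", "helpdesk")
    policy.assign_role("carol", "approver")
    return policy


if __name__ == "__main__":
    p = build_sample()
    print("alice may create:", p.is_allowed("alice", "invoice:create"))      # True
    print("alice may approve:", p.is_allowed("alice", "invoice:approve"))    # False
    print("alice -> approver allowed?", can_assign(p, "alice", "approver"))  # False (SoD)
    p.grant_directly("bob", "user:admin")  # the ad hoc fix the reply warns about
    print("drift:", p.audit_drift())       # {'bob': frozenset({'user:admin'})}
```

Least privilege is the `role_perms` table (each role carries only what the job needs), separation of duties is the `exclusive_roles` check in `assign_role`, and the "everyone is an administrator" outcome is what `audit_drift` is built to surface: anything a user can do that their roles do not explain.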