rslade
Influencer II

Re: CISSP questions

> scootoure (Viewer) mentioned you in a post! Join the conversation below:

> This access controls concept is something that I am finding extremely
> confusing due to the mixed information across resources. Sybex Official Study
> Guide Edition 8, specifically separates Rule-Based Access control from
> Discretionary Access control (p.628) stating each is 1 of the 5 access control
> models.

OK, in this, at least, the Sybex Official Study Guide Edition 8 is dead wrong. Rule
Based Access Control (RBAC) and Role Based Access Control (again, possibly
confusingly, RBAC) are orthogonal to mandatory and discretionary access
control. Mandatory access control can be either rule or role based (or both), and
so can discretionary.

> However, the Destination Certification video
> (https://www.youtube.com/watch?v=BUcoABZzeQ4&list=PLZKdGEfEyJhKWyryIvx_jm1jn6ZMTi7gW&index=16)
> explicitly states that both Rule-Based and Role-Based Access
> Controls are Discretionary and mentions in the comments that everyone else that
> says otherwise is incorrect.

And the Destination Certification video (and attendant comments) is (are) wrong.
Rule-Based Access Control simply uses rules to decide access. Role-Based Access
Control assigns and manages people and access on the basis of jobs. They aren't
mutually contradictory, as mandatory and discretionary access control are.

> Can you provide insight into why your logic
> contradicts the Sybex official study guide?

Because Sybex is wrong.

> What should I follow?

Me. I'm an information scientist. I know everything 🙂

For example, I know that the original paper presenting role based access control
*assumed* that it would be used in mandatory access control systems, and only in
them. But there was no inherent reason for that, and, these days, we mostly use it
in discretionary access control systems (since there aren't that many mandatory
access control systems around).

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
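The orthogonality rslade describes above can be shown in code: mandatory versus discretionary is about who administers the policy (the system or the object's owner), while rule-based versus role-based is about how a grant is expressed, so each of the four pairings is implementable. The following is an added example written for this page, not code from the post or from any study guide; the subjects, labels, roles and the three-level lattice are constructed for illustration.

```python
"""Added example: rule/role-based mechanisms layered on both MAC and DAC.

Mandatory side: labels and required roles are set by the system; owners
cannot change them. Discretionary side: the owner edits the ACL, and an
entry may name a role (role-based DAC) or carry a rule (rule-based DAC).
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

# Constructed three-level lattice for the mandatory labels.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                   # assigned by the security administrator
    roles: frozenset = frozenset()   # assigned centrally; used by both sides


@dataclass
class Obj:
    name: str
    owner: str
    classification: str                          # MAC label, fixed by the system
    required_roles: frozenset = frozenset()      # role-based MAC, set by the system
    acl: list = field(default_factory=list)      # DAC entries, owner-managed


def mac_rule(subj: Subject, obj: Obj, op: str) -> bool:
    """Rule-based mandatory control: no read up, no write down (Bell-LaPadula style)."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.classification]
    return s >= o if op == "read" else s <= o


def mac_role(subj: Subject, obj: Obj) -> bool:
    """Role-based mandatory control: the administrator tags objects with the roles allowed to touch them."""
    return not obj.required_roles or bool(subj.roles & obj.required_roles)


@dataclass(frozen=True)
class AclEntry:
    principal: str                       # a user name (identity) or a role name
    ops: frozenset
    window: Optional[tuple] = None       # optional (start, end) time-of-day rule


def grant(actor: Subject, obj: Obj, entry: AclEntry) -> None:
    """Only the owner may change the ACL; that is what makes this side discretionary."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} does not own {obj.name}")
    obj.acl.append(entry)


def dac(subj: Subject, obj: Obj, op: str, now: time) -> bool:
    """Discretionary check: owner always passes; otherwise match a user or role entry and its rule."""
    if subj.name == obj.owner:
        return True
    principals = {subj.name} | set(subj.roles)
    for e in obj.acl:
        if e.principal in principals and op in e.ops:
            if e.window is None or e.window[0] <= now <= e.window[1]:
                return True
    return False


def decide(subj: Subject, obj: Obj, op: str, now: time = time(12, 0)) -> tuple:
    """Returns (mandatory_ok, discretionary_ok); a layered system requires both to be True."""
    return (mac_rule(subj, obj, op) and mac_role(subj, obj), dac(subj, obj, op, now))


def demo() -> dict:
    """Constructed scenario: one object, three subjects, four pairings exercised."""
    alice = Subject("alice", "secret", frozenset({"analyst"}))
    bob = Subject("bob", "internal", frozenset({"auditor"}))
    dave = Subject("dave", "secret", frozenset({"analyst"}))
    report = Obj("q3-report", owner="alice", classification="secret",
                 required_roles=frozenset({"analyst", "auditor"}))
    # Role-based DAC: the owner grants a role, not individual people.
    grant(alice, report, AclEntry("auditor", frozenset({"read"})))
    # Rule-based DAC: the owner grants one person, but only during office hours.
    grant(alice, report, AclEntry("dave", frozenset({"read"}), (time(9), time(17))))
    return {
        # owner's discretion cannot override the mandatory label: DAC yes, MAC no
        "bob_read_noon": decide(bob, report, "read", time(12)),
        "dave_read_noon": decide(dave, report, "read", time(12)),
        "dave_read_night": decide(dave, report, "read", time(23)),
        "alice_read": decide(alice, report, "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Bob's case is the one worth noting: the owner has granted his role read access under DAC, yet the mandatory label check still refuses him, which is exactly why the two axes have to be kept separate when studying the models.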
scootoure
Viewer II

Re: CISSP questions

Much appreciated @rslade !