Trusted Computing Base

Which of the following provides the most flexible access control?

A. A subject asserting unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role

Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

The recommended answer is A, A subject asserting unmarried.

This question is designed to help you understand the characteristics of the common access control mechanisms as follows:

  • A subject asserting unmarried ⇒ Attribute-based access control (ABAC)
  • A subject with the Top Secret clearance ⇒ Mandatory access control (MAC)
  • A subject with need-to-know ⇒ Discretionary access control (DAC)
  • A subject assigned to the Admin role ⇒ Role-based access control (RBAC)

Access control mechanism comprises 3 parts: authentication, authorization, and accounting. A subject implies a user or principal completes the identification process and its identity has been authenticated.

A subject’s access to objects must be authorized. ABAC, MAC, DAC, and RBAC can enforce the authorization process.

Attribute-based access control (ABAC)

An entity comes with attributes. For example, a user is an entity with attributes, such as Full Name, Marriage Status, Gender, and Aage, to name a few.

Privileges can be granted by attributes. e.g. Access to the Corporate Bonus Mileage Program, a web page, is granted to those members who are female (gender), married (marriage) and come from Taiwan (nationality).

A subject’s attributes, shaping claims or assertions, are dynamic in nature. It’s the most flexible way among the four mechanisms to implement authorization.

Mandatory access control (MAC)

MAC is based on the subject’s security clearance and the object’s classification level, or label. A security clearance is determined through a formal process. Both security clearance and object label are hard to change.

Discretionary access control (DAC)

DAC is based on the Access Control Matrix, a two-dimension matrix of subjects on the row by objects on the column. A row is a subject’s capability; a column is an object’s access control list.

The granularity of DAC is at the entity level (subject or object). ABAC is at the attribute level.

Role-based access control (RBAC)

As the name suggests, RBAS is based on roles. A role is a named collection of predefined permissions and rights; it usually maps to the organizational structure.

A user assigned a role is automatically granted the predefined permissions and rights. It reduces the administrative burden, unlike that of DAC. As the permissions and rights are predefined, or sometimes hard-coded, it’s not convenient to change them.


The concept of flexibility is not rigidly defined in the question, as the question is designed to help you understand the characteristics of the common access control mechanisms. You can evaluate flexibility in terms of granularity of criteria, convenience to change, and administrative or implementation burden.


1 thought on “CISSP PRACTICE QUESTIONS – 20190514

  1. Pingback: CISSP Practice Questions – Wentz Wu

Leave a Reply