Effective CISSP Questions

Alice develops a program and has the permissions {read, write, execute} on it. Bob has no permissions on the program but can forcibly take Alice's permissions. Alice was surprised that Eve was able to execute the program, because Bob had granted Eve this permission without Alice's awareness. Which of the following is the authorization mechanism the security kernel implements?
A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Non-discretionary access control

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Discretionary access control.

  • Discretionary access control (DAC) relies on object owners to authorize access, typically based on identity, at their own discretion.
  • Role-based access control (RBAC) assigns permissions to roles that correspond to job positions or tasks. RBAC is non-discretionary; that is, owners cannot authorize access at their discretion.
  • Mandatory access control (MAC) compares a subject's clearance with an object's label according to a security model such as Bell-LaPadula (BLP) or Biba.
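To make the distinction concrete, the following is an added example, not code from the original post: a toy DAC reference monitor built on an access matrix in which rights move by Take-Grant style rules, so Bob's "take" right over Alice and his later grant to Eve never consult the program's owner. The subject and object names come from the question; the take/grant rule set and the audit helper are assumptions of this example.

```python
from collections import defaultdict

READ, WRITE, EXECUTE, TAKE, GRANT = "read", "write", "execute", "take", "grant"


class DACKernel:
    """Toy security kernel enforcing discretionary access control.

    Rights live in an access matrix. A subject holding 'take' over another
    subject may copy that subject's rights (Take-Grant style), and any holder
    of a right may grant it onward. The object's owner is never consulted,
    which is exactly why Alice is surprised in the question.
    """

    def __init__(self):
        self.matrix = defaultdict(set)  # (subject, object) -> set of rights
        self.owner = {}                 # object -> owning subject
        self.log = []                   # audit trail of every right transfer

    def create(self, subject, obj):
        """Owner gets the full discretionary right set on a new object."""
        self.owner[obj] = subject
        self.matrix[(subject, obj)] |= {READ, WRITE, EXECUTE}

    def authorize(self, subject, obj, right):
        """The reference-monitor check: is the right in the matrix cell?"""
        return right in self.matrix[(subject, obj)]

    def take(self, taker, victim, obj):
        """Copy victim's rights on obj to taker; requires TAKE over victim."""
        if not self.authorize(taker, victim, TAKE):
            raise PermissionError(f"{taker} may not take from {victim}")
        rights = set(self.matrix[(victim, obj)])
        self.matrix[(taker, obj)] |= rights
        self.log.append(("take", taker, victim, obj, frozenset(rights)))

    def grant(self, grantor, grantee, obj, right):
        """Pass a held right to another subject; no owner approval needed."""
        if not self.authorize(grantor, obj, right):
            raise PermissionError(f"{grantor} lacks {right} on {obj}")
        self.matrix[(grantee, obj)].add(right)
        self.log.append(("grant", grantor, grantee, obj, right))

    def transfers_without_owner(self, obj):
        """Audit helper (assumed): transfers of obj's rights not made by its owner."""
        return [e for e in self.log if e[3] == obj and e[1] != self.owner[obj]]


def scenario():
    """Replay the question: Alice creates, Bob takes, Bob grants execute to Eve."""
    k = DACKernel()
    k.create("alice", "program")
    k.matrix[("bob", "alice")].add(TAKE)   # constructed setup: Bob can take from Alice
    k.take("bob", "alice", "program")      # Bob now holds read/write/execute
    k.grant("bob", "eve", "program", EXECUTE)
    return k
```

Running `scenario()` and then `transfers_without_owner("program")` shows both transfers bypassed Alice, which is the audit signal a defender would want from a DAC system.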
[Figure: TCB Access Control]

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

