Explore the differences and features of RBAC, ABAC, and DAC access control models with this quiz designed for security professionals. Enhance your understanding of crucial security testing concepts and choose the right model for specific scenarios in access management.
Which characteristic best distinguishes Attribute-Based Access Control (ABAC) from Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) when granting user permissions?
Explanation: ABAC grants access by evaluating attributes related to users, resources, and the environment, often following complex policy rules. RBAC, on the other hand, assigns permissions based on predefined roles within an organization. DAC gives resource owners authority to manage access, while ABAC does not rely on owner discretion or roles. Two-factor authentication is an authentication mechanism, not the fundamental principle behind ABAC.
Given a scenario where a user can share a document with any other user and even modify permissions, which access control model does this scenario best exemplify?
Explanation: DAC lets individual users, or resource owners, decide who can access their resources and adjust permissions, matching the scenario where users can directly share documents and modify access. RBAC restricts permissions based on roles, not user discretion. MAC is centrally controlled and does not permit user-driven sharing. ABAC could allow sharing based on attributes but does not inherently give ownership control to users.
Which statement best describes the complexity of policy administration in ABAC compared to RBAC?
Explanation: ABAC often requires policies to process numerous attributes (such as time, location, and resource type), making its administration potentially more complex than RBAC, which relies primarily on associating users with roles. Claiming that ABAC is always less complex is incorrect; complexity typically increases with flexible attribute handling. RBAC does not require environmental attributes by default, and the complexity between the two models is not identical.
In which access control model are permissions ideally organized according to organizational job functions such as 'manager', 'analyst', or 'assistant'?
Explanation: In RBAC, permissions are grouped according to roles that correspond to job functions, simplifying administration across the organization. ABAC focuses instead on dynamic attribute evaluations, not static roles. Rule-Based Access Control uses rules rather than roles, and DAC is based on resource ownership rather than job-function organization.
What is a primary security concern associated with Discretionary Access Control (DAC) compared to RBAC and ABAC?
Explanation: A notable concern with DAC is that resource owners may inadvertently grant access to malicious or unauthorized users, potentially leading to data leakage. By contrast, RBAC and ABAC provide more controlled, policy-driven mechanisms for managing permissions. DAC does allow sharing, so the second option is incorrect. Automatic enforcement based on time or environment is characteristic of ABAC, not DAC.