Identity & Access Management Question
tonyz90
Taking my CISSP exam this upcoming Saturday (21 November) and getting some studying in but have a question.
Looking through the ISC2 CBK Fourth Edition I see that it mentions the different types of Access Controls as:
Role-Based Access Control (doesn't say NDAC or DAC)
and then places Rule-Based Access Control as most commonly a form of DAC
yet the Eric Conrad CISSP Study Guide 2nd Edition mentions Role-Based Access Control under NDAC and explains NDAC as:
"RBAC is a type of non-discretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects."
Under Eric Conrad's definition I would place both Role-Based and Rule-Based access controls as NDAC... but the fact that the Official Guide says Rule-Based is most commonly a form of DAC trips me up.
What do you guys think?
Also, any last-minute advice would be extremely helpful. So far I have looked through the CBK and Eric Conrad's book as well as watched the cybrary.it videos and answered about 800 questions on CCCure.
Thanks in advance.
Comments
TechGuru80
It would probably depend on the context of the situation. If I set a permission rule (technically permissions would be rules), then it is obviously DAC. It really boils down to who is setting the rule...owner = DAC, somebody other than the owner = MAC.
Anytime in the world that I have seen permission types mentioned it has been DAC, MAC, RBAC...and I would assume Rule-based would be stated as such since that could be confusing. I haven't ever really seen references to NDAC...although obviously if it's not DAC...it would be NDAC.
Relax, keep going relatively hard through Thursday and do a light review Friday. Good luck!