RBAC DISCREPANCY

tonyteixeira Member Posts: 7 ■□□□□□□□□□
Hi Everyone,

I am finding out that different authors have different opinions on certain topics. My study tools include the LearnKey Security+ CDs, Exam Cram 2 Security+, Security+ Second Edition (Sybex), Transcender Security+ 1.0, ExamWise and xxxxx.

One source says "In a role based model, users can only be assigned one role"

another source says "A user can be assigned one or more roles"

My thought is that it is possible to assign a user one or more roles, BUT it is not the correct way to implement RBAC access control.....so my answer would be "In a role based model, users can only be assigned one role".

Anybody have any input on this?

Thanks
Tony

Comments

  • RussS Member Posts: 2,068 ■■■□□□□□□□
    Nope - Role based allows for a user to have several roles and to belong to several groups. I will quote Tcat, as my own example would probably be confusing.
    With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, such as “human resources rep” or “accounts payable data entry clerk”, and each role is assigned one or more privileges that are permitted to users in that role, such as the right to access certain applications.
    www.supercross.com
    FIM website of the year 2007
  • tonyteixeira Member Posts: 7 ■□□□□□□□□□
    RussS,
    Thanks for information.
    Just an FYI.....
    Here is a quote from Exam Cram 2.

    "Roles and Groups both provide ways of controlling user access, but in a group environment, users can belong to other groups. In a Role based model, users can be assigned only one role."

    Transcender also supports your answer, and I always found Transcender a great learning tool.

    Thanks Again!
    Tony
  • RussS Member Posts: 2,068 ■■■□□□□□□□
    Very confusing, that. In the context that I have always been familiar with, a group is considered a role.

    One of the things you will find out there while studying for Sec+ is that many different authors have conflicting views on many different subjects under the published scope of the exam.
    www.supercross.com
    FIM website of the year 2007
  • tonyteixeira Member Posts: 7 ■□□□□□□□□□
    Yes it is! I am teaching the technicians in my district CompTIA A+ and Network+......I always find discrepancies among the authors. In the case of my RBAC discrepancy....I am going with your answer if it comes up on my test.

    Thanks
    Tony
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,672
    Both are correct. An OS using RBAC can support a single-role or a multiple-role model. The single-role model is easier to administer and much less likely to cause permission conflicts than allowing a user to assume multiple, simultaneous roles. This is identical to the concepts of single- and multiple-inheritance in object oriented programming.

    Here's a blurb about it from a text on RBAC issues:

    Some systems allow a user to simultaneously take on multiple roles in a session, while others allow the user to assume only one role at a time. If multiple simultaneous roles are allowed, some systems turn on all roles of the user while others allow the user to select which roles are turned on in a particular session. (There is an analogous situation with respect to groups in operating systems.)
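The distinction JDMurray draws (roles a user is *assigned* versus roles *activated* in a session, under a single-role or multiple-role policy) is easy to see in code. The following is an added illustration, not code from the thread or from any RBAC product; the role, permission and user names are constructed for the example.

```python
"""Toy RBAC model: assignment vs. session activation, single- vs multi-role.
Added example for this thread; policy data below is constructed."""
from dataclasses import dataclass, field

# Constructed sample policy: each role grants a set of privileges.
ROLE_PERMS = {
    "hr_rep": {"read_personnel_file", "update_personnel_file"},
    "ap_clerk": {"enter_invoice", "read_vendor_list"},
    "auditor": {"read_personnel_file", "read_vendor_list", "read_ledger"},
}

# Users are *assigned* one or more roles; a session *activates* a subset.
USER_ROLES = {
    "tony": {"hr_rep", "ap_clerk", "auditor"},
    "russ": {"ap_clerk"},
}


class RbacError(Exception):
    """Raised when an activation violates assignment or policy."""


@dataclass
class Session:
    user: str
    single_role: bool              # policy: only one role active at a time
    active: set = field(default_factory=set)

    def activate(self, *roles):
        """Turn on roles for this session. Rejects roles the user was never
        assigned, and under the single-role policy rejects any attempt to
        hold two roles at once (which is what prevents privilege stacking)."""
        assigned = USER_ROLES.get(self.user, set())
        for r in roles:
            if r not in assigned:
                raise RbacError(f"{self.user} is not assigned role {r}")
        if self.single_role and len(self.active | set(roles)) > 1:
            raise RbacError("single-role policy: one active role per session")
        self.active |= set(roles)
        return self

    def activate_all(self):
        """The 'turn on all roles of the user' variant from the quoted text."""
        return self.activate(*USER_ROLES.get(self.user, set()))

    def permissions(self):
        """Effective privileges = union of privileges of the *active* roles."""
        return set().union(*(ROLE_PERMS[r] for r in self.active))

    def can(self, perm):
        return perm in self.permissions()
```

Under the multiple-role policy, `activate_all()` gives tony every privilege of all three roles at once, while the single-role policy forces him to pick one role per session, which is why it is easier to reason about conflicts.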