Which of the following best describes the main idea behind Role-based Access Control (RBAC)?
Think about how permissions are grouped and assigned in RBAC.
RBAC assigns permissions to roles, not directly to users. Users get permissions by being assigned roles, which simplifies management.
Which of the following is NOT a standard component of RBAC?
Consider what RBAC manages directly versus what is used for data protection.
RBAC manages users, roles, and permissions. Encryption keys are related to data security but not a core RBAC component.
A company has roles: 'Employee', 'Manager', and 'Admin'. Only 'Admin' can delete records. If a user is assigned both 'Employee' and 'Manager' roles, which actions can they perform?
Think about how permissions are combined from assigned roles.
A user's effective permissions are the union of the permissions of every role assigned to them. Neither 'Employee' nor 'Manager' grants the delete permission, so holding both roles still does not let the user delete records; only a user assigned 'Admin' can.
Which of the following is a primary benefit of using RBAC in an organization?
Consider how RBAC affects permission management.
RBAC simplifies access management by assigning permissions to roles instead of individual users, making it easier to manage large numbers of users.
In RBAC, what is the purpose of a 'separation of duties' constraint?
Think about why some permissions should not be combined in one user.
Separation of duties ensures that no single user can hold a combination of permissions that would let them both perform and approve a sensitive action, which limits fraud and the impact of mistakes. In RBAC this is expressed as mutually exclusive roles: a static constraint prevents both roles from being assigned to the same user, and a dynamic constraint prevents both from being active in the same session.
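The two mechanics the quiz asks about, permissions as the union of a user's roles and a static separation-of-duties constraint on role assignment, as an added worked example. This is illustration code written for this page, not code from any product or standard. The role names come from the quiz; the permission strings and the choice of 'Manager' and 'Admin' as a mutually exclusive pair are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy mirroring the quiz: three roles, and only Admin may delete records.
# The permission strings are illustrative; the quiz only states who may delete.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "Employee": {"record:read"},
    "Manager": {"record:read", "record:update", "report:approve"},
    "Admin": {"record:read", "record:update", "record:delete", "user:manage"},
}

# Static separation-of-duties constraint: no single user may hold both roles of a pair.
# The Manager/Admin conflict is a hypothetical pairing chosen for illustration.
SOD_EXCLUSIVE_PAIRS: set[frozenset[str]] = {frozenset({"Manager", "Admin"})}


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would violate a static SoD constraint."""


@dataclass
class RBAC:
    role_permissions: dict[str, set[str]]
    exclusive_pairs: set[frozenset[str]]
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def sod_conflict(self, user: str, role: str) -> Optional[str]:
        """Return the already-held role that is exclusive with `role`, or None."""
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in self.exclusive_pairs:
                return held
        return None

    def assign_role(self, user: str, role: str) -> None:
        """Assign a role to a user, refusing assignments that violate SoD."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        conflict = self.sod_conflict(user, role)
        if conflict is not None:
            raise SeparationOfDutiesError(
                f"{user!r} already holds {conflict!r}, which is exclusive with {role!r}"
            )
        self.user_roles.setdefault(user, set()).add(role)

    def effective_permissions(self, user: str) -> set[str]:
        """Union of the permission sets of every role assigned to the user."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Authorization check: the user has the permission via at least one role."""
        return permission in self.effective_permissions(user)


def demo() -> dict[str, object]:
    """Replay the quiz scenario: alice holds Employee and Manager, then tries Admin."""
    rbac = RBAC(ROLE_PERMISSIONS, SOD_EXCLUSIVE_PAIRS)
    rbac.assign_role("alice", "Employee")
    rbac.assign_role("alice", "Manager")
    try:
        rbac.assign_role("alice", "Admin")  # blocked by the Manager/Admin SoD pair
        sod_blocked = False
    except SeparationOfDutiesError:
        sod_blocked = True
    return {
        "alice_permissions": rbac.effective_permissions("alice"),
        "alice_can_delete": rbac.is_allowed("alice", "record:delete"),
        "alice_can_approve": rbac.is_allowed("alice", "report:approve"),
        "sod_blocked_admin": sod_blocked,
        "alice_roles_after": rbac.user_roles["alice"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows that alice's permissions are exactly the union of the 'Employee' and 'Manager' sets (so `record:delete` is denied), and that the SoD check rejects the 'Admin' assignment while leaving her existing roles untouched. The constraint is enforced at assignment time, which is what makes it a static SoD rule; a dynamic rule would instead be checked when roles are activated for a session.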