Exam CISSP topic 1 question 71 discussion

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf

A discretionary access control (DAC) system would show how the owner of the objects allows access, allows owners to determine who can access objects they control.

The access control method that is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context is called Attribute Based Access Control (ABAC). In ABAC, access decisions are made based on various attributes or characteristics associated with users, resources, and the environment. These attributes can include user roles, job titles, time of day, location, device type, and any other relevant contextual information. Policies are defined using these attributes, and access requests are evaluated against these policies to determine whether access should be granted or denied. ABAC offers a more flexible and fine-grained access control approach compared to other methods such as Role Based Access Control (RBAC) or Discretionary Access Control (DAC). It allows organizations to define access control policies based on dynamic and contextual factors, providing granular control over resource access and helping to enforce security requirements based on specific conditions.

ABAC is the correct answer https://techgenix.com/5-access-control-types-comparison/

Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment attributes.

From Official study guide 9th edition page 682 Attribute-Based Access Control A key characteristic of the Attribute-Based Access Control (ABAC) model is its use of rules that can include multiple attributes. This allows it to be much more flexible than a rule-based access control model that applies the rules to all subjects equally. Many software-defined networks (SDNs) use the ABAC model. Additionally, ABAC allows administrators to create rules within a policy using plain language statements such as “Allow Managers to access the WAN using a mobile device.”

Attribute-based access control (ABAC) is an authorization model that evaluates attributes (or characteristics), rather than roles, to determine access. The purpose of ABAC is to protect objects such as data, network devices, and IT resources from unauthorized users and actions—those that don’t have “approved” characteristics as defined by an organization’s security policies. https://www.okta.com/blog/2020/09/attribute-based-access-control-abac/

The question is talking about Zero Trust lol. "B" attribute.

Mandatory Access Control 1. Access control policy 2. Classification or sensitivity labels for objects 3. Clearance or privilege labels for subjects