CISSP Official Study Guide pg 682 - "Attribute-Based Access Control: A key characteristic of the Attribute-Based Access Control (ABAC) model is its use of rules that can include multiple attributes."
If it was just managers then Role-Based. Once multiple properties are added it becomes Attribute-Based.
Answer correct
"ABAC can control access based on three different attribute types: user attributes, attributes associated with the application or system to be accessed, and current environmental conditions.
An example of ABAC would be allowing only users who are type=employees and have department=HR to access the HR/Payroll system and only during business hours within the same timezone as the company."
https://blog.identityautomation.com/rbac-vs-abac-access-control-models-iam-explained#:~:text=An%20example%20of%20ABAC%20would,is%20also%20the%20most%20complex.
In ABAC, access decisions are based on attributes of: 1. the user (e.g., type=manager), 2. the resource (e.g., record_type=employee), 3. the environment (e.g., time of access, location).
ABAC defines access control policies based on attributes associated with users, resources, and the environment. In this case, the attributes "type" and "department" are used to determine access privileges.
B. Attribute-based access control (ABAC)
Attribute-based access control (ABAC) uses various attributes and policies to make access control decisions, taking into account specific attributes associated with users, resources, and other factors to determine whether access should be granted or denied. In this scenario, the attributes "type" and "department" are used to control access to employee records based on the user's role and department.
Opinions differ between A and B, but I believe it's A. The problem statement only mentions the role of Sales Manager.
To choose B, I feel there should be additional conditions specified in the problem statement. I would confidently choose B if there were additional conditions like:
Access allowed only from 10 am to 5 pm.
No access on weekends.
Attribute-based access control (ABAC) is a type of access control that uses attributes, such as user roles, department, and location, to determine whether a user has access to a particular resource. In the scenario you provided, the access control system is using attributes such as the user's role (manager) and department (sales) to determine whether they should be granted access to employee records. Therefore, ABAC is the most appropriate type of access control in this scenario.
(Option B)
Attribute-based access control (ABAC) includes a system that allows only users that are type=managers and department=sales to access employee records.
The correct answer is B. Attribute-based access control (ABAC) allows users to access resources based on their attributes, such as their type (e.g. manager) and department (e.g. sales). This type of access control allows for more fine-grained control over access to resources than other types of access control, such as role-based access control (RBAC) or discretionary access control (DAC).
RVoigt (Highly Voted) 1 year, 7 months ago
Soleandheel 9 months, 4 weeks ago
jackdryan 1 year, 4 months ago
JAckThePip (Highly Voted) 2 years ago
BigITGuy (Most Recent) 1 week, 2 days ago
KakekGuru 2 months, 2 weeks ago
629f731 9 months ago
Soleandheel 9 months, 4 weeks ago
[Removed] 10 months, 1 week ago
shmoeee 10 months, 1 week ago
homeysl 11 months, 3 weeks ago
74gjd_37 1 year ago
pete79 1 year, 4 months ago
Dee83 1 year, 8 months ago
DJOEK 1 year, 9 months ago
rajkamal0 1 year, 9 months ago
Ivanchun 1 year, 9 months ago
IXone 1 year, 11 months ago
WiDeBarulho 1 year, 11 months ago
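
The distinction debated in the thread, as an added example that is not part of the original discussion: a role-only (RBAC-style) check next to an ABAC decision that evaluates user, resource and environment attributes together. The policy layout, the function names and the 10:00 to 17:00 weekday window are assumptions chosen for illustration; `type`, `department` and `record_type` are the attribute names used in the comments.

```python
from datetime import datetime

# Constructed policy: every condition must hold, otherwise access is denied.
# "type" and "department" come from the question; "record_type" and the
# time window come from the comments in the thread.
POLICY = {
    "user": {"type": "manager", "department": "sales"},
    "resource": {"record_type": "employee"},
    "environment": {"weekdays_only": True, "start_hour": 10, "end_hour": 17},
}

def rbac_allows(user_roles, required_role="manager"):
    """RBAC-style check: the decision depends only on role membership."""
    return required_role in user_roles

def _attrs_match(required, actual):
    # A missing attribute never matches, so incomplete subjects are denied.
    return all(actual.get(key) == value for key, value in required.items())

def _env_allows(env_rule, when):
    # weekday() returns 5 for Saturday and 6 for Sunday.
    if env_rule.get("weekdays_only") and when.weekday() >= 5:
        return False
    return env_rule["start_hour"] <= when.hour < env_rule["end_hour"]

def abac_allows(user, resource, when, policy=POLICY):
    """ABAC check: user, resource and environment attributes all count."""
    return (
        _attrs_match(policy["user"], user)
        and _attrs_match(policy["resource"], resource)
        and _env_allows(policy["environment"], when)
    )

if __name__ == "__main__":
    record = {"record_type": "employee"}
    sales_mgr = {"type": "manager", "department": "sales"}
    hr_mgr = {"type": "manager", "department": "hr"}
    tuesday_noon = datetime(2024, 1, 2, 12, 0)   # constructed sample times
    saturday_noon = datetime(2024, 1, 6, 12, 0)
    print("RBAC, any manager:", rbac_allows(["manager"]))
    print("ABAC, sales manager, Tue 12:00:", abac_allows(sales_mgr, record, tuesday_noon))
    print("ABAC, HR manager, Tue 12:00:", abac_allows(hr_mgr, record, tuesday_noon))
    print("ABAC, sales manager, Sat 12:00:", abac_allows(sales_mgr, record, saturday_noon))
```

The role-only check admits every manager, while the ABAC decision denies the HR manager and the weekend request even though the role is identical.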