Correct answer is C
"An example of ABAC would be allowing only users who are type=employees and have department=HR to access the HR/Payroll system and only during business hours within the same timezone as the company."
https://blog.identityautomation.com/rbac-vs-abac-access-control-models-iam-explained#:~:text=Defining%20Attribute%2DBased%20Access%20Control&text=An%20example%20of%20ABAC%20would,same%20timezone%20as%20the%20company.
https://en.wikipedia.org/wiki/Attribute-based_access_control#Attributes
Attributes can be about anything and anyone. They tend to fall into 4 different categories:
1. Subject attributes: attributes that describe the user attempting the access e.g. age, clearance, department, role, job title
2. Action attributes: attributes that describe the action being attempted e.g. read, delete, view, approve
3. Object attributes: attributes that describe the object (or resource) being accessed e.g. the object type (medical record, bank account), the department, the classification or sensitivity, the location
4. Contextual (environment) attributes: attributes that deal with time, location or dynamic aspects of the access control scenario.
The unique feature of attribute-based access control (ABAC) is that a user is granted access to a system based on attributes or characteristics associated with the user, such as job title, security clearance level, location, time of day, and many others. Therefore, the correct answer is A.
Selected answer: A
ABAC is a flexible and dynamic access control model that grants access to a system based on attributes associated with the user, resource, action, and environment. Group affinity is one such attribute that defines the user's membership in a particular group and is used to determine their access privileges within the system.
In contrast, traditional access control models such as role-based access control (RBAC) and discretionary access control (DAC) primarily use static roles and permissions to control access. Time of day, username and password, and biometric authentication are also used in access control, but they are not unique features of ABAC.
Selected Answer: A
With ABAC, an organisation’s access policies enforce access decisions based on the attributes of the subject, resource, action, and environment involved in an access event.
The environment is the broader context of each access request. All environmental attributes speak to contextual factors like the time and location of an access attempt, the subject’s device, communication protocol, and encryption strength. Contextual information can also include risk signals that the organisation has established, such as authentication strength and the subject’s normal behaviour patterns.
It should be C; group affinity, like which department the user is created in, is aligned with attribute-based access control. A is for just-in-time access control, but not attribute-based access control.
So let's define "affinity" = the relationship existing between things or persons that are naturally or involuntarily drawn together.
That to me sounds like ABAC.
upvoted 4 times
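The HR/Payroll policy quoted in the discussion above, written as a deny-by-default ABAC decision over the four attribute categories (subject, action, object, environment). This is an added example, not part of any comment on this page; the attribute names, the UTC-5 company offset, the 09:00-17:00 weekday hours and the allowed actions are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumptions for this example: company clock is a fixed UTC-5 offset,
# business hours are 09:00-17:00 Monday to Friday.
COMPANY_TZ = timezone(timedelta(hours=-5))
OPEN, CLOSE = time(9, 0), time(17, 0)
ALLOWED_ACTIONS = {"read", "view"}  # assumption: the quoted policy names no actions


def hr_payroll_rule(subject, action, obj, env):
    """type=employee AND department=HR AND business hours in the company timezone."""
    local = env["time"].astimezone(COMPANY_TZ)  # evaluate on the company's clock
    return (
        subject.get("type") == "employee"          # subject attribute
        and subject.get("department") == "HR"      # subject attribute
        and action in ALLOWED_ACTIONS              # action attribute
        and obj.get("system") == "HR/Payroll"      # object attribute
        and local.weekday() < 5                    # environment: Mon-Fri
        and OPEN <= local.time() < CLOSE           # environment: time of day
    )


POLICIES = [hr_payroll_rule]


def decide(subject, action, obj, env):
    """Return "PERMIT" only if a rule matches; anything else is "DENY"."""
    t = env.get("time")
    # A missing or timezone-naive timestamp cannot be placed on the company
    # clock, so the environment attribute is unusable: fail closed.
    if not isinstance(t, datetime) or t.tzinfo is None:
        return "DENY"
    return "PERMIT" if any(r(subject, action, obj, env) for r in POLICIES) else "DENY"


if __name__ == "__main__":
    # Constructed sample request: Tuesday 15:00 UTC is 10:00 company time.
    hr_user = {"type": "employee", "department": "HR"}
    payroll = {"system": "HR/Payroll"}
    env = {"time": datetime(2024, 3, 5, 15, 0, tzinfo=timezone.utc)}
    print(decide(hr_user, "read", payroll, env))
```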
JAckThePip (Highly Voted, 2 years, 1 month ago)
jackdryan (1 year, 6 months ago)
explorer3 (Highly Voted, 2 years, 1 month ago)
TheManiac (Most Recent, 6 months, 1 week ago)
74gjd_37 (1 year, 2 months ago)
georgegeorge125487 (1 year, 3 months ago)
Treymb6 (1 year, 9 months ago)
cissp16 (1 year, 9 months ago)
Mr_Zaw (1 year, 10 months ago)
sphenixfire (1 year, 12 months ago)
kuberk (2 years ago)
franbarpro (2 years, 1 month ago)