CISSP Official Study Guide pg 686 - "ABAC models use policies that include multiple attributes for rules. Attributes can be almost any characteristic of users, the network, and devices on the network. For example, user attributes can include group membership, the department where they work, and devices they use such as desktop PCs or mobile devices. The network can be the local internal network, a wireless network, an intranet, or a wide area network (WAN). Devices can include firewalls, proxy servers, web servers, database servers, and more."
ABAC uses a set of attributes to make access decisions. While ABAC is distinct from RBAC and ACL, it can incorporate characteristics from both. RBAC contributes the idea of using roles as an attribute. In ABAC, roles are just one of many possible attributes. ACL contributes the concept of explicit permissions, but in ABAC, permissions are granted based on matching attributes rather than just listing users or roles directly.
I picked C from the start.
From Perplexity - While none of the options perfectly describe ABAC, C is the best choice because ABAC can incorporate elements of both RBAC and MAC, depending on how attributes are defined and policies are enforced:
RBAC: ABAC can use roles as one of many attributes for decision-making.
MAC: ABAC can enforce strict access rules based on attributes like security classifications.
ABAC is a more flexible and dynamic model than RBAC or MAC, but since these models can be implemented using attributes, C is the closest match for the CISSP exam.
Deepseek - Role-Based Access Control (RBAC): ABAC extends RBAC by using roles as one of the attributes in its decision-making process.
Mandatory Access Control (MAC): ABAC incorporates policy-driven access decisions, similar to MAC, where access is determined by a central authority based on predefined rules and labels.
While D mentions RBAC (which is relevant to ABAC), the inclusion of ACLs makes it incorrect. Therefore, C is the best choice for the CISSP exam.
ACL is a network function and does not take any criteria other than Layer 3 (IP address and port number). ABAC is a combination of RBAC + Policy (say time of the day - MAC strongly adheres to this). Hence C is the option.
Answer is C as per: The CISSP Official Study Guide, Domain 5 (Identity and Access Management), describes ABAC as a dynamic access control model that evaluates multiple attributes, integrating principles from RBAC and MAC, but exceeding their capabilities with granular, policy-driven access control. Additionally, NIST SP 800-162 provides guidance on ABAC.
The correct answer is D. Role Based Access Control (RBAC) and Access Control List (ACL) are the attributes used in Attribute Based Access Control (ABAC). RBAC defines access based on a user's job function within an organization and ACL defines access based on a user's identity.
I think this might be a typo. I'm going with Rule-Based Access Control and ACL. My reasoning is backed by the Sybex book, 9th edition, page 686, topic on ABAC. ABAC is an advanced form of Rule-Based Access Control. Correct me if I am wrong.
upvoted 3 times
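As an added illustration of the models debated in the comments above (not part of the thread or of any cited source), this sketch evaluates an ABAC decision in which role is only one attribute among several and a clearance label is checked MAC-style. All attribute names, rules and sample users are constructed assumptions.

```python
from datetime import time

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed label ordering

def dominates(subject, resource):
    """MAC-like check: clearance must be at least the resource classification."""
    have = LEVELS.get(subject.get("clearance"), -1)        # unknown clearance: lowest
    need = LEVELS.get(resource.get("classification"), 99)  # unknown label: unreachable
    return have >= need

# Hypothetical rules. Each predicate sees subject, resource, environment, action.
RULES = [
    ("accountant reads ledger on internal network from desktop",
     lambda s, r, e, a: a == "read" and s.get("role") == "accountant"
     and r.get("type") == "ledger" and e.get("network") == "internal"
     and e.get("device") == "desktop"),
    ("finance staff read ledger from mobile over intranet in business hours",
     lambda s, r, e, a: a == "read" and s.get("department") == "finance"
     and r.get("type") == "ledger" and e.get("network") == "intranet"
     and e.get("device") == "mobile"
     and time(8, 0) <= e.get("time", time(0, 0)) <= time(18, 0)),
]

def decide(subject, resource, env, action):
    """Default deny: the label check is mandatory, then one rule must match."""
    if not dominates(subject, resource):
        return ("deny", "clearance below classification")
    for name, predicate in RULES:
        if predicate(subject, resource, env, action):
            return ("permit", name)
    return ("deny", "no matching rule")

# Constructed sample subjects, resource and environments.
ALICE = {"role": "accountant", "department": "finance", "clearance": "confidential"}
BOB = {"role": "accountant", "department": "finance", "clearance": "public"}
CAROL = {"role": "analyst", "department": "finance", "clearance": "secret"}
LEDGER = {"type": "ledger", "classification": "confidential"}
DESK = {"network": "internal", "device": "desktop", "time": time(10, 0)}
PHONE_DAY = {"network": "intranet", "device": "mobile", "time": time(9, 30)}
PHONE_NIGHT = {"network": "intranet", "device": "mobile", "time": time(22, 0)}

if __name__ == "__main__":
    for who, env in [(ALICE, DESK), (BOB, DESK), (CAROL, PHONE_DAY), (CAROL, PHONE_NIGHT)]:
        print(who["role"], who["clearance"], env["device"], decide(who, LEDGER, env, "read"))
```

The same role yields different outcomes for ALICE and BOB because the clearance attribute differs, and CAROL is permitted without the accountant role because department, network, device and time of day match the second rule.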
RVoigt (Highly Voted, 2 years, 1 month ago)
BigITGuy (Most Recent, 1 week, 2 days ago)
cysec_4_lyfe (1 month, 1 week ago)
Passmi (1 month, 2 weeks ago)
Tuhaar (3 months, 3 weeks ago)
Tuhaar (4 months, 1 week ago)
klarak (11 months, 3 weeks ago)
74gjd_37 (1 year, 6 months ago)
georgegeorge125487 (1 year, 7 months ago)
Tygrond87 (1 year, 11 months ago)
jackdryan (1 year, 11 months ago)
iwannapass (2 years, 1 month ago)