Exam CISSP topic 1 question 172 discussion

CISSP Official Study Guide pg 686 - "ABAC models use policies that include multiple attributes for rules. Attributes can be almost any characteristic of users, the network, and devices on the network. For example, user attributes can include group membership, the department where they work, and devices they use such as desktop PCs or mobile devices. The network can be the local internal network, a wireless network, an intranet, or a wide area network (WAN). Devices can include firewalls, proxy servers, web servers, database servers, and more."

ACL is a network function and does not take any criteria other than Layer 3 (IP address and port number). ABAC is a combination of RBAC + Policy (say time of the day - MAC strongly adheres to this). Hence C is the option

Answer is C as per: The CISSP Official Study Guide, Domain 5 (Identity and Access Management), describes ABAC as a dynamic access control model that evaluates multiple attributes, integrating principles from RBAC and MAC, but exceeding their capabilities with granular, policy-driven access control. Additionally, NIST SP 800-162 provides guidance on ABAC.

How can RBAC be an answer? I thought combining RBAC with ABAC makes it a hybrid environment? How is RBAC part of ABAC, that makes no sense?

The correct answer is D. Role Based Access Control (RBAC) and Access Control List (ACL) are the attributes used in Attribute Based Access Control (ABAC). RBAC defines access based on a user's job function within an organization and ACL defines access based on a user's identity.

ABAC is an improvments over RuBAC which is based on merging roles with ACL. 1 role = several sevral actions i.e. rules.

Abac can be based on your group RBAC or your label MAC

I think this might be a typo. I'm going with Rule-Based Access Control and ACL. My reasoning is backed by the sybex book 9th edition, page 686. Topic on ADAC. ADAC is an advanced form of Rule-Based Access Control . Correct me if i am wrong.