Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?
Attribute Based Access Control (ABAC) uses a combination of various attributes for access control decisions. These attributes can include user attributes (such as role, department, and group membership), resource attributes, environmental attributes (such as time of day and location), and action attributes. In ABAC, decisions are made based on policies that evaluate these attributes rather than predefined roles or identity-based lists. Therefore, the correct characteristics associated with ABAC are not specific methods such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), or Access Control List (ACL). None of the provided options accurately describe the characteristics of ABAC. The focus of ABAC is on a broader set of attributes rather than the mechanisms described in the options.
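An added example (not from the study guide or the original page) of the attribute-based evaluation described above: a small deny-overrides policy evaluator in which a role is just one subject attribute alongside department, device, time of day and network. All policy names, attribute names and sample values are constructed for illustration.

```python
from datetime import time

# Each rule is a predicate over the four attribute categories ABAC evaluates:
# subject (user), resource, action and environment. All names are constructed.
POLICIES = [
    {   # Attribute rule: same-department staff may read during business hours
        "name": "dept-read-business-hours",
        "effect": "permit",
        "when": lambda s, r, a, e: (
            a == "read"
            and s["department"] == r["owner_department"]
            and time(8, 0) <= e["time"] <= time(18, 0)
            and e["network"] == "internal"
        ),
    },
    {   # A role used as one more subject attribute, not as the whole model
        "name": "managers-approve",
        "effect": "permit",
        "when": lambda s, r, a, e: a == "approve" and "manager" in s["roles"],
    },
    {   # Explicit deny wins over any permit
        "name": "no-confidential-on-mobile",
        "effect": "deny",
        "when": lambda s, r, a, e: (
            r["classification"] == "confidential" and s["device"] == "mobile"
        ),
    },
]

def decide(subject, resource, action, env, policies=POLICIES):
    """Return (decision, rule name). Deny overrides; no match means deny."""
    matched = [p for p in policies if p["when"](subject, resource, action, env)]
    for p in matched:
        if p["effect"] == "deny":
            return "deny", p["name"]
    if matched:
        return "permit", matched[0]["name"]
    return "deny", "default-deny"

# Constructed sample request attributes
alice = {"department": "finance", "roles": ["analyst"], "device": "desktop"}
report = {"owner_department": "finance", "classification": "confidential"}
office = {"time": time(10, 30), "network": "internal"}
```

The same user and resource yield different decisions when only the device or the time of day changes, which is the behaviour a role list or an identity-based ACL alone cannot express.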
CISSP Official Study Guide pg 686 - "ABAC models use policies that include multiple attributes for rules. Attributes can be almost any characteristic of users, the network, and devices on the network. For example, user attributes can include group membership, the department where they work, and devices they use such as desktop PCs or mobile devices. The network can be the local internal network, a wireless network, an intranet, or a wide area network (WAN). Devices can include firewalls, proxy servers, web servers, database servers, and more."
I think this might be a typo. I'm going with Rule-Based Access Control and ACL. My reasoning is backed by the Sybex book 9th edition, page 686. Topic on ABAC. ABAC is an advanced form of Rule-Based Access Control. Correct me if I am wrong.
ABAC can be based on your group RBAC or your label MAC.
D is correct
ABAC is an improvement over RuBAC, which is based on merging roles with ACL. 1 role = several actions, i.e. rules.
The correct answer is D. Role Based Access Control (RBAC) and Access Control List (ACL) are the attributes used in Attribute Based Access Control (ABAC). RBAC defines access based on a user's job function within an organization and ACL defines access based on a user's identity.
How can RBAC be an answer? I thought combining RBAC with ABAC makes it a hybrid environment? How is RBAC part of ABAC, that makes no sense?