[CCCure CISSP] Qs1 Access Control: cccure QuizEngn doubts


Amlan Deb
 
Hello everyone,
 
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them. Request you to please provide a quick reply as I need to appear for the exam in the month of July.
 
Thanks,
Amlan
 

Doubt#1
========

 

175. Question: 1234 | Difficulty: 4/5 | Relevancy: 3/3

In Discretionary Access Control the subject has authority, within certain limitations,

o  but he is not permitted to specify what objects can be accessible, and so we need to get an independent third party to specify what objects can be accessible.

o  to specify what objects can be accessible.

o  to specify on an aggregate basis, without understanding what objects can be accessible.

o  to specify in full detail what objects can be accessible.


The correct answer is:  to specify what objects can be accessible.

With Discretionary Access Control, the subject has authority, within certain limitations, to specify what objects can be accessible.

For example, access control lists can be used. This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access.

When a user, within certain limitations, has the right to alter the access control to certain objects, this is termed user-directed discretionary access control. In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.


References:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

and

HARRIS, Shon, All-In-One CISSP Certification Exam Guide 5th Edition, McGraw-Hill/Osborne, 2010, Chapter 4: Access Control (page 210-211).

Thanks to Craig Meyer for providing a new reference for this question.

Comment:

EXAM TIP:

There are two terms you MUST be familiar with when discussing access control within the CBK.

The first one is SUBJECT and the second one is OBJECT.

A SUBJECT is an active entity accessing OBJECTS. The most common subject is a user, but it could also be a process, an application, etc.

An OBJECT is a passive entity containing data, such as a file, a DB entry, a print queue or an I/O pipe.

Contributors: Rakesh Sud, Sasa Vidanovic, Christian Vezina

Covered topic: Discretionary access control - A means of restricting access to objects where a subject has authority, within certain limitations, to specify what objects can be accessible.

 

My doubt is regarding the following line from the explanation above:

 

In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.

 

Could someone please explain:

 

What is user-based access control?

Is my understanding correct that identity-based access control is another name for Discretionary Access Control?

What is hybrid approach?

 

 

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
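As an added illustration of the ACL-based, user-directed DAC that the quiz explanation describes, here is a small Python model. It is example code written for this page, not code from the CCCure quiz engine, the cited books, or the poster; every class, function and subject name in it (DacStore, Resource, alice, bob, carol, report.txt) is invented. Each object carries an ACL keyed on subject identity, the owner decides who gets in (the discretionary part), and the "within certain limitations" part is enforced by letting only the owner change the ACL and only for permissions the system knows about: a user who was merely granted read access cannot pass it on.

```python
"""Toy model of discretionary access control (DAC) with per-object ACLs.

Added example for this page; not code from the CCCure quiz, the cited
books, or the original post. All class, function and subject names here
(DacStore, Resource, alice, bob, carol, report.txt) are invented.
"""
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write"}  # the only rights this toy system knows


class AccessDenied(Exception):
    """Raised when a subject attempts something its ACL entry does not allow."""


@dataclass
class Resource:
    """An OBJECT: a passive entity with an owner and an identity-keyed ACL."""
    name: str
    owner: str
    # ACL maps subject identity -> set of permissions granted on this object.
    acl: dict = field(default_factory=dict)


class DacStore:
    """Holds objects and enforces the DAC rules.

    Discretionary: the owner decides who may access the object.
    Limitations:   only the owner may alter the ACL, and only known
                   permissions may be granted.
    """

    def __init__(self) -> None:
        self.objects: dict[str, Resource] = {}

    def create(self, subject: str, name: str) -> Resource:
        """A subject creating an object becomes its owner with full rights."""
        res = Resource(name=name, owner=subject, acl={subject: set(PERMISSIONS)})
        self.objects[name] = res
        return res

    def is_allowed(self, subject: str, name: str, perm: str) -> bool:
        """Identity-based check: look up the subject's ACL entry on the object."""
        res = self.objects[name]
        return perm in res.acl.get(subject, set())

    def _require_owner(self, subject: str, res: Resource) -> None:
        if subject != res.owner:
            raise AccessDenied(f"{subject} is not the owner of {res.name}")

    def grant(self, subject: str, name: str, grantee: str, perm: str) -> None:
        """User-directed DAC: the owner extends access to another identity."""
        res = self.objects[name]
        self._require_owner(subject, res)
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        res.acl.setdefault(grantee, set()).add(perm)

    def revoke(self, subject: str, name: str, grantee: str, perm: str) -> None:
        """The owner removes a right; an emptied entry is dropped from the ACL."""
        res = self.objects[name]
        self._require_owner(subject, res)
        entry = res.acl.get(grantee, set())
        entry.discard(perm)
        if not entry:
            res.acl.pop(grantee, None)


def demo() -> dict:
    """Walk through a grant/deny/revoke cycle and return the observed decisions."""
    store = DacStore()
    store.create("alice", "report.txt")          # alice owns report.txt
    out = {"bob_before": store.is_allowed("bob", "report.txt", "read")}
    store.grant("alice", "report.txt", "bob", "read")
    out["bob_read"] = store.is_allowed("bob", "report.txt", "read")
    out["bob_write"] = store.is_allowed("bob", "report.txt", "write")
    # bob has read access but is not the owner, so he cannot re-grant it.
    try:
        store.grant("bob", "report.txt", "carol", "read")
        out["bob_can_regrant"] = True
    except AccessDenied:
        out["bob_can_regrant"] = False
    store.revoke("alice", "report.txt", "bob", "read")
    out["bob_after"] = store.is_allowed("bob", "report.txt", "read")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the ownership check in grant() and revoke(): that check is what keeps the system discretionary but "within certain limitations". Remove it and any subject with an ACL entry could hand out access, which is the uncontrolled sharing that the quiz's third-party and "full detail" distractors gesture at.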