Which of the following are the primary rules to apply RBAC-based delegation for a user on a network? Each correct answer represents a complete solution. Choose all that apply.

A.
Authorization of Role

B.
Assignment of Roles

C.
Assignment of Permission

D.
Authorization of Permission

Explanation:
Role-based access control (or role-based security) is an approach to restricting system access to authorized users within an organization. In role-based access control, roles are created for various job functions. To perform certain operations, permissions are assigned to specific roles rather than individuals. Since users are not assigned permission directly, management of individual user rights becomes a matter of simply assigning appropriate roles to the user. There are three primary rules defined for RBAC:
Assignment of Roles: A subject can exercise a permission only if the subject has selected or been assigned a role.
Authorization of Role: A subjects active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. Authorization of Permission: A subject can exercise a permission only if the permission is authorized for the subject’s active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

According to the requirements of an organization, additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.

Answer option C is incorrect. In role-based access control, no permission is assigned to a user directly. Instead, permissions are assigned to a role and that role is assigned to the user.