An organization is implementing a password management application which requires that all local administrator
passwords be stored and automatically managed. Auditors will be responsible for monitoring activities in the
application by reviewing the logs. Which of the following security controls is the BEST option to prevent auditors
from accessing or modifying passwords in the application?

A.
Time of day restrictions

B.
Create user accounts for the auditors and assign read-only access

C.
Mandatory access control

D.
Role-based access with read-only

Explanation:
Auditors (employees performing the auditor role) will have access application by reviewing the logs. We can
therefore assign access based on employee role. This is an example of Role-based access control (RBAC).
To prevent the auditors from modifying passwords in the application, we need to ensure that they do not have
write access. Therefore, you should assign only read access.
Role-Based Access Control (RBAC) models approach the problem of access control based on established
roles in an organization. RBAC models implement access by job function or by responsibility. Each employee
has one or more roles that allow access to specific information. If a person moves from one role to another, the
access for the previous role will no longer be available.
Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be able to edit
files” and “Denise is a member of the Editors group.” This model is always good for use in an environment in
which there is high employee turnover.