PrepAway - Latest Free Exam Questions & Answers

The access controls may be based on:

In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines
what subjects can have access to certain objects based on the organizational security policy. The access
controls may be based on:

A. The society’s role in the organization

B. The individual’s role in the organization

C. The group-dynamics as they relate to the individual’s role in the organization

D. The group-dynamics as they relate to the master-slave role in the organization

Explanation:
With Non-Discretionary Access Control, a central authority determines what subjects can have access to
certain objects based on the organizational security policy. The access controls may be based on the
individual’s role in the organization (role-based access control) or the subject’s responsibilities and duties (task-based access control). In an organization where there are frequent personnel changes, non-discretionary
access control is useful because the access controls are based on the individual’s role or title within the
organization. These access controls do not need to be changed whenever a new person takes over that role.
Incorrect Answers:
A: In RBAC, the access controls are based on the individual’s role in the organization, not the society’s role in
the organization.
C: In RBAC, the access controls are based on the individual’s role in the organization, not the group-dynamics
as they relate to the individual’s role in the organization.
D: In RBAC, the access controls are based on the individual’s role in the organization, not the group-dynamics
as they relate to the master-slave role in the organization.

Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley
Publishing, Indianapolis, 2007, p. 48

