PrepAway - Latest Free Exam Questions & Answers

An access control policy for a bank teller is an example of the implementation of which of the following?

A. Rule-based policy

B. Identity-based policy

C. User-based policy

D. Role-based policy

Explanation:
Role-based access control is a model where access to resources is determined by job role rather than by user
account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a
role-based policy.
Within an organization, roles are created for various job functions. The permissions to perform certain
operations are assigned to specific roles. Members or staff (or other system users) are assigned particular
roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role
(or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the
user’s account; this simplifies common operations, such as adding a user, or changing a user’s department.
Incorrect Answers:
A: With Rule-Based Access Control, access is allowed or denied to resources based on a set of rules. The
rules could be membership of a group, time of day etc. This model is not used to provide access to resources
to someone performing a job role such as a bank teller.
B: Bank Teller is a job role, not an identity. In an identity-based policy, access to resources is determined by the
identity of the user, not the role of the user.
C: A user-based policy would be similar to an identity-based policy whereby access to resources is determined
by who the user is, not what role the user performs.

http://en.wikipedia.org/wiki/Role-based_access_control

