PrepAway - Latest Free Exam Questions & Answers

Which of the following security controls is the BEST option to prevent auditors from accessing or modifying pa

An organization is implementing a password management application which requires that all local
administrator passwords be stored and automatically managed. Auditors will be responsible for
monitoring activities in the application by reviewing the logs. Which of the following security
controls is the BEST option to prevent auditors from accessing or modifying passwords in the
application?

A. Time of day restrictions

B. Create user accounts for the auditors and assign read-only access

C. Mandatory access control

D. Role-based access with read-only

Explanation:
Auditors (employees performing the auditor role) will have access to the application in order to
review the logs. We can therefore assign access based on employee role. This is an example of
role-based access control (RBAC).

To prevent the auditors from modifying passwords in the application, we need to ensure that they
do not have write access. Therefore, you should assign only read access.

Role-based access control (RBAC) models approach the problem of access control based on
established roles in an organization. RBAC models implement access by job function or by
responsibility. Each employee has one or more roles that allow access to specific information. If a
person moves from one role to another, the access for the previous role will no longer be
available.

Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be
able to edit files” and “Denise is a member of the Editors group.” This model is always good for
use in an environment in which there is high employee turnover.
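
The auditor scenario above as a small deny-by-default RBAC check, added here as an illustration and not part of the original explanation. The role names, resource names and the user "omar" are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Role -> allowed (resource, action) pairs. All names here are assumptions.
ROLE_PERMISSIONS = {
    "auditor": {("audit_log", "read")},
    "password_admin": {("password", "read"), ("password", "write")},
}

@dataclass
class Rbac:
    role_permissions: dict
    user_roles: dict = field(default_factory=dict)
    decisions: list = field(default_factory=list)  # what an auditor would review

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def move(self, user, old_role, new_role):
        # Validate and grant the new role first, then drop the old one,
        # so the previous role's access is no longer available.
        self.assign(user, new_role)
        if old_role != new_role:
            self.user_roles[user].discard(old_role)

    def is_allowed(self, user, resource, action):
        # Deny by default: access exists only if a held role grants this pair.
        roles = self.user_roles.get(user, set())
        ok = any((resource, action) in self.role_permissions[r] for r in roles)
        self.decisions.append((user, resource, action, "ALLOW" if ok else "DENY"))
        return ok

def demo():
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign("omar", "auditor")           # constructed users
    rbac.assign("denise", "password_admin")
    out = {
        "auditor_read_log": rbac.is_allowed("omar", "audit_log", "read"),
        "auditor_read_password": rbac.is_allowed("omar", "password", "read"),
        "auditor_write_password": rbac.is_allowed("omar", "password", "write"),
        "admin_write_password": rbac.is_allowed("denise", "password", "write"),
    }
    rbac.move("denise", "password_admin", "auditor")
    out["moved_write_password"] = rbac.is_allowed("denise", "password", "write")
    out["moved_read_log"] = rbac.is_allowed("denise", "audit_log", "read")
    return out, rbac.decisions
```

Permissions attach only to roles, so removing a role removes the access in one step, and the auditor role never carries a password permission to begin with.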
