Ann is the data owner of financial records for a company. She has requested that she have the ability to
assign read and write privileges to her folders. The network administrator is tasked with setting up the
initial access control system and handing Ann’s administrative capabilities. Which of the following systems
should be deployed?

A.
Role-based

B.
Mandatory

C.
Discretionary

D.
Rule-based

Explanation:
In a Discretionary Access Control (DAC) model, network users have some fl exibility regarding how
information is accessed. This model allows users to share information dynamically with other users.
Discretionary access control (DAC) allows access to be granted or restricted by an object’s owner based
on user identity and on the discretion of the object owner.
In this question, Ann has requested that she have the ability to assign read and write privileges to her
folders. Read and write access to Ann’s files will be granted by Ann at her discretion. Therefore, this is an
example of Discretionary Access Control.
Incorrect Answers:
A: Role-Based Access Control (RBAC) models approach the problem of access control based on
established roles in an organization. This does not enable Ann to provide access to her files regardless of
user role. Therefore, this answer is incorrect.
B: Mandatory Access Control allows access to be granted or restricted based on the rules of classification.
It does not enable Ann to provide access to her files regardless of user role. Therefore, this answer is
incorrect.
D: Rule-Based Access Control (RBAC) uses the settings in preconfigured security policies to make all
decisions. Ann needs to provide access to her files based on her discretion, not based on preconfigured
security policies. Therefore, this answer is incorrect.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 151-152