PrepAway - Latest Free Exam Questions & Answers

Which of the following does not describe privacy-aware role-based access control?

A. It is an example of a discretionary access control model.

B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.

C. It is an extension of role-based access control.

D. It should be used to integrate privacy policies and access control policies.

Explanation:

A: A system that uses discretionary access control (DAC) enables the owner of a resource to specify which subjects can access it. The model is called discretionary because access is controlled at the discretion of the owner. Department managers or business unit managers are often the owners of the data within their specific department. As owners, they can specify who should have access and who should not. Privacy-aware role-based access control is an extension of role-based access control (RBAC). There are three main access control models: DAC, mandatory access control (MAC), and RBAC. Privacy-aware role-based access control is a type of RBAC, not DAC.

B is incorrect because privacy-aware role-based access control is based on detailed access controls that indicate the type of data that users can access based on the data’s level of privacy sensitivity. Other access control models, such as MAC, DAC, and RBAC, do not lend themselves to protecting the level of privacy of data, only the functions that users can carry out. For example, managers may be able to access a privacy folder, but more detailed access control is needed to indicate, for example, that they can access customers’ home addresses but not Social Security numbers. The industry has advanced to needing much more detail-oriented access control for sensitive privacy information such as Social Security numbers and credit card data, which is why privacy-aware role-based access control was developed.

C is incorrect because privacy-aware role-based access control is an extension of role-based access control. Access rights are determined based on the user’s role and responsibilities within the company, and on the level of privacy of the data they need access to.

D is incorrect because the languages used for privacy policies and access control policies should be either the same or integrated when using privacy-aware role-based access control. The goal of privacy-aware role-based access control is to make access control much more detailed and focused on privacy-related data, so it should use the same type of terms and language as the organization’s original access control policy and standards.

