An organization has implemented an enterprise resource planning (ERP) system used by 500
employees from various departments. Which of the following access control approaches is MOST
appropriate?
A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based
Explanation:
Role-based access control is effective and efficient in large user communities because it controls
system access by the roles defined for groups of users. Users are assigned to the various roles
and the system controls the access based on those roles. Rule-based access control needs to
define the access rules, which is troublesome and error-prone in large organizations. In mandatory
access control, the individual’s access to information resources needs to be defined, which is
troublesome in large organizations. In discretionary access control, users have access to
resources based on predefined sets of principles, which is an inherently insecure approach.