An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based
Explanation:
Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is troublesome and error-prone in large organizations. In mandatory access control, the individual’s access to information resources needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.