Which one of the following user classification schemes best reflects what function or functions a user performs?
A. role-based classification
B. rule-based classification
C. group-based classification
D. attribute-based classification
E. rank-based classification
Explanation:
Given the potentially large number of users of a system, access privileges are generally
not assigned at the user level. Instead, users are assigned to groups (mimicking the
organizational structure of a company), or roles (defined based on job functions that
users perform), or some combination of the two. Access privileges are then assigned to
groups and/or roles. The most natural case is that they are assigned to roles, since
roles align more closely with operations users naturally perform to accomplish their
job. The industry term for this is Role-Based Access Control (RBAC). RBAC is more
flexible than defining access rights based on usernames or static groups and enables an
organization to be more versatile when allocating resources.
With RBAC the system must determine if the subject (user or client) is associated with
a role that has been granted access to a resource. This process of user to role
ascertainment is called role mapping.
Incorrect answers
B: Rule-based access control is very similar to fine-grained access control, where access is
controlled by rules defined in policies. The twist is that rules might refer to each other.
For instance, access may be granted to resource/function A as long as it is not also
granted to resource/function B. This form of control can be used to ensure that a
group or individual is not given privileges that create a conflict of interest or
inappropriate level of authority. For instance, the approver of expenses or purchases
cannot be the same as the requestor.
C: Role is better here.
D: There are times when access should be based on characteristics the user has rather
than the organization or roles to which the user belongs. For instance, a customer with
premium status might be granted access to exclusive offers, and a sales representative
that has achieved his target sales revenue might have access to certain perks. Such
levels of status vary over time, making it difficult to manage access based on relatively
static group or role assignments. Attribute-based access control offers a more dynamic
method of evaluation. Decisions are based on attributes assigned to users, which are
free to change as business events unfold. Access policies define the attributes and
values a user must have, and access decisions are evaluated against the current values
assigned to the user. Attributes can be used to support both coarse-grained and
fine-grained authorization.
E: There is no such thing as rank-based classification.
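The three schemes contrasted in the explanation (RBAC role mapping, a rule-based separation-of-duties rule that refers to another grant, and ABAC evaluation against current attribute values) as an added example; this is illustrative code, not from the Oracle reference, and all users, groups, roles, permissions and attributes are constructed sample data.

```python
"""Added example: RBAC role mapping, a rule-based separation-of-duties check,
and an ABAC attribute check. All names and values below are constructed."""
from dataclasses import dataclass, field

# RBAC: privileges attach to roles, never to individual users.
ROLE_PERMISSIONS = {
    "requestor": {"expense:submit"},
    "approver": {"expense:approve"},
    "sales_rep": {"crm:read"},
}
# Groups mirror the org chart; each group carries one or more roles.
GROUP_ROLES = {"finance": {"approver"}, "sales": {"sales_rep", "requestor"}}


@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)         # directly assigned roles
    attributes: dict = field(default_factory=dict)  # ABAC inputs; change over time


def map_roles(subject):
    """Role mapping: resolve the subject's effective roles from groups and direct roles."""
    roles = set(subject.roles)
    for group in subject.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def rbac_permits(subject, permission):
    """Access is granted if any mapped role carries the requested permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in map_roles(subject))


def sod_violations(subject):
    """Rule-based check: a rule that refers to another grant. Submitting and
    approving expenses must never both be granted to the same subject."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in map_roles(subject)))
    conflicts = [("expense:submit", "expense:approve")]
    return [pair for pair in conflicts if set(pair) <= perms]


def abac_permits(subject, policy):
    """ABAC: policy is {attribute: required value}, evaluated against the
    subject's current attribute values rather than a static group or role."""
    return all(subject.attributes.get(k) == v for k, v in policy.items())
```

Running `sod_violations` on a subject who is in both the finance and sales groups surfaces the requestor/approver conflict even though each group on its own is harmless, which is the point of letting rules refer to other grants.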
Reference: Oracle Reference Architecture, Security, Release 3.1