CompTIA Security Plus Mock Test Q901

During the information gathering stage of a deploying role-based access control model, which of the following information is MOST likely required?

A. Conditional rules under which certain systems may be accessed
B. Matrix of job titles with required access privileges
C. Clearance levels of all company personnel
D. Normal hours of business operation

Correct Answer: B
Section: Access Control and Identity Management

Explanation:
Role-based access control is a model where access to resources is determines by job role rather than by user account.
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system
users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not
assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the
user’s account; this simplifies common operations, such as adding a user, or changing a user’s department.
To configure role-based access control, you need a list (or matrix) of job titles (roles) and the access privileges that should be assigned to each role.

Incorrect Answers:
A: For role-based access control, you don’t need conditional rules under which certain systems may be accessed; you just need a list of roles and their associated privileges.
C: Clearance levels of all company personnel. Privileges are assigned based on job role rather than directly to individuals.
D: The hours of business operation are not required. Business hours are not related to assigning access privileges.

References:
http://en.wikipedia.org/wiki/Role-based_access_control