Page 1026 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
subjects have access to resources through their membership in roles. Roles are based on jobs or tasks, and administrators assign privileges to the role. The RBAC model is useful for enforcing the principle of least privilege because privileges can easily be revoked by removing user accounts from a role.
It’s easy to confuse DAC and RBAC because they can both use groups to organize users into manageable units, but they differ in their deployment and use. In the DAC model, objects have owners and the owner determines who has access. In the RBAC model, administrators determine subject privileges and assign appropriate privileges to roles or groups. In a strict RBAC model, administrators do not assign privileges to users directly but only grant privileges by adding user accounts to roles or groups.
Another method related to RBAC is task-based access control (TBAC). TBAC is similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks. These items all relate to assigned work tasks for the person associated with a user account. Under TBAC, the focus is on controlling access by assigned tasks rather than by user identity.
Application Roles
Many applications use the RBAC model because the roles reduce the overall labor cost of maintaining the application. As a simple example, WordPress is a popular web-based application used for blogging and as a content management system.
WordPress includes five roles organized in a hierarchy. The roles, listed from least privileges to the most privileges, are subscriber, contributor, author, editor, and administrator. Each higher-level role includes all the privileges of the lower-level role.
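The following is an added example, not code from the study guide or from WordPress, that puts the two points above into working form: a strict RBAC engine in which privileges attach only to roles (there is no way to grant a privilege to a user directly, and removing a role membership revokes everything that came with it), a role hierarchy in which each higher role inherits the privileges of the roles below it, and a DAC object alongside for contrast, where only the owner decides who gets access. The role names follow the WordPress ladder listed in the text; the privilege names, the `StrictRBAC` and `DACDocument` classes, and the user names are constructed for this example and are not WordPress's real capability names or API.

```python
"""Added example: a tiny hierarchical RBAC engine modelled on the WordPress
role ladder described in the text, with a DAC object alongside for contrast."""
from dataclasses import dataclass, field

# The five WordPress roles from least to most privileged, as listed in the text.
ROLE_ORDER = ["subscriber", "contributor", "author", "editor", "administrator"]

# Privileges each role adds on top of the roles below it. The privilege names
# are constructed for this example; they are not WordPress's real capability names.
ROLE_PRIVILEGES = {
    "subscriber": {"edit_own_profile"},
    "contributor": {"create_draft", "edit_own_draft", "delete_own_draft"},
    "author": {"publish_own_post"},
    "editor": {"edit_any_post", "publish_any_post"},
    "administrator": {"manage_users", "manage_settings"},
}


def effective_privileges(role):
    """A role inherits every privilege of the roles below it in the hierarchy."""
    level = ROLE_ORDER.index(role)  # raises ValueError for an unknown role
    privileges = set()
    for lower_or_equal in ROLE_ORDER[: level + 1]:
        privileges |= ROLE_PRIVILEGES[lower_or_equal]
    return privileges


class StrictRBAC:
    """Strict RBAC: privileges attach to roles only. There is deliberately no
    method that grants a privilege to a user directly; the only way to change
    what a user can do is to add them to or remove them from a role."""

    def __init__(self):
        self._members = {role: set() for role in ROLE_ORDER}

    def assign_role(self, user, role):
        self._members[role].add(user)

    def revoke_role(self, user, role):
        # Least privilege in practice: dropping the membership drops every
        # privilege that came with it, with no per-user cleanup to forget.
        self._members[role].discard(user)

    def roles_of(self, user):
        return {role for role, members in self._members.items() if user in members}

    def privileges_of(self, user):
        privileges = set()
        for role in self.roles_of(user):
            privileges |= effective_privileges(role)
        return privileges

    def is_permitted(self, user, privilege):
        return privilege in self.privileges_of(user)


@dataclass
class DACDocument:
    """DAC contrast: the object has an owner, and only the owner decides who
    may access it. No administrator-defined role is consulted."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of operations

    def grant(self, granter, grantee, operation):
        if granter != self.owner:
            return False  # only the owner may delegate access to the object
        self.acl.setdefault(grantee, set()).add(operation)
        return True

    def is_permitted(self, user, operation):
        return user == self.owner or operation in self.acl.get(user, set())


def demo():
    """Walk through the behaviours the text describes; returns each outcome."""
    rbac = StrictRBAC()
    rbac.assign_role("carol", "contributor")  # constructed users
    rbac.assign_role("alice", "administrator")
    results = {
        "contributor_inherits_subscriber": rbac.is_permitted("carol", "edit_own_profile"),
        "contributor_cannot_publish": not rbac.is_permitted("carol", "publish_own_post"),
        "admin_inherits_everything": rbac.privileges_of("alice") == effective_privileges("administrator"),
    }
    rbac.revoke_role("carol", "contributor")
    results["revoked_user_has_nothing"] = rbac.privileges_of("carol") == set()

    doc = DACDocument(owner="bob")
    results["non_owner_cannot_share"] = not doc.grant("alice", "carol", "read")
    results["owner_can_share"] = doc.grant("bob", "carol", "read")
    results["grantee_can_read"] = doc.is_permitted("carol", "read")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'ok' if outcome else 'FAIL'}")
```

The design point is in what `StrictRBAC` lacks: because there is no per-user grant, an access review only has to look at role memberships, and an offboarding is one `revoke_role` call rather than a hunt for stray direct grants. The `DACDocument` shows the other model's shape: the check consults the object's owner and the owner's ACL, not an administrator's role table.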
Subscribers can modify some elements of the look and feel of the pages within their user profile. Contributors can create, edit, and delete their own unpublished posts. Authors can create, edit, and

