Domain 5: Identity and Access Management Review — 38 of 84

Domain 5 – Section B Review: Authorization and Lifecycle

CISSP Domain 5 — Identity and Access Management | Section B — Authorization and Lifecycle Review (10 questions)

This section integrates:

  • Authorization Mechanisms — DAC, MAC, RBAC, ABAC, rule-based, and risk-based access control
  • Identity and Access Provisioning Lifecycle — joiner-mover-leaver, privilege creep, access reviews, PAM
  • Authentication Systems Implementation — Kerberos, RADIUS, TACACS+, SAML, OIDC, 802.1X, FIDO2

Section B questions test your ability to select the right access control model for a given environment, identify lifecycle governance failures, and match authentication protocols to specific use cases. The connecting thread: every question is about making the right decision for the situation, not the most technically advanced one.


Section B – Practice Questions


Question 1

A manufacturing company has 200 employees across four departments. Each department has well-defined job functions. The company is growing rapidly, adding 10–15 employees per month. The CISO needs an access control model that simplifies onboarding while maintaining least privilege.

Which access control model is MOST appropriate?

A. Discretionary Access Control with department-level file shares
B. Mandatory Access Control with data classification labels
C. Role-Based Access Control aligned to department job functions
D. Attribute-Based Access Control with department and seniority attributes

Answer & reasoning

Correct: C

The scenario describes a growing organization with defined job functions and a need for scalable onboarding. RBAC maps roles to job functions, allowing new employees to receive the correct permissions by assigning their role. DAC gives too much discretion to individual owners. MAC is disproportionate for a commercial manufacturer. ABAC adds complexity that the scenario does not require.


Question 2

An audit reveals that an accounts payable clerk can both create vendor records and approve payments — a separation of duties violation. The organization uses RBAC. The clerk holds two roles: “AP Data Entry” and “Payment Approver.”

What is the MOST effective corrective action?

A. Define the two roles as mutually exclusive in the RBAC system so no user can hold both simultaneously
B. Remove the clerk from both roles and reassign them to a new combined role with reduced permissions
C. Add a compensating control that logs all payment approvals for manual review
D. Switch to MAC to prevent users from accumulating conflicting roles

Answer & reasoning

Correct: A

RBAC directly supports separation of duties through mutual exclusion constraints. Defining the two roles as mutually exclusive prevents any user from holding both, addressing the root cause. Logging (C) is a detective control that detects violations after they occur but does not prevent them. A combined role (B) still allows the same person to perform both functions. MAC (D) is a disproportionate model change.


Question 3

A security operations center needs to control which analysts can execute which commands on network security devices. Senior analysts should be able to modify firewall rules, while junior analysts should only be able to view logs and run diagnostic commands. All administrative sessions must be fully encrypted and individually audited.

Which protocol BEST supports these requirements?

A. RADIUS with role-based VLAN assignment
B. Kerberos with tiered service tickets
C. LDAP with group-based access policies
D. TACACS+ with per-command authorization and full packet encryption

Answer & reasoning

Correct: D

TACACS+ separates authentication, authorization, and accounting, enabling per-command authorization: different analysts receive different command sets. It encrypts the entire packet body, meeting the encryption requirement. RADIUS only encrypts the password field and lacks per-command granularity. Kerberos and LDAP are not designed for network device command-level authorization.


Question 4

An organization’s identity governance team discovers that 40% of users have access permissions that do not match any defined role in the RBAC system. These permissions were granted through individual exception requests over the past three years.

What process should be implemented FIRST to address this?

A. Conduct an access recertification campaign where managers review and confirm or revoke all exception-based permissions
B. Delete all exception-based permissions immediately to enforce strict role adherence
C. Perform role mining to create new roles that incorporate the exception permissions
D. Disable the ability to grant exception-based access going forward

Answer & reasoning

Correct: A

Access recertification addresses the existing problem by requiring business justification for each exception permission. Some exceptions may be legitimate and should be incorporated into roles; others are no longer needed and should be revoked. Immediate deletion (B) risks breaking business processes. Role mining (C) from exception data would codify potentially unjustified access. Disabling future exceptions (D) does not address the 40% that already exist.
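The two RBAC controls discussed in Questions 2 and 4, as an added worked example (not code from the original page): a mutual-exclusion constraint that refuses conflicting role assignments at grant time, and an audit that lists the permissions a user holds outside any role, which is the input a recertification campaign starts from. The role catalogue, permission names and users are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample role catalogue for the accounts payable scenario (not a real system).
ROLE_PERMISSIONS = {
    "AP Data Entry": {"vendor:create", "vendor:edit", "invoice:enter"},
    "Payment Approver": {"payment:approve", "invoice:view"},
    "AP Viewer": {"invoice:view", "vendor:view"},
}

# Static separation-of-duties constraint: no user may hold both roles at once.
MUTUALLY_EXCLUSIVE = [frozenset({"AP Data Entry", "Payment Approver"})]


class SoDViolation(Exception):
    """Raised when a role assignment would breach a mutual-exclusion constraint."""


@dataclass
class Rbac:
    user_roles: dict = field(default_factory=dict)     # user -> set of role names
    direct_grants: dict = field(default_factory=dict)  # user -> permissions granted outside any role

    def assign_role(self, user: str, role: str) -> None:
        """Preventive control (Question 2): refuse conflicting role combinations up front."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for pair in MUTUALLY_EXCLUSIVE:
            conflicts = held & (pair - {role}) if role in pair else set()
            if conflicts:
                raise SoDViolation(f"{user}: {role!r} is mutually exclusive with {sorted(conflicts)}")
        held.add(role)

    def role_permissions(self, user: str) -> set:
        """Permissions explained by the user's assigned roles."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def exception_permissions(self, user: str) -> set:
        """Permissions a user holds that no assigned role explains (Question 4's exceptions)."""
        return self.direct_grants.get(user, set()) - self.role_permissions(user)

    def recertification_report(self) -> dict:
        """Input for a manager-driven recertification campaign: user -> unexplained permissions."""
        users = set(self.user_roles) | set(self.direct_grants)
        return {u: sorted(self.exception_permissions(u)) for u in sorted(users)
                if self.exception_permissions(u)}
```

Note that a direct grant of `payment:approve` to a user already holding "AP Data Entry" bypasses the mutual-exclusion check entirely, which is exactly why exception grants need to be recertified rather than assumed legitimate.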


Question 5

A cloud-native company wants to implement access controls for its microservices architecture. Access decisions need to evaluate the calling service’s identity, the target resource’s sensitivity classification, the current threat level from the security operations center, and the time of day. The access policy may change as the organization’s risk posture shifts.

Which access control model is BEST suited for this environment?

A. Rule-based access control with static firewall policies
B. RBAC with service-level role definitions
C. ABAC with dynamic policy evaluation incorporating real-time risk signals
D. DAC with service owners managing their own access lists

Answer & reasoning

Correct: C

The scenario lists multiple dynamic attributes (service identity, resource sensitivity, threat level, time) and describes policies that adapt to changing conditions. ABAC evaluates these attributes in real time against configurable policies. RBAC cannot natively factor in environmental conditions like threat level. Static firewall rules (A) cannot adapt to changing risk posture. DAC is inappropriate for service-to-service authorization.
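An added example of the ABAC evaluation described in Question 5 (illustration only, not code from the original page): each rule is a predicate over subject, resource and environment attributes, the combiner is deny-overrides with default deny, and the policy is plain data, so the SOC can change the threat level or the rule list without touching any service. Service names, sensitivity scale and the threat-to-sensitivity ceiling are constructed assumptions.

```python
from datetime import time

# Constructed attribute bundles and policy for the microservices scenario above.
# Each rule returns "permit", "deny" or "n/a"; the combiner is deny-overrides and
# a request with no permit is denied (default deny).
THREAT_CEILING = {"low": 3, "elevated": 2, "high": 1}   # max sensitivity readable per threat level


def rule_caller_allowed(subject, resource, env):
    """Calling service identity must be on the resource's allow-list."""
    return "permit" if subject["service"] in resource["allowed_callers"] else "deny"


def rule_threat_level(subject, resource, env):
    """As the SOC raises the threat level, higher-sensitivity resources drop out of reach."""
    return "permit" if resource["sensitivity"] <= THREAT_CEILING[env["threat_level"]] else "deny"


def rule_business_hours(subject, resource, env):
    """Top-sensitivity data is only reachable during the operations window."""
    if resource["sensitivity"] < 3:
        return "n/a"
    return "permit" if time(7, 0) <= env["now"] <= time(19, 0) else "deny"


POLICY = [rule_caller_allowed, rule_threat_level, rule_business_hours]


def evaluate(subject, resource, env, policy=POLICY):
    """Return (decision, denying_rules); naming the denying rules keeps decisions auditable."""
    results = {rule.__name__: rule(subject, resource, env) for rule in policy}
    denied_by = sorted(name for name, r in results.items() if r == "deny")
    if denied_by:
        return "deny", denied_by
    return ("permit", []) if "permit" in results.values() else ("deny", ["default-deny"])


# Constructed sample request: the billing service reading a PII store.
BILLING = {"service": "billing-svc"}
PII_STORE = {"name": "customer-pii", "sensitivity": 3,
             "allowed_callers": {"billing-svc", "support-svc"}}
```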


Question 6

An employee is terminated for cause on a Friday afternoon. The following Monday, the security team discovers the employee logged into the VPN over the weekend and downloaded project files. The HR system recorded the termination on Friday, but the employee’s Active Directory account was not disabled until the Monday morning batch process.

What is the PRIMARY process failure?

A. The HR system should have directly disabled the AD account
B. Deprovisioning was not automated to trigger immediately from the HR termination event
C. The employee should not have had VPN access in the first place
D. The security team should have been monitoring VPN access over the weekend

Answer & reasoning

Correct: B

The root cause is that deprovisioning relied on a batch process with a multi-day delay rather than triggering immediately from the HR termination event. For involuntary terminations, account disablement should occur at or before the time of notification. Automated, real-time integration between HR and identity systems would have prevented the gap. Weekend monitoring (D) is a detective control but does not address the provisioning process failure.


Question 7

A hospital deploys 802.1X authentication on its wired network to prevent unauthorized devices from connecting. The network team needs to choose an EAP method. The hospital does not have a PKI infrastructure and cannot issue client certificates to every device.

Which EAP method is MOST appropriate?

A. EAP-TLS with mutual certificate authentication
B. EAP-MD5 with username and password
C. PEAP with MSCHAPv2 inside a TLS tunnel
D. EAP-FAST with anonymous TLS tunneling

Answer & reasoning

Correct: C

PEAP creates a TLS tunnel to the authentication server and then uses MSCHAPv2 (username/password) inside the tunnel. It requires only a server certificate, not client certificates — fitting the constraint of no PKI for client certs. EAP-TLS (A) requires client certificates. EAP-MD5 (B) provides no mutual authentication and sends credentials with weak hashing. PEAP balances security with the infrastructure constraints described.


Question 8

A global enterprise uses an on-premises Active Directory and needs to provide SSO for 30 SaaS applications used by employees worldwide. The SaaS applications are all browser-based. The security team wants to centralize authentication so that disabling a user in AD immediately prevents access to all SaaS applications.

Which approach BEST meets these requirements?

A. Configure each SaaS application to query the on-premises AD via LDAP over VPN
B. Deploy SAML federation with AD as the identity provider and each SaaS application as a service provider
C. Issue Kerberos service tickets for each SaaS application
D. Create local accounts in each SaaS application synchronized from AD nightly

Answer & reasoning

Correct: B

SAML federation allows AD to serve as the centralized identity provider. When a user is disabled in AD, the IdP no longer issues SAML assertions, immediately cutting off access to all federated SaaS applications. LDAP over VPN (A) creates security and performance problems. Kerberos (C) is not designed for SaaS/web SSO. Nightly synchronization (D) creates a gap where terminated users retain access until the next sync.


Question 9

A database administrator needs emergency access to a production database during an incident, but the organization has implemented just-in-time provisioning for all privileged access. The DBA does not have standing database admin privileges.

How should the PAM system handle this request?

A. The DBA should have permanent admin access to avoid delays during incidents
B. The request should be denied because JIT provisioning does not allow emergency access
C. The PAM system should grant time-limited emergency access with automatic revocation and full session recording after an expedited approval
D. Another DBA with standing access should perform the work instead

Answer & reasoning

Correct: C

JIT provisioning with PAM supports emergency access through expedited approval workflows — often called “break-glass” procedures. The access is granted quickly but with controls: it is time-limited, automatically revoked when the window expires, and the entire session is recorded for post-incident review. Standing access (A) defeats the purpose of JIT. Denying emergency access (B) prevents incident response. Relying on another person (D) may not be feasible during a critical incident.


Question 10

An intelligence agency needs an access control system where users cannot override or modify access decisions, data is labeled by classification level, and information flow between classification levels is prevented by the system itself. Users with Secret clearance must not be able to read Top Secret documents or write information to Unclassified systems.

Which access control model and enforcement mechanism is required?

A. RBAC with separation of duties constraints
B. ABAC with classification attributes and flow control policies
C. DAC with strict ACL management and monitoring
D. MAC with Bell-LaPadula enforcement for confidentiality and system-level information flow controls

Answer & reasoning

Correct: D

The scenario describes the textbook MAC environment: system-enforced access control, classification labels, clearance levels, and information flow restrictions. Bell-LaPadula’s “no read up, no write down” directly prevents the specific violations described. RBAC (A) does not enforce label-based information flow. ABAC (B) could theoretically model this, but MAC is the established standard for multi-level security. DAC (C) allows users to override access decisions, violating the stated requirement.
