Chapter 97 · Quiz

Access Controls — Quiz

Six multiple-choice questions and four matching questions. Submit for instant scoring and explanations.

Question 1 of 6
A government agency operates a classified system where data is labeled Confidential, Secret, or Top Secret. Users are assigned clearance levels that match or exceed the data they can access. The system administrator assigns all labels, and users cannot modify any label even on files they created. Which access control model is in use?
Question 2 of 6
An employee creates a shared folder on their workstation and adds specific colleagues to the folder's permission list. Later, they share the folder with a third colleague without asking IT or management. Which access control model is this, and what is its primary weakness?
Question 3 of 6
A new employee joins the Sales department. The IT administrator adds them to the “Sales Representatives” Active Directory security group. The employee immediately gains access to the CRM system, the sales analytics dashboard, and the customer database without any additional individual permission grants. What access control model explains this behavior?
Question 4 of 6
A financial company's access policy states: “Allow access to the trading platform only from IP addresses in the 172.16.0.0/16 range, only on weekdays, and only between 7 AM and 8 PM.” This policy is enforced by the system automatically for every access attempt. Which access control model does this represent?
Question 5 of 6
A healthcare organization implements an access control system where a doctor's access to patient records depends on: (1) their role (physician, not admin staff), (2) whether the patient is assigned to them, (3) the time of day (no access between midnight and 6 AM), (4) the network they are connecting from (hospital VPN required), and (5) whether they are performing a read or write operation. Access decisions change based on any of these factors changing. Which access control model is this?
Question 6 of 6
A call center employee who works 9 AM to 5 PM has their account configured so that login attempts outside those hours are rejected, even if the correct password is provided. An attacker who steals the employee's password attempts to log in at 2 AM and is denied. What access control mechanism blocked the attacker?

Matching

Match each description to the correct access control model.

1. Access control where the operating system enforces access based on security classification labels assigned by an administrator; users cannot modify labels even on files they own
2. Access control where the resource owner determines who can access their resources; default model in most commercial operating systems; security depends on owner decisions
3. Access control where users receive access rights by being assigned to roles or groups; access is implicit through group membership rather than individually granted
4. Access control where multiple simultaneous attributes from the subject, object, environment, and action are evaluated to make dynamic, context-aware access decisions
A. MAC (Mandatory Access Control)
B. DAC (Discretionary Access Control)
C. RBAC (Role-Based Access Control)
D. ABAC (Attribute-Based Access Control)