Access Control: Non-Discretionary

You might see a lot of questions on the CISSP exam about rule-based and role-based access control.

Firewalls are an example of rule-based access control: a packet is allowed or denied by matching its attributes (source, destination, port, protocol) against an ordered rule list, and the identity of whoever sent it plays no part in the decision.

Active Directory user accounts and the groups they belong to, with permissions and Group Policy settings attached to those groups, are a form of role-based access control: the permissions follow the role, not the individual.

Role-based and rule-based controls are both classed as non-discretionary controls.
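As an added example (my own toy code, not from the original post and not an Active Directory or firewall implementation), here is a small Python model of the two controls just named, plus a discretionary control for contrast: a firewall-style ACL evaluated first-match with an implicit default deny for rule-based, a role and permission table where only an administrator holding a manage_roles permission can change assignments for role-based, and an owner-decides file share to show what "at the discretion of the user" looks like. All addresses, roles, permission names and paths are constructed for the illustration.

```python
"""Toy models of rule-based, role-based and (for contrast) discretionary
access control. Constructed example; not an AD or firewall implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


# --- Rule-based: a firewall-style ACL ---------------------------------------

@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


def firewall_decision(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to implicit deny.
    Only the packet's attributes matter, never who is behind it."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed rule set: HTTPS into 10/8 from anywhere, block the 10.0.5.0/24
# segment from everything else, let the rest of 10/8 through.
EXAMPLE_RULES = [
    Rule("allow", dst="10.0.0.0/8", dport=443, proto="tcp"),
    Rule("deny", src="10.0.5.0/24"),
    Rule("allow", src="10.0.0.0/8"),
]


# --- Role-based: permissions hang off roles, roles hang off users -------------

# Constructed tables; permission names mirror the restrictions in the post.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "domain-user":  {"log_on_locally"},
    "junior-admin": {"log_on_locally", "reset_user_password"},
    "it-director":  {"log_on_locally", "reset_user_password", "change_wallpaper",
                     "change_system_time", "run_cmd", "manage_roles"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "newhire":  {"junior-admin"},
    "director": {"it-director"},
}


def rbac_permitted(user: str, permission: str) -> bool:
    """A user holds a permission only through a role they have been assigned."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def assign_role(actor: str, user: str, role: str) -> bool:
    """Only an actor whose own role carries manage_roles may change assignments,
    so a user cannot promote themselves: the policy is not at their discretion."""
    if role not in ROLE_PERMISSIONS or not rbac_permitted(actor, "manage_roles"):
        return False
    USER_ROLES.setdefault(user, set()).add(role)
    return True


# --- Discretionary, for contrast: the object's owner decides -----------------

FILE_OWNER: Dict[str, str] = {"/home/newhire/notes.txt": "newhire"}
FILE_READERS: Dict[str, Set[str]] = {"/home/newhire/notes.txt": set()}


def dac_share(user: str, path: str, grantee: str) -> bool:
    """The owner may grant read access to anyone they like; nobody else may."""
    if FILE_OWNER.get(path) != user:
        return False
    FILE_READERS[path].add(grantee)
    return True


if __name__ == "__main__":
    print(firewall_decision(EXAMPLE_RULES, Packet("10.0.5.7", "10.0.0.1", 22, "tcp")))
    print(rbac_permitted("newhire", "change_system_time"))
    print(assign_role("newhire", "newhire", "it-director"))
    print(dac_share("newhire", "/home/newhire/notes.txt", "director"))
```

The point of the three pieces side by side: in the first two, nothing the subject does changes the outcome (the firewall never asks who you are, and the only path to a new permission in the role model runs through someone holding manage_roles), while in the third the owner alone decides who gets in. That difference is what the exam means by non-discretionary.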

Eight years ago, when I was just a junior systems administrator, the IT Director provisioned me a new desktop computer joined to Active Directory.

I wanted to immediately change the desktop wallpaper to a picture of Chewbacca playing the drums in a giant rock band with Han Solo as the lead guitarist, while Darth Vader floats down onto the stage, and Princess Leia belching out the vocals.

But I couldn’t.

I couldn’t change the desktop wallpaper or the system time, couldn’t access cmd.exe, and couldn’t change my password.

At first, I thought this was a show of force by the Director: a form of centralized access control imposed by a player who has played the game longer and knows the tricks and strategies to best a rookie junior administrator.

Now, as a security engineer, I realize the IT Director didn’t grant me the ability to change the system time because it would interfere with NTP (the protocol that maintains date and time) or with the distribution of encrypted session keys.

Quite simply, non-discretionary access controls are controls that are not at the discretion of the user or resource owner: an administrator sets the policy centrally, and the same rules apply to nearly everyone, so don’t feel bad : )
