Access Control: Non-Discretionary

You might see a lot of questions on the CISSP exam about rule-based and role-based access.

Firewalls are an example of rule-based access.

Active Directory user profiles are a form of role-based access.

Role-based and rule-based controls are called non-discretionary controls.

Eight years ago, when I was just a junior systems administrator, the IT Director provisioned me a new desktop computer networked to Active Directory.

I wanted to immediately change the desktop wallpaper to a picture of Chewbacca playing the drums in a giant rock band with Han Solo as the lead guitarist, while Darth Vader floats down onto the stage, and Princess Leia belching out the vocals.

But I couldn’t.

I couldn’t change the desktop wallpaper, I couldn’t change the system time, couldn’t access cmd.exe, or change my password.

At first, I thought this was a show of force by the Director. A form of centralized access control made by a player who has played the game longer and knows the tricks and strategies to best a rookie junior administrator.

Now, as a security engineer, I realize the IT Director didn’t grant me the ability to change the system time because it would interfere with NTP (the protocol to maintain date and time) or the distribution of encrypted session keys.

Quite simply, non-discretionary access controls are ones that are not at the discretion of the user. They are global rules that apply to mostly everyone, so don’t feel bad : )
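The two models side by side, as an added example that is not part of the original post: a first-match firewall rule list (rule-based) and a role-to-permission lookup (role-based), both defined centrally and read-only to the requester. The rule set, role names, user names and permission names are hypothetical, and the IP addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Rule-based: one ordered rule list applied to every request ---
@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    port: Optional[int]    # None means any port

# Constructed sample policy, set by the administrator (immutable tuple).
FIREWALL_RULES = (
    Rule("deny", "203.0.113.0/24", None),   # blocked network, any port
    Rule("allow", "0.0.0.0/0", 443),        # HTTPS from anywhere
    Rule("allow", "192.0.2.0/24", 22),      # SSH from the admin network only
)

def rule_based_decision(src_ip, port, rules=FIREWALL_RULES):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.src) and rule.port in (None, port):
            return rule.action
    return "deny"

# --- Role-based: permissions attach to roles, users only hold roles ---
# Hypothetical roles and permissions modelled on the desktop story above.
ROLE_PERMISSIONS = {
    "junior_sysadmin": frozenset({"log_on", "read_shares"}),
    "domain_admin": frozenset({"log_on", "read_shares", "change_wallpaper",
                               "change_system_time", "run_cmd"}),
}
USER_ROLES = {
    "rookie": frozenset({"junior_sysadmin"}),
    "director": frozenset({"domain_admin"}),
}

def role_based_decision(user, permission):
    """Allowed only if one of the user's assigned roles carries the permission."""
    roles = USER_ROLES.get(user, frozenset())
    return any(permission in ROLE_PERMISSIONS.get(r, frozenset()) for r in roles)

if __name__ == "__main__":
    print(rule_based_decision("203.0.113.7", 443))            # deny
    print(role_based_decision("rookie", "change_system_time")) # False
```

In both functions the requester supplies only the request; the policy tables are the administrator's, which is what makes the control non-discretionary.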

© 2013 Study Notes and Theory