A rapidly growing organization's server administration team is finding it difficult to manage permissions. Currently, permissions are assigned directly to each user account. This has become error-prone and inefficient, especially when employees change departments or leave the company. To improve security and simplify administration, the IT manager wants to implement a system where access rights are assigned based on job titles such as 'Help Desk Analyst', 'System Administrator', and 'Backup Operator'. Which of the following access control models best fits this requirement?
The correct answer is Role-Based Access Control (RBAC). RBAC is an access control model where permissions are assigned to roles rather than to individual users. Users are then assigned to the appropriate role (e.g., 'System Administrator') and inherit the permissions associated with that role. This approach directly solves the scenario's problem by streamlining the management of permissions based on job functions, which simplifies onboarding, role changes, and offboarding.
Rule-Based Access Control (RuBAC) is incorrect because it grants access based on a set of rules, such as time of day or location, not on a user's job function.
Mandatory Access Control (MAC) is incorrect as it is a much stricter, non-discretionary model based on security classifications (e.g., clearance levels like 'Top Secret'), which is not what the scenario describes.
Discretionary Access Control (DAC) is incorrect because it allows resource owners to determine access. The scenario describes moving away from this individual, ad-hoc assignment model toward a more structured, centralized one.
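As an added illustration that is not part of the original question or answer key, the Python model below implements the RBAC scheme the answer describes: permissions attach to roles named after the job titles in the question, users are mapped to roles, and a department transfer or a departure is handled by editing the user-to-role mapping rather than touching per-user permissions. The role catalogue, permission names and user names are constructed for the example and are not from any real system.

```python
"""Minimal role-based access control (RBAC) model (constructed example)."""


# Constructed role catalogue: role name -> permissions granted by that role.
# Permission names are assumptions for illustration, not a real product's values.
ROLE_PERMISSIONS = {
    "Help Desk Analyst": {"reset_password", "unlock_account", "view_tickets"},
    "System Administrator": {"reset_password", "unlock_account",
                             "manage_servers", "install_software"},
    "Backup Operator": {"read_all_files", "run_backup_jobs"},
}


class RBAC:
    """Users never hold permissions directly; they inherit them through roles."""

    def __init__(self, role_permissions):
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self.user_roles = {}  # user -> set of role names

    def assign_role(self, user, role):
        # Onboarding: one mapping entry grants every permission the job needs.
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def change_role(self, user, old_role, new_role):
        # Department transfer: add the new role (validated first), then drop the
        # old one so no permission from the previous job lingers.
        self.assign_role(user, new_role)
        self.revoke_role(user, old_role)

    def offboard(self, user):
        # Offboarding: removing the user from the mapping removes all access at once.
        self.user_roles.pop(user, None)

    def permissions_of(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def is_permitted(self, user, permission):
        return permission in self.permissions_of(user)

    def users_with_permission(self, permission):
        # Audit helper: who can currently exercise a given permission?
        return sorted(u for u in self.user_roles if self.is_permitted(u, permission))


def demo():
    """Walk through onboarding, a transfer and an offboarding; returns the checks."""
    ac = RBAC(ROLE_PERMISSIONS)
    ac.assign_role("alice", "Help Desk Analyst")   # constructed users
    ac.assign_role("bob", "Backup Operator")

    before = ac.is_permitted("alice", "manage_servers")        # False: help desk only
    ac.change_role("alice", "Help Desk Analyst", "System Administrator")
    after = ac.is_permitted("alice", "manage_servers")         # True: inherited from new role
    stale = ac.is_permitted("alice", "view_tickets")           # False: old role's right is gone
    kept = ac.is_permitted("alice", "reset_password")          # True: both roles grant it

    ac.offboard("bob")
    gone = ac.permissions_of("bob")                            # set(): nothing left behind
    return before, after, stale, kept, gone


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that every lifecycle event (join, move, leave) is a single change to the user-to-role mapping, and an audit such as `users_with_permission("manage_servers")` is answered from the role catalogue instead of by inspecting each account.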