A server administrator is implementing a security policy for a critical database server. The policy dictates that administrative access is granted only if the following conditions are met:
The user is a member of the 'DBAdmins' group.
The access request originates from an IP address within the 10.1.2.0/24 subnet.
The access request occurs between 8:00 AM and 6:00 PM on weekdays.
Which access control model BEST describes this implementation?
The correct answer is Rule-based access control. This model grants or denies access according to a set of predefined rules configured by an administrator and evaluated at request time. In this scenario the rules cover the user's group membership, the source IP address, and the day and time of the request. Access is permitted only when every condition (rule) is satisfied; a request that fails any one of them is denied.
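To make the distinction concrete, here is an added example (not part of the original question or answer) that evaluates the three rules as a deny-by-default conjunction. The request structure, the rule names, the evaluation function and the sample requests are illustrative assumptions; so is the reading of "between 8:00 AM and 6:00 PM" as 08:00 inclusive to 18:00 exclusive in the server's local time. A pure RBAC check would consist of the first predicate alone; the subnet and time predicates are the environmental rules that make this rule-based.

```python
"""Added example: deny-by-default evaluator for the question's three-rule policy.
Rule names, API and sample data are illustrative assumptions, not from the page."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple

ADMIN_GROUP = "DBAdmins"
ADMIN_SUBNET = ip_network("10.1.2.0/24")
# Assumption: 08:00 inclusive to 18:00 exclusive, server local time.
BUSINESS_HOURS = (8, 18)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    source_ip: str
    when: datetime  # naive local time; in production pin this to one time zone


# A rule is a named predicate over the request; the policy is the AND of all rules.
Rule = Tuple[str, Callable[[AccessRequest], bool]]


def in_admin_group(req: AccessRequest) -> bool:
    return ADMIN_GROUP in req.groups


def from_admin_subnet(req: AccessRequest) -> bool:
    try:
        return ip_address(req.source_ip) in ADMIN_SUBNET
    except ValueError:
        # An unparseable address must fail the rule, never pass it.
        return False


def during_business_hours(req: AccessRequest) -> bool:
    start, end = BUSINESS_HOURS
    is_weekday = req.when.weekday() < 5  # Monday=0 .. Friday=4
    return is_weekday and start <= req.when.hour < end


RULES: List[Rule] = [
    ("member of DBAdmins", in_admin_group),
    ("source in 10.1.2.0/24", from_admin_subnet),
    ("weekday 08:00-18:00", during_business_hours),
]


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (granted, names of failed rules). Every rule must pass."""
    failed = [name for name, check in RULES if not check(req)]
    return (not failed), failed


# Constructed sample requests (dates chosen so 2024-03-13 is a Wednesday,
# 2024-03-16 a Saturday).
WEEKDAY_NOON = datetime(2024, 3, 13, 12, 0)
SATURDAY_NOON = datetime(2024, 3, 16, 12, 0)
SAMPLE_REQUESTS = [
    AccessRequest("alice", frozenset({"DBAdmins"}), "10.1.2.45", WEEKDAY_NOON),
    AccessRequest("bob", frozenset({"Developers"}), "10.1.2.45", WEEKDAY_NOON),
    AccessRequest("alice", frozenset({"DBAdmins"}), "10.1.3.45", WEEKDAY_NOON),
    AccessRequest("alice", frozenset({"DBAdmins"}), "10.1.2.45", SATURDAY_NOON),
    AccessRequest("alice", frozenset({"DBAdmins"}), "10.1.2.45",
                  datetime(2024, 3, 13, 18, 0)),  # exactly 18:00: outside window
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        granted, failed = evaluate(req)
        verdict = "ALLOW" if granted else "DENY (" + ", ".join(failed) + ")"
        print(f"{req.user:6} {req.source_ip:12} {req.when:%a %H:%M} -> {verdict}")
```

Returning the list of failed rules rather than a bare boolean is deliberate: it gives an audit log the reason for each denial without changing the decision, which stays "all rules or nothing".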
Role-based access control (RBAC) is incorrect because, while a role-like group ('DBAdmins') is one of the criteria, the decision does not rest on the user's role alone. It also depends on environmental conditions such as source IP address and time of day, which are characteristic of a rule-based system.
Mandatory access control (MAC) is incorrect as it relies on security labels and classifications (e.g., Confidential, Secret) assigned to both subjects and objects, which are not mentioned in the scenario.
Discretionary access control (DAC) is incorrect because access is not determined by the resource owner. Instead, it is enforced by a centrally defined, system-wide policy.