TiltedLunar123

How Security+ actually tests access control models (and why memorizing the definitions doesn't save you)

If you have studied for the SY0-701 exam for more than a week, you can probably recite the four access control models in your sleep. Discretionary, mandatory, role-based, attribute-based. The problem is that the exam almost never asks you to define DAC. It hands you a three-sentence workplace scenario and expects you to name the model that fits. That is a completely different skill, and it is where a lot of otherwise-prepared people lose easy points.

Here is the way I learned to read these questions, plus the two traps that catch most folks.

The four models, one line each

Strip the textbook language down to the single decision each model makes about who gets access.

  • DAC (Discretionary Access Control): the owner of the resource decides. If a person can grant other people access to a file they created, that is discretionary. Standard file permissions on Windows and Linux work this way.
  • MAC (Mandatory Access Control): the system decides, based on labels and clearances. Users cannot hand out access even if they want to. This is the classified-data model: Top Secret, Secret, Confidential.
  • RBAC (Role-Based Access Control): access follows the job. You are a Nurse or an Accountant, and the role carries the permissions. A new hire in that role inherits the same access on day one.
  • ABAC (Attribute-Based Access Control): access is evaluated from attributes and conditions at request time. Department, device type, time of day, location. Allow if the user is in Finance AND on a managed laptop AND inside business hours.

That is the knowledge half. Now the exam half.

The scenario tells you the model. Find who decides.

Almost every access control question hides the answer in one phrase. Train yourself to hunt for who is making the decision.

  • "The file's creator can choose to share it with a coworker." Someone owns it and chooses, so that is DAC.
  • "Access is governed by security labels and a central policy that users cannot override." Labels plus no override is MAC.
  • "When an employee moves from Sales to Support, their access changes to match the new position." Access tied to position is RBAC.
  • "Access is granted only if the user is a manager, on a corporate device, connecting from the office network." A stack of conditions is ABAC.

The vocabulary repeats. Owner and discretion point to DAC. Labels and clearance point to MAC. Job title or position points to RBAC. A list of if-conditions points to ABAC.

Trap one: RBAC vs ABAC

This is the pair that separates careful readers from the rest, so the exam leans on it hard. Both can produce the same outcome.

The tell is whether access depends on a single thing (the role) or on several things evaluated together (attributes). "A billing clerk can access billing records" is role driven, so RBAC. "A billing clerk can access billing records only during their shift and only from the office" adds time and location, which are attributes, so the better answer is ABAC.

When a question stacks two or more conditions that are not just the job title, the writers are steering you toward ABAC. When it is purely "this role gets this access," stay with RBAC.

Trap two: rule-based is not role-based

Read slowly. Rule-based access control applies the same rule to everyone regardless of identity. A firewall that blocks all traffic on a port after 6 PM is rule-based. It sounds almost identical to role-based out loud, and the exam knows it. If the control applies to everyone by a fixed rule rather than by who you are, it is not RBAC.
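To make the "who decides" question concrete, here is a small Python sketch, added to this post rather than taken from it, of the decision each model makes. Each evaluator takes only the inputs that model actually consults: DAC consults the owner, MAC a clearance and a label, RBAC a role, ABAC a bundle of attributes, and rule-based nothing about identity at all. Every user, role, permission, shift window and port number below is constructed for the example.

```python
"""Toy evaluators for DAC, MAC, RBAC, ABAC and rule-based control.

Constructed example: names, roles, labels, shift hours and the port are
made up for illustration and are not from any real policy.
"""
from dataclasses import dataclass, field
from datetime import time


# --- DAC: the resource owner decides, and may delegate ---------------------
@dataclass
class DacResource:
    owner: str
    shared_with: set = field(default_factory=set)


def dac_share(resource: DacResource, actor: str, grantee: str) -> bool:
    """Only the owner may grant access. Returns whether the grant took effect."""
    if actor != resource.owner:
        return False
    resource.shared_with.add(grantee)
    return True


def dac_allowed(resource: DacResource, user: str) -> bool:
    return user == resource.owner or user in resource.shared_with


# --- MAC: the system compares clearance to label; no user can override -----
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allowed(clearance: str, label: str) -> bool:
    """Read access requires clearance at or above the object's label."""
    return LEVELS[clearance] >= LEVELS[label]


# --- RBAC: permissions hang off the role, not the person -------------------
ROLE_PERMS = {
    "Nurse": {"read_chart", "update_vitals"},
    "Accountant": {"read_ledger", "post_entry"},
    "Billing Clerk": {"read_billing"},
}


def rbac_allowed(role: str, permission: str) -> bool:
    return permission in ROLE_PERMS.get(role, set())


# --- ABAC: several attributes evaluated together at request time -----------
@dataclass
class Request:
    role: str
    device_managed: bool
    on_office_network: bool
    at: time


SHIFT_START, SHIFT_END = time(9, 0), time(17, 0)  # constructed shift window


def abac_allowed(req: Request, permission: str) -> bool:
    """The post's scenario: billing clerk, only during shift, only from the
    office. Role is just one attribute among several here."""
    in_shift = SHIFT_START <= req.at < SHIFT_END
    return (rbac_allowed(req.role, permission)
            and req.device_managed
            and req.on_office_network
            and in_shift)


# --- Rule-based: one fixed rule for everyone; identity is never consulted --
BLOCKED_PORT = 8080  # constructed; the post only says "a port"
CUTOFF = time(18, 0)


def rule_based_port_open(port: int, at: time) -> bool:
    """The post's firewall example: block the port after 6 PM, for all traffic."""
    return not (port == BLOCKED_PORT and at >= CUTOFF)


def run_scenarios() -> dict:
    """Replays the post's scenarios and records each model's decision."""
    doc = DacResource(owner="alice")
    dac_share(doc, "bob", "carol")      # bob is not the owner: no effect
    dac_share(doc, "alice", "bob")      # alice is the owner: bob gets access
    clerk_in_office = Request("Billing Clerk", True, True, time(10, 0))
    clerk_at_home = Request("Billing Clerk", True, False, time(10, 0))
    clerk_after_hours = Request("Billing Clerk", True, True, time(20, 0))
    return {
        "dac_bob": dac_allowed(doc, "bob"),
        "dac_carol": dac_allowed(doc, "carol"),
        "mac_secret_reads_confidential": mac_allowed("Secret", "Confidential"),
        "mac_secret_reads_top_secret": mac_allowed("Secret", "Top Secret"),
        "rbac_clerk_billing": rbac_allowed("Billing Clerk", "read_billing"),
        "rbac_nurse_billing": rbac_allowed("Nurse", "read_billing"),
        "abac_clerk_in_office": abac_allowed(clerk_in_office, "read_billing"),
        "abac_clerk_at_home": abac_allowed(clerk_at_home, "read_billing"),
        "abac_clerk_after_hours": abac_allowed(clerk_after_hours, "read_billing"),
        "rule_noon": rule_based_port_open(BLOCKED_PORT, time(12, 0)),
        "rule_evening": rule_based_port_open(BLOCKED_PORT, time(19, 0)),
    }


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:32} {'allow' if decision else 'deny'}")
```

The point of the sketch is the signatures, not the bodies: the same billing clerk is allowed by `rbac_allowed` in every case but is denied by `abac_allowed` the moment a non-role attribute (location, time) fails, and `rule_based_port_open` never receives a user at all, which is exactly why it is not RBAC.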

How to actually drill this

Definitions you can passively reread. Scenario matching you have to practice actively, because the skill is parsing the sentence, not reciting the term. The habit that helped me most was reading the question, then checking why each wrong option was wrong, since the distractors teach you the boundary between two models better than any definition does.

If you want a stack of practice questions and reading lessons mapped to the SY0-701 objectives, that is what I built secplusmastery.com around. There is also a free diagnostic at secplusmastery.com/diagnostic that scores you by domain, so you can tell whether access control is genuinely a weak spot for you or just felt like one.

The one habit that helps most

Before you pick an answer on any access control question, say out loud who or what is making the access decision. The owner, the system labels, the job role, or a set of attributes. That one question collapses four intimidating models into a short decision, and it turns a category of tricky questions into some of the most reliable points on the exam.
