Which access control model best fits a banking system where access decisions depend on subject role, transaction amount, time of day, and source IP?
A CISSP practice question covering Domain 5: Identity and Access Management (IAM). Try answering before reading the explanation below.
Why "ABAC — Attribute-Based Access Control" is the right answer
ABAC evaluates rules over multiple attributes of the subject, object, action, and environment, which is exactly the multi-attribute decision the question describes: role, transaction amount, time of day, and source IP. RBAC decides on role alone. DAC leaves access to the owner's discretion. MAC uses fixed labels and is too rigid for dynamic context like time of day.