Access Control Design Workshop

Key Takeaways

  • Identification, authentication, authorization, and accountability are four separate parts of access control and are tested as distinct concepts.
  • Least privilege, need to know, separation of duties, and privileged access management are recurring integrated-scenario themes.
  • RBAC fits stable job roles, ABAC uses attributes and context, DAC lets owners grant access, and MAC enforces central labels and clearances.
  • MFA reduces credential-only compromise but does not fix authorization design; broad groups plus MFA still over-grant access.
  • Logging plus periodic recertification supports accountability, especially for privileged and sensitive access.
Last updated: June 2026

Access Control as a Story

Access Control Concepts is 22 percent of the CC exam, and questions arrive as workplace stories. A new employee needs access today. A contractor needs temporary access. A database administrator can both approve and deploy changes. A terminated employee still has a VPN account. A manager wants broad access "just in case." Your task is to design access that supports work without creating unnecessary exposure.

Lab Scenario

A regional training company has four teams: instructors, finance, student support, and IT. Instructors need course materials and attendance rosters. Finance needs invoices and payment records. Student support needs student contact details and case notes. IT needs administrative access to maintain systems but should not casually view student financial records. Contractors help for 30 days during enrollment season. Two problems already occurred: former contractors retained access, and a finance employee accidentally changed course materials.

Access Design Table

Requirement | Better design | Principle
Instructors need rosters, not payment cards | Instructor role grants roster access only | Least privilege
Finance handles invoices, not course edits | Finance role excludes course-content modification | Need to know
IT administers platforms | Privileged accounts with MFA, logging, approval | Privileged access management
Contractors work for 30 days | Time-bound accounts with automatic expiration | Account lifecycle control
No one approves and pays a vendor alone | Split request and payment approval | Separation of duties
Sensitive access needs review | Quarterly access recertification | Accountability

Identification Through Accountability

These four terms are favorite distractor swaps. Identification is claiming an identity, such as a username. Authentication proves the claim, such as a password plus MFA. Authorization determines what the authenticated subject may do. Accountability ties actions back to identities through logging, monitoring, and review. Shared accounts break accountability because no action can be traced to one person.

MFA is valuable but partial. If every MFA user is dropped into a broad administrator group, authentication improved while authorization failed. If logs exist but no one reviews privileged changes, accountability is weak. A complete design uses all four pieces together.

RBAC, ABAC, DAC, and MAC

Role-based access control (RBAC) assigns permissions to roles such as Instructor, Finance Analyst, or Help Desk Technician; it shines when job functions are stable. Attribute-based access control (ABAC) uses attributes such as department, device compliance, location, time, data sensitivity, or employment status, fitting dynamic decisions like "allow payroll access only from managed devices during business hours." Discretionary access control (DAC) lets resource owners decide who may access their objects.

Mandatory access control (MAC) enforces central labels and clearances; it is uncommon in ordinary business scenarios but conceptually important and a frequent multiple-choice option.

PBQ-Style Drill

If a prompt asks you to place users into groups, start from the job function and then strip exceptions. Do not grant IT blanket business-data access just because IT administers systems. Use separate privileged accounts for administrative work and normal accounts for email and browsing. Require MFA for remote access and privileged roles. Disable accounts promptly when employment or contracts end. Recertify membership for sensitive systems.

For the training company, create roles for Instructor, Finance, Student Support, IT Admin, and Contractor Support. Give Contractor Support an expiration date and limited case access. Finance should not edit course materials, which also prevents the accidental change that already occurred. Instructors should not see payment details. IT Admin should hold platform-administration rights with logging and approval for sensitive actions. That design is far more defensible than one "staff" group with broad access.

Authentication Factors and Account Lifecycle

CC tests the three authentication factor categories, and combining factors from different categories is what makes MFA strong:

  • Something you know — a password, PIN, or passphrase.
  • Something you have — a hardware token, smart card, or phone authenticator app.
  • Something you are — a biometric such as a fingerprint, face, or iris.

Two passwords are not MFA because both come from the same category. A password plus a one-time code from a token is MFA because it spans "know" and "have." The training-company design should require MFA for remote access and all privileged roles.

The account lifecycle is a frequent scenario theme: provisioning grants access at hire or contract start, periodic reviews confirm access still matches the role, and deprovisioning removes access promptly at termination or contract end. Both incidents in the scenario trace to lifecycle failures — contractors who kept access (missing deprovisioning) and a finance user who could edit course content (over-provisioning). Quarterly recertification and time-bound contractor accounts close both gaps.

Common Traps

When an answer says "give everyone access so work is not delayed," reject it unless the question explicitly describes a temporary, approved, reviewed emergency procedure. Watch for options that improve authentication (MFA) while ignoring over-broad authorization, that rely on shared credentials, that call two passwords "multi-factor," or that leave terminated and contractor accounts active. Security supports the business, but routine convenience never overrides least privilege, need to know, or separation of duties.

Test Your Knowledge

A contractor needs access for 30 days during enrollment season. Which control best supports least privilege and lifecycle management?

Which statement best distinguishes authentication from authorization?

A company grants permissions based on job roles such as Finance Analyst and Instructor. Which access control model is most directly represented?
