Practice CC Access Controls Concepts questions with full explanations on every answer.
1. An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?
2. A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?
3. Which access control model uses subject and object labels to enforce access based on a security policy?
4. A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?
5. An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?
6. Which TWO are characteristics of Role-Based Access Control (RBAC)?
7. Which THREE are valid methods for authenticating a user in an access control system?
8. You are the security administrator for a mid-sized e-commerce company. The company uses a Linux-based web server running Apache, with a MySQL database backend. User authentication is handled via LDAP. Recently, the security team discovered that a former employee's account was used to access the customer database two weeks after the employee was terminated. The account had not been disabled. The database contains personally identifiable information (PII). The incident was traced to an internal IP address from the marketing department. The marketing department's network segment is not segregated from the database server. Additionally, the database server's firewall rules allow any internal IP to connect to the MySQL port (3306). The company has a written policy that accounts must be disabled within 24 hours of termination, but the HR department did not notify IT in a timely manner. Which combination of controls would BEST prevent a recurrence of this incident?
9. A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?
10. A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)
11. Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?
12. Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.
13. Drag and drop the steps to implement a firewall rule allowing inbound HTTPS traffic into the correct order.
14. Match each security control type to its description.
15. Match each authentication factor to an example.
16. A system administrator needs to grant a user the ability to read files in a specific folder but not modify them. Which access control principle should be applied?
17. A financial company requires that any transaction over $10,000 must be approved by two different managers before being processed. This is an example of which access control principle?
18. During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?
19. An organization implements an access control system where users are assigned to groups, and permissions are granted to groups rather than individuals. This is known as:
20. A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?
21. In a defense-in-depth strategy, which access control mechanism provides the most granular control over user permissions?
22. Which access control model allows the owner of a resource to decide who can access it?
23. A system administrator notices that a user has been granted read and write permissions to a folder but should only have read access. Which type of access control issue does this represent?
24. When implementing a role-based access control (RBAC) system, what is the primary challenge organizations face?
25. An organization is implementing a new access control system based on the principle of least privilege. Which two of the following practices are essential to achieving least privilege? (Select TWO)
26. A security analyst is troubleshooting an access control issue where a user cannot access a file even though they seem to have the correct permissions. Which three of the following should the analyst investigate? (Select THREE)
27. Which two of the following are examples of physical access controls? (Select TWO)
28. Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?
29. Refer to the exhibit. A user from the Auditors group is unable to access the folder. What is the most likely cause?
30. Refer to the exhibit. A user with this policy tries to list objects in bucket1 but gets an access denied error. What is the most likely reason?
31. A company needs to enforce access based on attributes such as time of day and location. Which access control model is most appropriate?
32. An organization wants to ensure that no single employee can both request and approve a payment. Which access control principle does this enforce?
33. In a MAC environment implementing Bell-LaPadula, a subject with Secret clearance attempts to read an object classified as Confidential and write to an object classified as Top Secret. Which operations are permitted?
34. Which authentication factor does a smart card represent?
35. After a reorganization, a company using RBAC finds that many users have accumulated permissions that no longer align with their job functions. What is the best practice to address this?
36. In a Bell-LaPadula MAC model, which of the following operations is prohibited?
37. What is the primary purpose of identification in the context of access control?
38. Which component of the AAA framework determines what resources an authenticated user can access?
39. In a typical Windows environment, which access control model is used for managing file permissions?
40. Based on the exhibit, which statement about the access control list is true?
41. An IAM policy is shown in the exhibit. Which action is permitted for the attached user?
42. The exhibit shows recent authentication logs. What type of attack is most likely indicated?
43. Which TWO of the following are examples of physical access controls?
44. Which TWO scenarios best illustrate the principle of least privilege?
45. Which THREE components are part of the AAA framework?
46. A help desk technician needs to reset a user's password, but the security policy requires that the technician does not know the new password. Which access control concept prevents the technician from knowing the password?
47. An organization implements a policy where users must swipe their ID card and enter a PIN to access a secure room. This is an example of which access control principle?
48. After a security audit, a company discovers that several employees have access to financial systems that are not required for their job roles. Which access control model would best prevent this issue in the future?
49. A system administrator needs to grant a contractor temporary access to a server for patching. The contractor should only have access during the patching window. Which access control implementation method is most appropriate?
50. A company uses a mandatory access control (MAC) system where all files are labeled 'Confidential', 'Secret', or 'Top Secret'. A user with 'Secret' clearance tries to read a 'Top Secret' file. What is the outcome?
51. An organization wants to implement a system that enforces access decisions based on a user's attributes (e.g., department, clearance, time) and environmental conditions. Which model is best?
52. Which TWO are examples of technical access controls?
53. Which TWO are principles of access control?
54. Which THREE are examples of administrative access controls?
55. A financial firm has a data center with strict access controls. Employees must use smart cards and PINs to enter a mantrapped entrance. Recently, an unauthorized person gained access by following an employee through the mantrapped door (tailgating). The security team reviews logs and finds that the door was opened twice in quick succession, indicating tailgating occurred. The firm wants to implement a solution that prevents tailgating without slowing down authorized access. Which action should they take?
56. A hospital uses role-based access control (RBAC) for its electronic health records. Nurses can view patient records; doctors can view and edit; administrators can only view administrative data. Recently, a nurse was able to edit a patient's record, which should only be allowed for doctors. The investigation finds that the nurse's role was incorrectly assigned a 'doctor' role due to a misconfiguration. To prevent recurrence, the access control system should be reviewed. Which is the best long-term solution?
57. A small business uses a cloud file storage service that allows sharing links. An employee mistakenly shared a folder containing customer data via a public link. The business wants to prevent such incidents in the future without blocking legitimate sharing. Which access control method should they implement?
58. A government agency uses a multi-level security system with mandatory access control (MAC). A user with Secret clearance attempts to write data to a file classified as Confidential. Under the Bell-LaPadula model, which rule applies and what is the outcome?
The Access Controls Concepts domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 58 questions in the Access Controls Concepts domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Access Controls Concepts domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.