Practice SSCP Access Controls questions with full explanations on every answer.
1. A security administrator is implementing an access control model that assigns permissions based on the clearance of the subject and the classification of the object. Which model is being implemented?
2. Which access control model enforces the principle of least privilege by granting permissions based on job functions and requires separation of duties?
3. An organization requires users to authenticate using a password and a one-time code from a mobile app. Which authentication method is being used?
4. A company is implementing a Single Sign-On (SSO) solution that uses XML-based assertions to exchange authentication and authorization data between an identity provider and a service provider. Which protocol is being used?
5. An organization wants to ensure that privileged accounts are used only when needed and that all activities are recorded. Which Privileged Access Management (PAM) control should be implemented?
6. A security analyst is evaluating a biometric system. The system currently has a high number of false rejections. Which metric is most directly related to this issue?
7. A user claims to be 'jsmith' and provides a password. What is the term for the step where the system verifies that the password matches the one on file for 'jsmith'?
8. An organization uses Kerberos for single sign-on. When a user logs in, they receive a Ticket Granting Ticket (TGT). What is the primary purpose of the TGT?
9. A security administrator needs to implement an access control model that grants access based on attributes of the user, resource, and environment, using policy rules. Which model is most appropriate?
10. In a federated identity scenario, a user authenticates to their home domain and accesses a resource in a partner domain. The partner domain trusts the authentication performed by the home domain. What is the home domain's role in this trust relationship?
11. A security engineer is designing a system that must ensure data integrity at all costs, even if it means sacrificing availability. Which access control model and corresponding principle should be applied?
12. An organization is implementing a password policy that requires passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 90 days. Additionally, users cannot reuse any of the last 10 passwords. Which password policy element does the last requirement address?
13. A company is implementing an access control system for a high-security environment. Which TWO of the following are characteristics of Mandatory Access Control (MAC)?
14. An organization is planning to implement a Single Sign-On (SSO) solution. Which THREE of the following are commonly associated with SSO technologies?
15. A security auditor is reviewing the account lifecycle process. Which TWO of the following are mandatory steps during the deprovisioning (offboarding) process?
16. A security administrator is implementing an access control system that uses sensitivity labels on subjects and objects. The policy dictates that a subject can only read objects with a label equal to or lower than the subject's clearance, and can only write to objects with a label equal to or higher than the subject's clearance. Which access control model and principle is being enforced?
17. An organization uses Kerberos for SSO. A user reports that after entering their password, they receive a 'ticket expired' error when trying to access a network share. The system administrator checks the Kerberos configuration. Which ticket is most likely expired?
18. An organization is implementing a federated identity system to allow employees to access a partner's cloud application using their corporate credentials. The solution must support single sign-on and use XML-based assertions. Which technology should be used?
19. Which term describes the process of verifying the identity of a user, system, or entity?
20. A company is implementing a biometric authentication system for physical access to a data center. The system must minimize false acceptances. Which metric is most directly related to false acceptance rate (FAR)?
21. A security analyst is reviewing access controls for a database server. The database administrator has granted all users in the 'sales' role SELECT, INSERT, UPDATE, and DELETE permissions on the 'orders' table. Which access control principle is being violated?
22. An organization uses an ABAC system to control access to documents. Policies are defined using attributes such as user department, document classification, and time of day. Which of the following is an example of an ABAC policy rule?
23. Which of the following is a common method for implementing multi-factor authentication (MFA) using something you have and something you know?
24. An IT administrator needs to deprovision a user who has been terminated. Which of the following actions should be performed first to ensure security?
25. Which access control model allows the owner of a resource to determine who can access it and what permissions they have?
26. A company implements a password policy requiring a minimum length of 12 characters, including uppercase, lowercase, digits, and special characters. Passwords must be changed every 90 days, and the last 10 passwords cannot be reused. After a brute-force attack, several accounts were compromised despite the policy. Which additional control would most effectively mitigate such attacks?
27. What is the primary purpose of a Privileged Access Management (PAM) solution?
28. A security architect is designing an access control system for a healthcare application. The system must ensure that a nurse can view patient records but cannot modify them, and that a doctor can both view and update records. Additionally, the system must prevent a single user from both ordering a medication and approving its administration. Which TWO access control principles are being applied? (Select TWO.)
29. A company is migrating to a cloud-based SaaS application and wants to implement federated identity. Users will authenticate using their existing corporate Active Directory credentials. Which THREE components are essential for a SAML-based federation? (Select THREE.)
30. An organization is reviewing its account lifecycle management process. Which TWO activities are part of the provisioning phase? (Select TWO.)
31. Which access control model allows the owner of a resource to grant access permissions to other users?
32. A security administrator is configuring password policies to meet compliance. Which combination of settings provides the strongest protection against brute-force attacks?
33. In a Bell-LaPadula model implementation, a user with a Secret clearance attempts to read a document classified as Top Secret. Additionally, they try to write to a document classified as Unclassified. What are the results of these actions?
34. Which authentication method uses a time-based one-time password (TOTP) generated by a hardware or software token?
35. An organization implements RBAC to enforce separation of duties. Which of the following is a key benefit of using role-based access control in this context?
36. During a security audit, it is discovered that a service account has been used to log in interactively to a server. The account was originally provisioned only for running a background service. Which PAM (Privileged Access Management) control would best prevent such misuse in the future?
37. Which of the following best describes the concept of accountability in access controls?
38. A biometric system has a high false rejection rate (FRR). Which of the following is a likely consequence?
39. In a federated identity environment using SAML, what is the role of the Identity Provider (IdP) when a user requests access to a service provider (SP)?
40. Which of the following is the correct order of the access control process?
41. An organization uses OAuth 2.0 for delegated access to a cloud storage API. A third-party application requests an access token to read user files. What is the primary purpose of the access token in OAuth?
42. During a user offboarding process, the security team must ensure that the former employee's access is revoked immediately. However, the user's manager requests that the account remain active for a week to review files. What is the BEST practice?
43. A company is implementing single sign-on (SSO) for its internal applications. Which TWO of the following protocols are commonly used for SSO?
44. An organization wants to implement separation of duties to reduce the risk of fraud. Which THREE of the following are common techniques used to enforce separation of duties?
45. A security architect is designing an access control system for a healthcare application that requires fine-grained access decisions based on user role, location, time of day, and patient consent. Which TWO access control models are best suited for this requirement?
46. Which access control model allows the owner of a resource to determine who can access it and what privileges they have?
47. An organization implements a policy requiring passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 60 days. Which password policy elements are being enforced?
48. In a biometric system, the point at which the false rejection rate (FRR) equals the false acceptance rate (FAR) is known as the:
49. An organization uses Kerberos for single sign-on (SSO) within its Windows domain. Which component issues ticket-granting tickets (TGTs) after verifying user credentials?
50. Which access control model enforces security based on classification labels assigned to subjects and objects, commonly used for confidentiality?
51. A security administrator is configuring a system to enforce separation of duties. In which access control model is this principle most directly implemented?
52. An organization uses smart cards with PKI certificates for authentication. Users must insert the card and enter a PIN. This is an example of which authentication method?
53. Which federated identity protocol uses XML-based assertions and provides single sign-on across different security domains?
54. What is the primary purpose of account deprovisioning in the account lifecycle?
55. An organization has implemented a PAM solution for managing privileged accounts. Which feature allows administrators to request temporary elevated access for a specific task?
56. In an OAuth 2.0 authorization flow, a client application receives an access token. This token is used to:
57. A security analyst notices that a service account has been granted domain administrator privileges. Which principle of access control is being violated?
58. A company wants to implement multi-factor authentication (MFA) for remote access. Which TWO of the following are examples of different authentication factors? (Choose TWO.)
59. An organization is designing an access control policy for a new system. Which THREE of the following are fundamental principles that should be incorporated? (Choose THREE.)
60. Which TWO of the following are characteristics of the Biba integrity model? (Choose TWO.)
61. Which access control model allows the owner of a resource to grant permissions to others?
62. An organization wants to implement multi-factor authentication (MFA) for remote access. Which combination represents something you have and something you are?
63. In a Kerberos environment, what is the primary function of the Ticket Granting Ticket (TGT)?
64. An organization implements a Privileged Access Management (PAM) solution. Which capability best describes granting temporary administrative rights just when needed?
65. What is the primary purpose of account deprovisioning?
66. In the Bell-LaPadula model, which property prevents a subject from reading an object at a higher classification level?
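Questions 16, 33, 60 and 66 all turn on the same two lattice rules: Bell-LaPadula forbids reading up and writing down (simple security property and *-property), while Biba is its dual for integrity and forbids reading down and writing up. The following is an added worked example, not part of the Courseiva question bank, that encodes both models over labels made of a level plus a set of compartments (the compartment handling goes slightly beyond the questions, which only mention levels); the level names and the "NATO" compartment are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Confidentiality levels for Bell-LaPadula; Biba reuses the same ints as integrity levels."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = field(default_factory=frozenset)  # compartments, e.g. {"NATO"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return self.level >= other.level and other.categories <= self.categories


# Bell-LaPadula (confidentiality)
def blp_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. Subject clearance must dominate object label."""
    return subject.dominates(obj)


def blp_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. Object label must dominate subject clearance."""
    return obj.dominates(subject)


# Biba (integrity), the dual of Bell-LaPadula
def biba_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down. Object integrity must dominate the subject's."""
    return obj.dominates(subject)


def biba_write(subject: Label, obj: Label) -> bool:
    """* integrity property: no write up. Subject integrity must dominate the object's."""
    return subject.dominates(obj)


RULES = {
    ("blp", "read"): (blp_read, "simple security property (no read up)"),
    ("blp", "write"): (blp_write, "*-property (no write down)"),
    ("biba", "read"): (biba_read, "simple integrity property (no read down)"),
    ("biba", "write"): (biba_write, "* integrity property (no write up)"),
}


def decide(model: str, op: str, subject: Label, obj: Label) -> str:
    """Return 'ALLOW' or 'DENY: <rule>' so an audit log can cite the property that fired."""
    check, name = RULES[(model, op)]
    return "ALLOW" if check(subject, obj) else f"DENY: {name}"


if __name__ == "__main__":
    secret = Label(Level.SECRET)
    print(decide("blp", "read", secret, Label(Level.TOP_SECRET)))   # question 33: DENY (no read up)
    print(decide("blp", "write", secret, Label(Level.UNCLASSIFIED)))  # question 33: DENY (no write down)
    print(decide("blp", "write", secret, Label(Level.TOP_SECRET)))  # allowed: a blind write up
```

The write-up case is the one candidates most often get backwards: under Bell-LaPadula a Secret subject may append to a Top Secret object (it just cannot read the result), which is exactly why integrity-focused systems (question 11) add Biba on top or replace the *-property with a "write at own level only" rule.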
67. An Identity Provider (IdP) sends an XML-based assertion to a Service Provider (SP) to grant access. Which federated identity standard is being used?
68. A security analyst notices that a user's account was used to access sensitive files after the user had left the company. Which access control principle was most likely violated?
69. Which authentication method generates a one-time password that is valid for only a short time window?
70. In Role-Based Access Control (RBAC), what is the purpose of role hierarchy?
71. An organization uses ABAC to control access to a document. Which attribute combination would be used to allow access only during business hours from a managed device?
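Questions 9, 22, 45 and 71 all ask what an ABAC rule looks like; the distinguishing point is that the decision combines subject, resource and environment attributes in a policy instead of a static assignment. The following is an added example, not from the Courseiva question bank, of a small policy evaluator with one permit rule built from the attributes those questions name: department, document classification, time of day and device state. The attribute names, the 09:00 to 17:00 weekday definition of business hours, and the sample request contexts are constructed for illustration.

```python
from datetime import datetime
from typing import Callable, Dict, List

Context = Dict[str, dict]   # {"subject": {...}, "resource": {...}, "environment": {...}}
Condition = Callable[[Context], bool]

CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


# Individual attribute predicates; each looks at a different attribute source.
def same_department(ctx: Context) -> bool:
    return ctx["subject"]["department"] == ctx["resource"]["department"]


def clearance_covers_classification(ctx: Context) -> bool:
    return CLEARANCE_RANK[ctx["subject"]["clearance"]] >= CLEARANCE_RANK[ctx["resource"]["classification"]]


def business_hours(ctx: Context) -> bool:
    """Environment attribute: Monday to Friday, 09:00 to 17:00 local time."""
    when: datetime = ctx["environment"]["time"]
    return when.weekday() < 5 and 9 <= when.hour < 17


def managed_device(ctx: Context) -> bool:
    return ctx["environment"]["device"].get("managed", False) is True


# A policy is an ordered list of rules; every condition of a rule must hold for it to fire.
POLICY: List[dict] = [
    {
        "name": "read-departmental-documents",
        "action": "read",
        "effect": "permit",
        "conditions": [same_department, clearance_covers_classification, business_hours, managed_device],
    },
]


def decide(ctx: Context, action: str) -> dict:
    """Default deny: the first rule whose action and conditions all match determines the effect."""
    for rule in POLICY:
        if rule["action"] != action:
            continue
        failed = [c.__name__ for c in rule["conditions"] if not c(ctx)]
        if not failed:
            return {"effect": rule["effect"], "rule": rule["name"]}
        # keep evaluating other rules, but remember why this one did not match
        last_failed = failed
    return {"effect": "deny", "rule": None, "failed": locals().get("last_failed", ["no rule for action"])}


def make_ctx(department="finance", clearance="confidential", doc_dept="finance",
             classification="confidential", when=datetime(2024, 1, 16, 10, 30), managed=True) -> Context:
    """Constructed sample request; 2024-01-16 10:30 is a Tuesday morning."""
    return {
        "subject": {"department": department, "clearance": clearance},
        "resource": {"department": doc_dept, "classification": classification},
        "environment": {"time": when, "device": {"managed": managed}},
    }


if __name__ == "__main__":
    print(decide(make_ctx(), "read"))                                       # permit
    print(decide(make_ctx(when=datetime(2024, 1, 16, 20, 0)), "read"))       # deny: business_hours
    print(decide(make_ctx(managed=False), "read"))                          # deny: managed_device
```

The returned `failed` list is what makes ABAC decisions auditable: a denial names the attribute predicate that did not hold, which is the information an access review (questions 21 and 37) needs, and changing who may read finance documents means editing one rule rather than re-assigning roles or ACL entries.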
72. What is the primary risk associated with service accounts in an enterprise?
73. An organization is planning to implement multi-factor authentication. Which TWO of the following are valid authentication factors?
74. A security administrator is designing an identity federation solution. Which THREE of the following are commonly used federation standards?
75. During an access control audit, you find that a user has been assigned to two mutually exclusive roles. Which TWO principles are most likely violated?
76. A security administrator is configuring a new system and wants to enforce a mandatory access control model to ensure confidentiality of classified data. Which access control model should the administrator implement?
77. An organization is implementing a privileged access management (PAM) solution. Which THREE of the following are common PAM capabilities?
78. A company is adopting a role-based access control (RBAC) model. Which TWO principles are fundamental to RBAC?
79. A security analyst is investigating an account compromise. The organization uses Kerberos for single sign-on. Which TWO of the following would help in tracking the source of the compromise?
80. An organization is implementing multi-factor authentication (MFA). Which TWO of the following are examples of something you have?
81. A security engineer is designing a federated identity solution for cross-domain authentication. Which THREE of the following technologies are commonly used?
The Access Controls domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 81 questions in the Access Controls domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.