SSCP · topic practice

Access Controls practice questions

Use this page to practise ACL questions. The most common mistake is ignoring ACL direction — an ACL applied inbound and outbound behaves very differently even with identical rules.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Access Controls

What the exam tests

What to know about Access Controls

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

  • Standard versus extended ACL behaviour.
  • Top-down processing and the implicit deny rule.
  • Source, destination, protocol and port matching.
  • Inbound versus outbound ACL placement on the correct interface.

Watch out for

Common Access Controls exam traps

  • ACLs are processed from top to bottom; the first match wins.
  • There is an implicit deny at the end of every ACL.
  • Standard ACLs match source only; extended ACLs can match protocol, source, destination and ports.
  • Applying an ACL in the wrong direction makes a correct ACL look broken.

Practice set

Access Controls questions

20 questions · select your answer, then reveal the explanation

A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?

Question 2 · medium · multiple choice

An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?

During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?

Question 4 · easy · multiple choice

An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?

Question 5 · medium · multiple choice

A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:

An organization is implementing an access control system where access decisions are based on the sensitivity of the resource and the clearance of the user. Which model is being used?

A security policy requires that all access to sensitive data be logged. Which access control function does this support?

Question 8 · medium · multiple choice

A user reports that they cannot access a network share. The administrator checks the share permissions and NTFS permissions. The share permission allows Everyone: Read, and the NTFS permission allows the user: Full Control. What is the user's effective access?

An organization wants to implement a centralized authentication system that supports single sign-on and uses tickets. Which technology should they choose?

Which TWO of the following are examples of biometric authentication? (Choose two.)

Which THREE are appropriate controls to prevent unauthorized access to a data center? (Choose three.)

Question 12 · easy · multi-select

Which TWO are components of the AAA framework? (Choose two.)

Question 13 · hard · multiple choice

You are the security administrator for a healthcare organization that uses a Windows Active Directory domain. The organization has recently implemented a new electronic health record (EHR) system that requires users to authenticate before accessing patient data. The EHR system uses Kerberos for authentication. Users report that they can access the EHR system from their office workstations, but when they attempt to access it remotely via VPN, they receive an 'Access Denied' error. The VPN uses RADIUS for authentication and assigns IP addresses from a separate subnet. The EHR server is in the same domain as the workstations. You verify that the users are able to connect to the VPN successfully and can access other internal resources. What is the most likely cause of the issue?

Question 14 · medium · multiple choice

You are a security analyst at a financial institution. The company uses a role-based access control (RBAC) system for its internal banking application. Recently, the compliance team discovered that a teller, who should only have access to customer account information for their branch, was able to view account details for customers in other branches. The RBAC system assigns roles based on job titles. You review the configuration and find that the 'Teller' role has a permission that allows viewing all customer accounts, regardless of branch. The company wants to enforce branch-level restrictions. Which of the following is the best approach to address this issue?

Drag and drop the steps for configuring a Windows Firewall rule to allow inbound RDP traffic into the correct order.


Match each authentication factor to its category.


  • Something you know
  • Something you have
  • Something you are
  • Something you do

Question 17 · easy · multiple choice

A help desk technician needs to reset a user's password but should not be able to modify other user attributes. Which access control principle should be applied to enforce this restriction?

Question 18 · medium · multiple choice

A company uses role-based access control (RBAC). A user is assigned to the 'Sales' role, which grants access to CRM and reporting, and also to the 'Sales Manager' role, which grants additional access to team reports. However, the user cannot access team reports. What is the most likely cause?

Question 19 · hard · multiple choice

An organization implements an attribute-based access control (ABAC) system with the following policy: if user.role == 'doctor' and resource.type == 'patient_record' and environment.time between 08:00-18:00 then permit. A doctor tries to access a patient record at 20:00. What is the result?

Question 20 · easy · multiple choice

Which access control model is best suited for a military environment where data classification (Unclassified, Confidential, Secret, Top Secret) and subject clearance levels are the primary factors for access decisions?


Focused Access Controls sessions

Start an Access Controls-only practice session

Every question in these sessions is drawn from the Access Controls domain — nothing else.

Related practice questions

Related SSCP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SSCP exam test about Access Controls?
ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Access Controls questions in a focused session?
Yes — the session launcher on this page draws every question from the Access Controls domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SSCP topics?
Use the topic links above to move to related areas, or go back to the SSCP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SSCP exam covers. They are not copied from any real exam or dump site.