I'm synthesizing, not memorizing, and trying to stay "a mile wide and an inch deep" as my focus. With that being said... what's the difference between Non-RBAC and DAC? You said "instead of having roles, we simply go to a direct grant to the user, so it's bypassing the concept of roles." Thought being: if on the exam they describe a system that does not offer centrally managed roles and where users can directly modify the ACL... how do you know if that's DAC or Non-RBAC? (Sorry, I've had a lot of time to study these past two days.) Hopefully I'm staying a mile wide and an inch deep on this one.
-
CISSP - Non-RBAC
-
Jeff,
Non-RBAC vs. DAC... Let's see:
Yes, Non-RBAC is a grant directly to the user, instead of based on a role.
Yes, DAC does allow for assignment to a user, but it could also allow for assignment based on a role or a group, if the owner were so inclined and such roles or groups existed in the directory service or on the local machine where the resource was homed.
Also, keep in mind that as I define DAC in the episode:
Discretionary Access Control (DAC) - placed on data by the owner of the data. The owner determines who has access to the data and what privileges they have. The data owner has the power to determine who can (and cannot) access the data based on the business requirements and constraints affecting the owner. While the owner never has the ability to ignore, or contradict the organization’s access control policies, he or she has the ability to interpret those policies to fit the specific needs of his or her system and his or her users.
In other words, Non-RBAC is the absence of a role based assignment, while DAC could involve the use of a role based or group or individual user based assignment.
Hope that helps to clarify.
Cheers,
Adam
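To make the distinction in Adam's answer concrete, here is an added toy model (example code written for this page, not code from the thread, the CISSP material or any real product). It assumes a hypothetical central directory of groups and roles, a resource whose owner alone may edit its ACL (DAC), ACL entries that name a user directly (the "non-RBAC" grant) alongside entries that name a group or role, and a separate RBAC policy in which permissions bind only to roles and no per-user grant exists. All names (alice, bob, payroll.xlsx, payroll_clerk) are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A resource with an owner who manages its ACL (the DAC part)."""
    name: str
    owner: str
    # ACL entries: (principal_type, principal, permissions), where
    # principal_type is "user", "group" or "role".
    acl: list = field(default_factory=list)


class Directory:
    """Hypothetical central directory; admins maintain groups and roles."""
    def __init__(self):
        self.groups = {}  # group name -> set of users
        self.roles = {}   # role name  -> set of users

    def add_to_group(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def assign_role(self, role, user):
        self.roles.setdefault(role, set()).add(user)


def dac_set_acl(resource, actor, principal_type, principal, perms):
    """DAC: only the owner may change the ACL. A "user" entry is the direct,
    non-RBAC grant; "group" and "role" entries defer to directory membership."""
    if actor != resource.owner:
        raise PermissionError(f"{actor} is not the owner of {resource.name}")
    resource.acl.append((principal_type, principal, frozenset(perms)))


def dac_check(resource, directory, user, perm):
    """Owner is always allowed; otherwise walk the ACL, expanding groups/roles."""
    if user == resource.owner:
        return True
    for ptype, principal, perms in resource.acl:
        if perm not in perms:
            continue
        if ptype == "user":
            members = {principal}
        else:
            table = directory.groups if ptype == "group" else directory.roles
            members = table.get(principal, set())
        if user in members:
            return True
    return False


class RbacPolicy:
    """RBAC: permissions bind to roles centrally; no per-user grant exists."""
    def __init__(self, directory):
        self.directory = directory
        self.role_perms = {}  # (role, resource name) -> set of permissions

    def grant_role(self, role, resource_name, perms):
        self.role_perms.setdefault((role, resource_name), set()).update(perms)

    def check(self, user, resource_name, perm):
        return any(
            user in members and perm in self.role_perms.get((role, resource_name), set())
            for role, members in self.directory.roles.items()
        )


def demo():
    """Constructed scenario; returns every access decision for inspection."""
    directory = Directory()
    directory.add_to_group("finance", "carol")
    directory.assign_role("payroll_clerk", "erin")

    payroll = Resource("payroll.xlsx", owner="alice")
    dac_set_acl(payroll, "alice", "user", "bob", {"read"})               # direct grant
    dac_set_acl(payroll, "alice", "group", "finance", {"read", "write"})  # via group
    dac_set_acl(payroll, "alice", "role", "payroll_clerk", {"read"})     # via role

    try:  # a non-owner cannot touch the ACL, even to grant to himself
        dac_set_acl(payroll, "bob", "user", "bob", {"write"})
        bob_changed_acl = True
    except PermissionError:
        bob_changed_acl = False

    rbac = RbacPolicy(directory)
    rbac.grant_role("payroll_clerk", "payroll.xlsx", {"read"})

    return {
        "dac_bob_read": dac_check(payroll, directory, "bob", "read"),
        "dac_bob_write": dac_check(payroll, directory, "bob", "write"),
        "dac_carol_write": dac_check(payroll, directory, "carol", "write"),
        "dac_erin_read": dac_check(payroll, directory, "erin", "read"),
        "dac_dave_read": dac_check(payroll, directory, "dave", "read"),
        "dac_bob_changed_acl": bob_changed_acl,
        "rbac_erin_read": rbac.check("erin", "payroll.xlsx", "read"),
        "rbac_bob_read": rbac.check("bob", "payroll.xlsx", "read"),
    }
```

The point the model makes: what marks DAC is who controls the ACL (the owner, in `dac_set_acl`), not what kind of principal appears in it; a "user" entry is a non-RBAC grant living inside a DAC system, and the same owner can just as well grant to a group or role. In `RbacPolicy` the grant surface has no user parameter at all, which is the centrally managed, role-only arrangement the question contrasts against.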