A nondiscretionary access control technique based on a set of operational rules or restrictions to enforce a least privileges policy is known as which?


Multiple Choice

A nondiscretionary access control technique based on a set of operational rules or restrictions to enforce a least privileges policy is known as which?

Explanation:
Rule-Based Access Control relies on a fixed set of operational rules that determine whether a subject can access a resource. Because decisions come from these predefined rules rather than user discretion, this approach is nondiscretionary and supports a least-privilege posture: access is granted only when the rules permit it, often considering conditions like time, location, or authentication level. This makes it the best fit for a description centered on a rule-driven mechanism enforcing restricted rights across the board. Access Control Lists are discretionary, letting owners grant permissions; Least Privilege is a guiding principle, not a mechanism; ABAC uses attributes and policies and can be rule-driven, but the standard terminology for a system defined by a fixed rule set is Rule-Based Access Control.

