CISA Certified Information Systems Auditor – Question 1470

An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?

A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary

Correct Answer: B

Explanation:
Role-based access control governs system access by defining roles for groups of users. Users are assigned to the various roles, and access is granted based on the user’s role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in access control management.