Exercises: Authorization and Access Control
These exercises move from the vocabulary of access control to the judgment a real review demands. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.
Work in your own notebook or a private repository. Where an exercise asks you to design a role, score a risk, or write a policy, there is rarely one perfect answer; the reasoning matters more than the wording. Use documentation-only values (no real account names, no real wire amounts tied to a real bank).
Part A — Core vocabulary ⭐
1.† In one sentence each, define authentication, authorization, and accounting, then write one sentence that uses all three correctly in the story of an employee approving a wire transfer.
2. Classify each as relating primarily to authentication, authorization, or accounting: (a) a FIDO2 security key; (b) an RBAC role assignment; (c) a log entry "user X approved wire #4471"; (d) a password; (e) a segregation-of-duties rule; (f) a record of every file a user opened; (g) an ABAC policy requiring a managed device.
3. For each access-control model — DAC, MAC, RBAC, ABAC — state in one phrase who or what decides access, and give one real system or context where you have seen it.
4.† Define privilege creep in one sentence, then explain the "asymmetry of access granting" that drives it. Which lifecycle event (joiner, mover, or leaver) generates the most creep, and why?
5. Define segregation of duties (applied to access) and give two examples of high-risk actions (other than a wire transfer) that organizations commonly split across two people.
6. Distinguish a policy decision point from a policy enforcement point in one sentence each, and state which one must be unbypassable and which one holds the policy logic.
7. What is an access control matrix? Name the two ways real systems store it instead of a literal dense grid, and say which one is per-resource and which is per-subject.
Part B — Models & comparison ⭐⭐
8.† A requirement reads: "A nurse may read a patient's chart only if the nurse is assigned to that patient's ward, only during the nurse's shift, and only from a hospital-managed workstation." (a) Can pure RBAC express all three conditions? (b) Which model can, and which specific attributes does each condition rely on (subject / resource / environment)? (c) Sketch the rule in plain "permit if …" form.
9. Your team inherits a system using DAC (owners share resources at will) for a folder of sensitive loan documents. List three concrete risks this creates, and propose what you would change (you cannot abolish DAC at the OS level — work with it).
10.† Explain why "strong authentication makes weak authorization worse." Give a concrete two-line scenario where flawless MFA increases, rather than decreases, the damage of an over-permissioned account.
11. Meridian wants device-posture and time-of-day conditions on wire approvals but keeps job-function access in roles. Describe the "RBAC backbone + ABAC conditions" pattern and explain one advantage of this hybrid over pure ABAC for auditability.
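Worked illustration (added to this edition; not the chapter's authz.py, and not the appendix solution to Exercise 8 or 11): the "RBAC backbone + ABAC conditions" pattern of Exercise 11, with the nurse-and-chart requirement of Exercise 8 as the policy. Roles carry the coarse permission; three short predicates carry the conditions, each commented with the kind of attribute (subject, resource, environment) it reads. The role names, attribute names and sample records are assumptions made for this example.

```python
"""RBAC backbone + ABAC conditions behind one PDP, with a fail-closed PEP.

Added illustration, not the chapter's authz.py. The role names, attribute
names and sample records below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import time

# RBAC backbone: job function -> coarse permissions. This is what the role
# catalog and the access review see.
ROLE_PERMISSIONS = {
    "nurse": {"chart:read"},
    "physician": {"chart:read", "chart:write"},
}


# ABAC conditions: predicates over subject (S), resource (R) and environment (E)
# attributes. Each comment names which attributes the predicate consults.
def same_ward(s, r, e):
    return r["ward"] in s["assigned_wards"]          # R.ward vs S.assigned_wards


def on_shift(s, r, e):
    start, end = s["shift"]                          # S.shift vs E.now
    return start <= e["now"] < end


def managed_workstation(s, r, e):
    return e["device_managed"] is True               # E.device_managed


CONDITIONS = {"chart:read": [same_ward, on_shift, managed_workstation]}


@dataclass
class Decision:
    permit: bool
    reason: str


def decide(subject, action, resource, env):
    """Policy decision point: default deny, roles first, then every condition."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject["roles"]))
    if action not in granted:
        return Decision(False, f"no role grants {action}")
    for cond in CONDITIONS.get(action, []):
        if not cond(subject, resource, env):
            return Decision(False, f"condition failed: {cond.__name__}")
    return Decision(True, "permit")


def enforce(subject, action, resource, env, pdp=decide):
    """Policy enforcement point: the one gate every request passes through.
    If the PDP raises (unreachable, missing or malformed attributes), deny."""
    try:
        return pdp(subject, action, resource, env)
    except Exception as exc:  # fail closed on any PDP failure
        return Decision(False, f"pdp failure, denying: {exc!r}")


# Constructed sample records (documentation-only values)
NURSE = {"roles": ["nurse"], "assigned_wards": {"W3"}, "shift": (time(7), time(19))}
CHART = {"patient": "P-1001", "ward": "W3"}


def demo():
    """One permit and four denials, each tripping a different layer."""
    day = {"now": time(10, 30), "device_managed": True}
    night = {"now": time(2, 14), "device_managed": True}
    byod = {"now": time(10, 30), "device_managed": False}
    return {
        "on_shift_managed": enforce(NURSE, "chart:read", CHART, day).permit,
        "off_shift": enforce(NURSE, "chart:read", CHART, night).permit,
        "unmanaged_device": enforce(NURSE, "chart:read", CHART, byod).permit,
        "other_ward": enforce(NURSE, "chart:read", dict(CHART, ward="W7"), day).permit,
        "no_role": enforce(dict(NURSE, roles=[]), "chart:read", CHART, day).permit,
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:18} -> {'PERMIT' if permitted else 'DENY'}")
```

Reading it: the role catalog still answers "who can read charts?" with one lookup, which is the auditability argument Exercise 11 asks for, while the conditions stay short enough to review by eye. The PEP is the only path to the PDP and treats any PDP failure (including a request that arrives without an environment attribute) as a denial.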
12. SELinux on a Linux host and a military classified-document system are both called mandatory access control. In two or three sentences, explain what makes both "mandatory" despite operating on completely different kinds of subjects and objects.
Part C — Design the roles ⭐⭐–⭐⭐⭐
13.† Design it. A small credit union has these branch jobs: cashier (deposits/withdrawals), lead cashier (cashier + transaction reversals under a limit), member-services rep (open/close accounts, update member info), branch manager (approves exceptions, reads reports), and a back-office payments clerk (sets up and releases ACH payments). Design an RBAC role set: (a) define a base role; (b) use a role hierarchy where sensible; (c) identify at least one segregation-of-duties split you must build in, and say why. Present your answer as a role → permissions table.
14. Find the role explosion. An access export shows 47 roles for 60 employees. A sample:
Teller, Teller_v2, Teller_Jane, Teller_Reporting, Teller_West_Temp, Loan_Officer, Loan_Officer_Backup_for_Sam
Diagnose what went wrong, name the condition, and describe how you would consolidate these into a healthy role structure. Which design habit created the mess?
15. Take the Meridian branch role table from §17.3. The bank opens a new "small-business banker" job that needs everything a senior teller can do plus the ability to open business accounts and read (but not approve) wire queues. Add this role to the hierarchy without duplicating permissions, and state explicitly what it must not be allowed to do.
16. ⭐⭐⭐ A stakeholder demands a new role, Manager_Override, that "can do anything a manager might ever need, just in case." Argue against this request in the language of least privilege and blast radius, then propose a safer alternative that still lets managers handle genuine emergencies.
Part D — Find the privilege creep ⭐⭐
17.† Analyze this entitlement record. Here is one employee's accumulated role grants, with the year each was added (illustrative):
user: m.delgado
2019 Teller (hired)
2020 Senior_Teller (promoted)
2021 Branch_Ops (6-week coverage; ticket says "temporary")
2022 Reporting_Admin (project "Atlas"; project closed 2022-Q4)
2024 Wire_Approver (covering an absent approver; still active)
current job title: Senior Teller
Known role contents: Senior_Teller includes reverse_txn; Branch_Ops includes initiate_wire; Wire_Approver includes approve_wire. (a) Which grants are stale relative to the current job? (b) Identify the toxic combination and explain why it is dangerous. (c) For each stale grant, name the control that should have removed it.
18. Why will reviewing this employee's permissions one at a time fail to catch the problem in Exercise 17? Rewrite the review question so that it would catch it.
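Worked illustration (added to this edition; constructed values, not the appendix solution): the two review questions Exercise 18 contrasts, run over the Exercise 17 record. per_grant_review inspects each role in isolation and reports nothing; review first flattens every held role into one effective-permission set and only then asks about forbidden pairs and grants the current job does not justify. Role contents follow Exercise 17; the grant expiry dates, the job-title baseline and the SoD pair list are assumptions made for this example.

```python
"""Access review over effective permissions rather than one grant at a time.

Added illustration. Role contents follow Exercise 17; the grant dates, the
job-title baseline and the SoD pair list are assumptions made for this
example (documentation-only values).
"""
from datetime import date

ROLE_PERMISSIONS = {
    "Teller": {"read_customer", "create_txn"},
    "Senior_Teller": {"read_customer", "create_txn", "reverse_txn"},
    "Branch_Ops": {"initiate_wire"},
    "Reporting_Admin": {"read_reports", "manage_reports"},
    "Wire_Approver": {"approve_wire"},
}

# Which roles a job title justifies (assumed baseline from the role catalog)
JOB_BASELINE = {"Senior Teller": {"Teller", "Senior_Teller"}}

# Permission pairs no single identity may hold (extend per the SoD policy)
TOXIC_PAIRS = [("initiate_wire", "approve_wire")]

# One employee's accumulated grants; expiry dates are assumed from the tickets
GRANTS = [
    {"role": "Teller",          "granted": date(2019, 3, 1),  "expires": None,               "note": "hired"},
    {"role": "Senior_Teller",   "granted": date(2020, 6, 1),  "expires": None,               "note": "promoted"},
    {"role": "Branch_Ops",      "granted": date(2021, 2, 1),  "expires": date(2021, 3, 15),  "note": "6-week coverage, ticket says temporary"},
    {"role": "Reporting_Admin", "granted": date(2022, 1, 10), "expires": date(2022, 12, 31), "note": "project Atlas, closed 2022-Q4"},
    {"role": "Wire_Approver",   "granted": date(2024, 8, 5),  "expires": None,               "note": "covering an absent approver"},
]
REVIEW_DATE = date(2025, 1, 15)


def effective_permissions(grants):
    """Flatten every held role into permission -> set of roles that confer it."""
    perms = {}
    for g in grants:
        for p in ROLE_PERMISSIONS.get(g["role"], ()):
            perms.setdefault(p, set()).add(g["role"])
    return perms


def toxic_combinations(perms):
    """SoD check on the flattened set: forbidden pairs held, and via which roles."""
    return [(a, sorted(perms[a]), b, sorted(perms[b]))
            for a, b in TOXIC_PAIRS if a in perms and b in perms]


def stale_grants(grants, job_title, today):
    """Grants the current job does not justify: expired temporaries, or roles
    outside the job's baseline that never carried an expiry at all."""
    baseline = JOB_BASELINE.get(job_title, set())
    stale = []
    for g in grants:
        if g["role"] in baseline:
            continue
        if g["expires"] is not None and g["expires"] < today:
            stale.append((g["role"], "expired " + g["expires"].isoformat()))
        else:
            stale.append((g["role"], f"not in baseline for {job_title}"))
    return stale


def per_grant_review(grants):
    """The naive review: each role inspected alone, so a pair split across
    two roles is never seen."""
    return [g["role"] for g in grants
            if any({a, b} <= ROLE_PERMISSIONS.get(g["role"], set()) for a, b in TOXIC_PAIRS)]


def review(user, job_title, grants, today=REVIEW_DATE):
    """The review question rewritten: what can this identity do in total, and
    does any of it combine into a forbidden pair or outlive its justification?"""
    perms = effective_permissions(grants)
    return {"user": user, "toxic": toxic_combinations(perms),
            "stale": stale_grants(grants, job_title, today)}


def review_delgado():
    return review("m.delgado", "Senior Teller", GRANTS)


if __name__ == "__main__":
    print("per-grant review finds:", per_grant_review(GRANTS))
    print("effective-permission review finds:", review_delgado())
```

The stale list also shows the two different controls Exercise 17(c) is after: a grant with an expiry that passed points at a missing automated revocation, while an open-ended grant outside the job baseline points at a mover/coverage process that never scheduled one.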
19.† A manager asks you to provision a new hire by "copying m.delgado's access so they can hit the ground running." Explain, in three sentences a non-technical manager would accept, why this is dangerous and what to do instead.
20. Propose a periodic-access-review cadence for a bank: which roles get reviewed quarterly, which annually, and what makes a review real rather than a rubber stamp. Tie each choice to risk.
Part E — Write the policy / rule ⭐⭐–⭐⭐⭐
21.† Write the policy. Draft a 4–6 bullet segregation-of-duties policy section for Meridian's access-control standard. It must: enumerate at least three forbidden permission combinations (wire initiate/approve being one); state that the combinations are blocked both at provisioning and at runtime; require self-approval prevention; and specify a review cadence. Use plain policy language.
22. Write the ABAC rule. Express, as a single "permit if …" policy with explicit conditions, the rule: "a loan officer may read a credit report only for an applicant whose branch matches the officer's branch, only from a managed device on the corporate network, only during business hours." Identify which attribute is subject, resource, or environment.
23.† Write the runtime check (pseudocode or Python). Using the authz.py shape from the chapter, write a function can_approve_wire(approver, wire) that returns True only if: the approver's roles grant approve_wire; the approver is not the same person who initiated the wire; and (if the amount exceeds a threshold) a second, distinct approver is also recorded. Show a hand-traced expected output for one allowed and one denied case. Do not execute it.
24. Harden the matrix. Given the (deliberately broken) access matrix below, list every change you would make to bring it into least privilege and segregation of duties, and justify each.
Role \ Resource | Customers | Txns       | Wire:init | Wire:approve | Reports
Teller          | read,open | create     | -         | -            | read   <-- ?
Senior_Teller   | read,open | create,rev | initiate  | approve      | -      <-- ?
Branch_Manager  | read,open | create,rev | initiate  | approve      | read   <-- ?
Intern          | read,open | create     | -         | -            | read   <-- ?
Part F — Model the access matrix (analysis) ⭐⭐
25.† Read the matrix in Exercise 24 down the Wire:approve column and across the Branch_Manager row. State, for each reading, exactly what question it answers and what concerning fact it reveals.
26. Convert this small access list into (a) the equivalent access-control-matrix row(s), and (b) a one-sentence capability description for the subject:
file: payroll.xlsx ACL: {alice: read, write; bob: read; payroll_role: read, write}
27. A reviewer says "ACLs and capabilities are just two ways of slicing the same matrix." Explain what they mean, and give one operational situation where the ACL (per-resource) view is more convenient and one where the capability (per-subject) view is more convenient.
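Worked illustration (added to this edition; not the appendix solution): the Exercise 24 matrix held as a dense grid and sliced into the two views Exercise 27 names, per-resource ACLs and per-subject capability lists, with the column and row readings of Exercise 25 as functions and the Exercise 26 ACL converted back into matrix rows. The cell values are the page's own; the helper names and the set-of-rights encoding are this example's assumptions.

```python
"""One access-control matrix, three views: dense grid, per-resource ACLs,
per-subject capability lists.

Added illustration. Cell values come from the Exercise 24 table; helper
names and the encoding (a set of rights per cell, empty set for '-') are
this example's own.
"""

MATRIX = {
    "Teller":         {"Customers": {"read", "open"}, "Txns": {"create"},        "Wire:init": set(),        "Wire:approve": set(),       "Reports": {"read"}},
    "Senior_Teller":  {"Customers": {"read", "open"}, "Txns": {"create", "rev"}, "Wire:init": {"initiate"}, "Wire:approve": {"approve"}, "Reports": set()},
    "Branch_Manager": {"Customers": {"read", "open"}, "Txns": {"create", "rev"}, "Wire:init": {"initiate"}, "Wire:approve": {"approve"}, "Reports": {"read"}},
    "Intern":         {"Customers": {"read", "open"}, "Txns": {"create"},        "Wire:init": set(),        "Wire:approve": set(),       "Reports": {"read"}},
}

# The Exercise 26 access list, in the same encoding
PAYROLL_ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"},
                                "payroll_role": {"read", "write"}}}


def to_acls(matrix):
    """Per-resource view: resource -> {subject: rights}. Empty cells are dropped,
    which is exactly the storage saving an ACL buys over the dense grid."""
    acls = {}
    for subject, row in matrix.items():
        for resource, rights in row.items():
            if rights:
                acls.setdefault(resource, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Per-subject view: subject -> {resource: rights}, empty cells dropped."""
    return {s: {r: set(v) for r, v in row.items() if v} for s, row in matrix.items()}


def from_acls(acls, subjects, resources):
    """Rebuild the dense grid from ACLs; cells no ACL mentions become empty."""
    return {s: {r: set(acls.get(r, {}).get(s, set())) for r in resources} for s in subjects}


def who_can(acls, resource, right):
    """Read down a column: every subject holding `right` on `resource`."""
    return sorted(s for s, rights in acls.get(resource, {}).items() if right in rights)


def what_can(caps, subject):
    """Read across a row: everything one subject can do, as (resource, right) pairs."""
    return sorted((r, x) for r, rights in caps.get(subject, {}).items() for x in rights)


def holds_both(matrix, a, b):
    """SoD check over the grid: subjects holding both (resource, right) pairs."""
    return sorted(s for s, row in matrix.items()
                  if a[1] in row.get(a[0], set()) and b[1] in row.get(b[0], set()))


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("Wire:approve column:", who_can(acls, "Wire:approve", "approve"))
    print("Branch_Manager row: ", what_can(caps, "Branch_Manager"))
    print("initiate AND approve:", holds_both(MATRIX, ("Wire:init", "initiate"), ("Wire:approve", "approve")))
    payroll = from_acls(PAYROLL_ACL, ["alice", "bob", "payroll_role"], ["payroll.xlsx"])
    print("bob's capability:   ", what_can(to_capabilities(payroll), "bob"))
```

The operational point of Exercise 27 shows in which function is cheap: who_can is one dictionary lookup in the ACL view but a full scan of every row in the capability view, and what_can is the reverse. Revoking everything a leaver holds is a row operation; answering an auditor's "who can approve wires?" is a column operation; most systems keep one view as primary and pay the scan for the other.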
Part G — Respond to this (governance tabletop) ⭐⭐
28.† Respond to this incident. A SOC alert fires: an account belonging to a teller just performed approve_wire for the first time ever, at 02:14 local time, from an unmanaged device. Walk through your first five steps as the responder. Which chapter-17 concept (authZ, accounting, SoD, ABAC) does each step exercise? Where would you look first to determine whether this is creep-enabled abuse or a stolen session?
29. During an audit, the examiner asks: "Show me that no one at this bank can both initiate and approve a wire." Describe the evidence you would produce, where it comes from (role catalog? matrix export? runtime policy config? review records?), and why a clean role catalog alone is not sufficient proof.
Part H — CTF-style challenge ⭐⭐⭐
30.† The confused deputy. A junior engineer builds a "reporting service" that runs with broad read access to every database (so it can generate any report). To save time, they expose an endpoint that lets any authenticated user ask the reporting service to run an arbitrary query and return the results. (a) Explain how this lets a low-privilege user read data their own account is not authorized to see — i.e., how the service becomes a "confused deputy." (b) Which principle from this chapter is violated, and at which layer (the service's own privileges, or the authorization of its callers)? (c) Propose two fixes, one tightening the deputy's privileges and one fixing the missing authorization check.
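Worked illustration (added to this edition; not the appendix solution): the reporting service of Exercise 30 as code, beside a hardened version. The vulnerable service runs whatever the caller sends under its own broad privilege. The hardened one keeps the same connection but installs SQLite's authorizer hook (sqlite3.Connection.set_authorizer, part of the standard library) so that the deputy is statically bounded to read-only SELECTs and, per call, dynamically bounded to the tables its caller is entitled to. The tables, rows, users and entitlement table are constructed for this example.

```python
"""The confused deputy from Exercise 30, vulnerable and hardened side by side.

Added illustration. Tables, rows, users and the entitlement table are
constructed for this example; the hardening uses SQLite's authorizer hook
to bound what the deputy may touch during each call.
"""
import sqlite3


def make_db():
    """Constructed database the reporting service has broad read access to."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE branch_totals(branch TEXT, total INTEGER);
        CREATE TABLE payroll(employee TEXT, salary INTEGER);
        INSERT INTO branch_totals VALUES ('West', 120000), ('East', 98000);
        INSERT INTO payroll VALUES ('alice', 91000), ('bob', 64000);
    """)
    return con


# Caller entitlements: tables each authenticated user may read (constructed)
USER_TABLES = {"teller1": {"branch_totals"}, "hr1": {"branch_totals", "payroll"}}


class VulnerableReportingService:
    """Runs every caller's query with the service's own broad privilege.
    The caller is authenticated but never authorized, so the service's rights
    stand in for the caller's: a confused deputy."""

    def __init__(self, con):
        self.con = con

    def run(self, caller, sql):
        return self.con.execute(sql).fetchall()


class HardenedReportingService:
    """Same connection, two fixes. (1) The deputy's own privilege is bounded
    statically: SELECT only, no writes, no functions, no schema changes.
    (2) Each call narrows the readable tables to the caller's entitlements,
    so the deputy can never read more than its caller could."""

    def __init__(self, con):
        self.con = con
        self._allowed = set()            # tables readable during the current call
        self.con.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in self._allowed:
            return sqlite3.SQLITE_OK      # arg1 is the table being read
        return sqlite3.SQLITE_DENY        # writes, other tables, functions: denied

    def run(self, caller, sql):
        entitled = USER_TABLES.get(caller, set())
        if not entitled:                  # the authorization check the original lacked
            raise PermissionError(f"{caller} holds no reporting entitlements")
        self._allowed = set(entitled)
        try:
            return self.con.execute(sql).fetchall()
        finally:
            self._allowed = set()         # back to deny-all between calls


def attempt(service, caller, sql):
    """Run one request and report the outcome as data, for side-by-side comparison."""
    try:
        return ("rows", service.run(caller, sql))
    except PermissionError as exc:
        return ("denied by caller check", str(exc))
    except sqlite3.DatabaseError as exc:
        return ("denied by deputy bound", str(exc))


PAYROLL_QUERY = "SELECT employee, salary FROM payroll ORDER BY employee"
TOTALS_QUERY = "SELECT branch, total FROM branch_totals ORDER BY branch"

if __name__ == "__main__":
    vulnerable = VulnerableReportingService(make_db())
    hardened = HardenedReportingService(make_db())
    for svc in (vulnerable, hardened):
        print(type(svc).__name__, "teller1 reads payroll:", attempt(svc, "teller1", PAYROLL_QUERY))
    print("hr1 reads payroll via hardened:", attempt(hardened, "hr1", PAYROLL_QUERY))
    print("hr1 tries a write via hardened:", attempt(hardened, "hr1", "DELETE FROM payroll"))
```

Note which fix stops which abuse: the entitlement lookup alone would not help if the caller held some entitlement and asked for a different table, and a read-only bound alone would still let teller1 read payroll. Only the per-call narrowing ties the deputy's effective privilege to the caller's, which is the property a confused deputy lacks.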
Part I — Interleaved & forward-looking ⭐⭐
31. (Interleave Ch.16) The teller in this chapter authenticated perfectly with a phishing-resistant key and still posed a fraud risk. Write three sentences connecting Chapter 16's authentication guarantees to this chapter's authorization gap: what did the key prove, what did it not address, and why does the pair show that "identity is the perimeter" needs both halves?
32. (Interleave Ch.3) Map each of these to one Chapter 3 principle: (a) a wire requires two people; (b) new accounts start with only the base role; (c) the PDP denies when it cannot reach policy; (d) the same access logic is enforced at every gate from one central decision point. (One of them maps to two principles — say which and why.)
33. (Interleave Ch.11) Chapter 11 used SELinux/AppArmor to confine a compromised process; this chapter uses RBAC/ABAC to confine an authenticated user. In two sentences, explain how these are the same idea (least privilege via a system-enforced policy the subject cannot override) applied to different kinds of subject, and why running both matters in defense in depth.
34. ⭐⭐⭐ Forward look. This chapter built a single PDP/PEP and a hand-run access review. Based only on the chapter, predict two things that become necessary when you must run this across thousands of identities and dozens of applications (the subject of Chapters 18–19). Revisit this note after Chapter 19.
35. ⭐⭐⭐ Open reflection. Privilege creep is "granted eagerly, revoked reluctantly." Name a domain outside IT with the same asymmetry (physical keys to a building, library privileges, financial authorities, government clearances). What does that domain do — or fail to do — about it, and what could access governance borrow?
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.