case study

To complete this assignment, review the prompt and grading rubric in the

Module Four Activity Guidelines and Rubric

. You will also need to access the

Module Four Activity Template Word Document

.

CYB 200 Module Four Activity Guidelines and Rubric

Overview

In this exercise, you will develop a role-based access control (RBAC) matrix for user access control. RBAC matrices, as a security architecture concept, are a way of represen�ng access

control strategies visually. They help the prac��oner ensure that the access control strategy aligns with the specific access control objec�ves. Matrices also help show when access controls

may conflict with job roles and responsibili�es. When you are comple�ng this type of task, there are a few ques�ons you should always be thinking about:

Who gets to log into the system?

Who gets to view what?

What kind of data are you dealing with (basic data vs. informa�on subject to privacy controls)?

Who gets to add or delete? Who is view-only?

Who should not have permission?

An example of an RBAC matrix can be found in Chapter 6 of your course textbook.

Scenario

You are a security analyst for a healthcare firm assigned to create an RBAC matrix for a new so�ware-as-a-service (SaaS) applica�on for managing pa�ent medical files. There are six

individuals who have roles within the system and need varying levels of access to the medical pa�ent so�ware. Your objec�ves are to set up the RBAC matrix to:

Ensure individuals have access to necessary informa�on for their job role

Maintain pa�ent privacy by adhering to the Fundamental Security Design Principle of least privilege (i.e., business need-to-know)

The following SaaS applica�on parameters need to be determined:

1. Access to pa�ent informa�on

2. Access to employee informa�on

3. Access to the SaaS

4. Access to backup logs

See the User Job Roles and Characteris�cs table below for informa�on on the users, their roles in the organiza�on, and their job descrip�ons.

Users Job Roles Job Characteris�cs



9/22/24, 2:21 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102836/View 1/4

https://app.readspeaker.com/cgi-bin/rsent?customerid=9568&url=https%3A%2F%2Flearn.snhu.edu%2Fcontent%2Fenforced%2F1698647-CYB-200-13406.202481-1%2FModule%2520Four%2520Activity%2520Guidelines%2520and%2520Rubric.html&lang=en_us&readid=d2l_read_element_1

Norman Remote call-center employee

Has the ability to log into the medical SaaS as an employee, and has remote access to employee machines for

purpose of fixing or diagnosing computer issues

Has the ability to create user accounts and assign passwords

Has no right to view pa�ent informa�on

Has the ability to view the backup logs for important system informa�on

Ryhead
Sales representa�ve for the healthcare

firm

Has access to the so�ware but only for showing poten�al new customers

Has the ability to create dummy user accounts for demo purposes

Has no ability to modify any pa�ent informa�on, and can only show screens for demo purposes

Has no access to the backup logs

Simone
HR representa�ve for the healthcare

firm

Has the ability to log into the system

Has no abili�es with user accounts

Has access to the so�ware and employee records but should have no access to pa�ent informa�on

Has no access to the backup logs

Janet
Applica�on administrator for the SaaS

applica�on

Has full access to so�ware, has the ability to change or modify se�ngs in the system as needed, and has the ability

to provide an override code

Has the ability to view, create, modify, and delete user accounts

Has no rights to change pa�ent informa�on

Has the ability to view, modify, and delete backup logs for the SaaS

Dale Nurse

Has access to the system for pa�ent informa�on.

Has no abili�es with user accounts.

Has the ability to view, create, and modify pa�ent informa�on, but does not have the right to delete pa�ent

informa�on without an override code

Has no access to backup logs

9/22/24, 2:21 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102836/View 2/4

Ethan Auditor

Has the ability to log into the system but can only view informa�on

Has no abili�es with user accounts

Has no ability to create, modify, or delete pa�ent informa�on

Has the ability to view backup logs

Prompt

Specifically, you must address the cri�cal elements listed below:

I. RBAC Matrix: Populate the RBAC matrix in the Module Four Ac�vity Template using one or more of the necessary ac�ons (view, create, modify, delete, none).

II. Essen�al Ques�ons: Answer the following short response ques�ons based on your populated table in the template:

A. What changes could be made to user roles through implementa�on of least privilege to be�er support that security design principle? (Hint: Refer to the characteris�cs in the

scenario table above, and consider the characteris�cs that may be contradictory.)

B. What is the importance of this tool to you as a security analyst in managing and protec�ng the environment? Provide an example.

What to Submit

Submit the completed RBAC matrix and short response ques�ons in the Module Four Ac�vity Template. You may also submit this ac�vity in your own Microso� Word document, but your

submission must contain the same elements as the template. Your submission should be 1–2 pages in length (plus a cover page and references, if used) and wri�en in APA format. Use double

spacing, 12-point Times New Roman font, and one-inch margins. The file name should include the course code, assignment number, and your name—for example,

CYB_200_Module_Four_Ac�vity_Neo_Anderson x.

Module Four Activity Rubric

Criteria Proficient (100%) Needs Improvement (65%) Not Evident (0%) Value

RBAC Matrix Completes 21 or more cells of the RBAC

matrix accurately

Completes fewer than 21 cells of the

RBAC matrix accurately

Does not complete any of the RBAC

matrix cells accurately

6

5

Least Privilege Describes changes that can be made to the

user roles through implementa�on of least

privilege that would be�er support the

security design principle

Addresses “Proficient” criteria, but there

are gaps in clarity, logic, or detail

Does not address cri�cal element, or

response is irrelevant

15

9/22/24, 2:21 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102836/View 3/4

Criteria Proficient (100%) Needs Improvement (65%) Not Evident (0%) Value

Importance of Tool Explains the importance of the tool to a

security analyst in managing and

protec�ng the environment, and provides

an example

Addresses “Proficient” criteria, but there

are gaps in clarity, logic, or detail

Does not address cri�cal element, or

response is irrelevant

15

Ar�cula�on of Response Submission has no major errors related to

cita�ons, grammar, spelling, or

organiza�on

Submission has some errors related to

cita�ons, grammar, spelling, or

organiza�on that nega�vely impact

readability and ar�cula�on of main

ideas

Submission has cri�cal errors related to

cita�ons, grammar, spelling, or

organiza�on that prevent understanding of

ideas

5

Total: 100%

9/22/24, 2:21 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102836/View 4/4

CYB 200 Module Four Activity Template

After reviewing the scenario in the Module Four Activity Guidelines and Rubric document, fill in each cell with one or more of the following actions:

• View
• Create
• Modify
• Delete
• None

User name Patient information Employee information Access to the SaaS Access to backup logs

Norman

Ryhead

Simone

Janet

Dale

Ethan

After you have completed the table above, respond to the following short questions:

1. What changes could be made to user roles through implementation of least privilege to better support that security design principle? (Hint: Refer to the
characteristics in the user job roles and characteristics table in the scenario, and consider the characteristics that may be contradictory.)

2. What is the importance of this tool to you as a security analyst in managing and protecting the environment? Provide an example.