WGU C845 VUN1 Task 1,2,& 3| Passed on First
Attempt |Latest Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access Controls
hq hq hq hq hq hq hq hq hq hq
Information Systems Security - C845 hq hq hq hq
A. Apply an Access Control Model hq hq hq hq
A.1. Chosen Access Control Model hq hq hq
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
hq hq hq hq hq hq hq hq hq hq hq hq hq
• Role Assignment: A user is assigned to a role based on their job function (e.g.,
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
"Finance Analyst").
hq hq
• Permission Assignment: Permissions to perform operations on systems are assigned to
hq hq hq hq hq hq hq hq hq hq
roles, not to individual users.
hq hq hq hq hq
• Session Management: A user activates a role to gain the associated permissions for a session.
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
• Least Privilege: Users should only have the minimum level of access necessary to perform
hq hq hq hq hq hq hq hq hq hq hq hq hq
their job duties.
hq hq hq
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
permissions are strictly tied to business functions, reducing complexity and the potential for user
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
error when assigning permissions.
hq hq hq hq
A.2. Four Misalignments with RBAC Principles h q h q h q h q
1. Misalignment 1: Privilege Escalation Beyond Role Scope hq hq hq hq hq hq
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. hq hq hq hq hq hq hq hq hq hq
A junior role should not have the highest level of access in a Windows
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
environment. hq
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior
hq hq hq hq hq hq hq hq hq hq hq hq
system admin" implies a subset of administrative duties, not unrestricted domain-
hq hq hq hq hq hq hq hq hq hq hq
wide control. hq
2. Misalignment 2: Unnecessary Access Across Departments hq hq hq hq hq
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system hq hq hq hq hq hq hq hq hq hq hq hq hq
primarily for Sales and Support. A finance role typically does not require full
hq hq hq hq hq hq hq hq hq hq hq hq hq
modification rights in a customer relationship system.
hq hq hq hq hq hq hq
• Conflict with RBAC: This violates least privilege and separation of duties. It allows
hq hq hq hq hq hq hq hq hq hq hq hq
, hq for h
• potential data manipulation outside the user's core business function.
q hq hq hq hq hq hq hq hq
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
hq hq hq hq hq hq
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has
hq hq hq hq hq hq hq hq hq hq hq
an "Active" account status and successfully logged in on 2025-06-29.
hq hq hq hq hq hq hq hq hq hq
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a
hq hq hq hq hq hq hq hq hq hq hq
change in employment status. An active session for a terminated user completely
hq hq hq hq hq hq hq hq hq hq hq hq
bypasses the security provided by the role structure.
hq hq hq hq hq hq hq hq
4. Misalignment 4: Overly Broad Privileged Access
hq hq hq hq hq
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All
hq hq hq hq hq hq hq hq hq hq hq
internal systems," and the log shows they made a firewall rule change without
hq hq hq hq hq hq hq hq hq hq hq hq hq
a ticket_id.
hq hq
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
hq hq hq hq hq hq hq hq hq hq hq
, violates least privilege and impedes accountability. It does not segment duties within the
hq hq hq hq hq hq hq hq hq hq hq hq
IT department itself.
hq hq hq
Attempt |Latest Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access Controls
hq hq hq hq hq hq hq hq hq hq
Information Systems Security - C845 hq hq hq hq
A. Apply an Access Control Model hq hq hq hq
A.1. Chosen Access Control Model hq hq hq
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
hq hq hq hq hq hq hq hq hq hq hq hq hq
• Role Assignment: A user is assigned to a role based on their job function (e.g.,
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
"Finance Analyst").
hq hq
• Permission Assignment: Permissions to perform operations on systems are assigned to
hq hq hq hq hq hq hq hq hq hq
roles, not to individual users.
hq hq hq hq hq
• Session Management: A user activates a role to gain the associated permissions for a session.
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
• Least Privilege: Users should only have the minimum level of access necessary to perform
hq hq hq hq hq hq hq hq hq hq hq hq hq
their job duties.
hq hq hq
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
permissions are strictly tied to business functions, reducing complexity and the potential for user
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
error when assigning permissions.
hq hq hq hq
A.2. Four Misalignments with RBAC Principles h q h q h q h q
1. Misalignment 1: Privilege Escalation Beyond Role Scope hq hq hq hq hq hq
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. hq hq hq hq hq hq hq hq hq hq
A junior role should not have the highest level of access in a Windows
hq hq hq hq hq hq hq hq hq hq hq hq hq hq
environment. hq
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior
hq hq hq hq hq hq hq hq hq hq hq hq
system admin" implies a subset of administrative duties, not unrestricted domain-
hq hq hq hq hq hq hq hq hq hq hq
wide control. hq
2. Misalignment 2: Unnecessary Access Across Departments hq hq hq hq hq
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system hq hq hq hq hq hq hq hq hq hq hq hq hq
primarily for Sales and Support. A finance role typically does not require full
hq hq hq hq hq hq hq hq hq hq hq hq hq
modification rights in a customer relationship system.
hq hq hq hq hq hq hq
• Conflict with RBAC: This violates least privilege and separation of duties. It allows
hq hq hq hq hq hq hq hq hq hq hq hq
, hq for h
• potential data manipulation outside the user's core business function.
q hq hq hq hq hq hq hq hq
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
hq hq hq hq hq hq
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has
hq hq hq hq hq hq hq hq hq hq hq
an "Active" account status and successfully logged in on 2025-06-29.
hq hq hq hq hq hq hq hq hq hq
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a
hq hq hq hq hq hq hq hq hq hq hq
change in employment status. An active session for a terminated user completely
hq hq hq hq hq hq hq hq hq hq hq hq
bypasses the security provided by the role structure.
hq hq hq hq hq hq hq hq
4. Misalignment 4: Overly Broad Privileged Access
hq hq hq hq hq
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All
hq hq hq hq hq hq hq hq hq hq hq
internal systems," and the log shows they made a firewall rule change without
hq hq hq hq hq hq hq hq hq hq hq hq hq
a ticket_id.
hq hq
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
hq hq hq hq hq hq hq hq hq hq hq
, violates least privilege and impedes accountability. It does not segment duties within the
hq hq hq hq hq hq hq hq hq hq hq hq
IT department itself.
hq hq hq
