If you are studying for Security+, access control questions are not just vocabulary checks. They test whether you can read a scenario, identify the identity problem, and choose the control that gives people enough access to do the job without handing them the keys to the building.

Use these practice questions to drill the pattern. Pick an answer before reading the explanation. The point is not to memorize every acronym. The point is to recognize when the exam wants least privilege, role-based access, MFA, account review, privileged access management, or a boring ticket-and-approval workflow.

For broader prep, pair this with the Security+ study plan template, the Security+ phishing practice questions, and the Security+ career path guide.

Quick answer: what to know for access control questions

Most Security+ access control scenarios come down to matching the business need to the safest access model.

Scenario clue                                                 Likely concept
User only needs access required for the role                  Least privilege
Permissions are assigned based on job function                Role-based access control (RBAC)
Access changes based on labels like secret/confidential       Mandatory access control (MAC)
File owner controls who can access a resource                 Discretionary access control (DAC)
Login requires password plus app prompt, token, or biometric  Multifactor authentication (MFA)
Admin accounts need checkout, approval, and session logging   Privileged access management (PAM)
Old permissions pile up after role changes                    Privilege creep
Periodic manager review of access                             Access recertification

The exam usually rewards the measured administrative answer. Do not give everyone local admin because it is “faster.” Do not share a privileged account because the vendor is in a hurry. Do not skip approvals because the request came from an executive. Security+ likes boring controls because boring controls survive real workplaces.

Practice question 1: new help desk technician

A new help desk technician needs to reset passwords, unlock accounts, and update basic user profile information. The technician does not need to create domain admins, change firewall rules, or access payroll records.

Which principle should guide the permissions assigned to this technician?

A. Availability
B. Least privilege
C. Non-repudiation
D. Obfuscation

Answer: B. Least privilege

Least privilege means the technician gets only the permissions needed for the job. Password resets and account unlocks may be reasonable for the help desk. Domain admin and payroll access are not. Availability matters, but it is not the access assignment principle in this scenario.

Practice question 2: permissions by job function

A company creates access groups for Help Desk, Network Engineering, HR, Finance, and Developers. Users receive permissions by being added to the group that matches their job.

Which access control model is being used?

A. Role-based access control
B. Mandatory access control
C. Attribute-based encryption
D. Security through obscurity

Answer: A. Role-based access control

RBAC assigns permissions based on roles or job functions. It is common because it scales better than assigning every permission one user at a time. Mandatory access control is based on labels and clearance levels. Attribute-based controls can use more dynamic rules, but the question describes job-role groups.

Practice question 3: privilege creep

An employee moved from help desk to systems administration six months ago, then moved to project coordination last month. During an audit, the security team finds the employee still has help desk reset rights and server admin rights.

What is the main issue?

A. Account lockout
B. Privilege creep
C. Password spraying
D. Federation

Answer: B. Privilege creep

Privilege creep happens when old access is not removed as people change jobs. The user may have needed those permissions before, but they no longer match the current role. Access reviews and offboarding/change workflows are how you catch this before it becomes an incident.
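To make questions 2 and 3 concrete, here is a small Python model of role-based access with a deny-by-default permission check and a privilege-creep report of the kind an access review would produce. It is an added example, not code from the original article; the role catalogue, permission names and the employee's job history are constructed for illustration.

```python
"""Tiny RBAC model: deny-by-default check plus a privilege-creep report.

Added example for the RBAC and privilege-creep questions; not from the
original article. Roles, permissions and the job history are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Role catalogue: each role lists the permissions its job function needs.
# Constructed sample data, not a real organisation's role design.
ROLE_PERMISSIONS = {
    "help_desk": {"user.reset_password", "user.unlock", "user.update_profile"},
    "sysadmin": {"server.admin", "server.restart"},
    "project_coordinator": {"project.read", "project.update"},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    # Permissions granted to the user directly, outside any role.
    direct_grants: set[str] = field(default_factory=set)


def role_permissions(roles):
    """Union of the permissions implied by a set of roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user):
    return role_permissions(user.roles) | user.direct_grants


def is_allowed(user, permission):
    """Deny by default: only an explicit role or direct grant allows an action."""
    return permission in effective_permissions(user)


def change_role(user, new_role, *, remove_old=True):
    """Move a user to a new role. remove_old=False is the path that lets old access linger."""
    if remove_old:
        user.roles.clear()
    user.roles.add(new_role)


def privilege_creep(user, expected_roles):
    """Permissions the user holds that the roles they should have do not justify."""
    return effective_permissions(user) - role_permissions(expected_roles)


def recertification_report(users, expected_roles_by_user):
    """Per-user list of excess permissions for a manager to confirm or remove."""
    return {
        u.name: sorted(privilege_creep(u, expected_roles_by_user[u.name]))
        for u in users
    }


def build_scenario():
    """Question 3: help desk -> sysadmin -> project coordinator, old roles never removed."""
    alice = User("alice", roles={"help_desk"})
    change_role(alice, "sysadmin", remove_old=False)
    change_role(alice, "project_coordinator", remove_old=False)
    return alice


if __name__ == "__main__":
    alice = build_scenario()
    print("effective:", sorted(effective_permissions(alice)))
    print("creep:", sorted(privilege_creep(alice, {"project_coordinator"})))
    change_role(alice, "project_coordinator")  # the fix: re-assign with old roles removed
    print("server.admin after cleanup:", is_allowed(alice, "server.admin"))
```

The report only flags what the expected roles cannot explain, so it is a good fit for a quarterly review: the manager sees a short list of leftovers instead of every permission the user holds.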

Practice question 4: vendor needs temporary admin access

A software vendor needs elevated access to troubleshoot a production application for two hours. The company wants approval, time limits, and a record of what the vendor did.

Which control is the best fit?

A. Shared administrator account sent by email
B. Privileged access management
C. Disabling logging during the session
D. Permanent local administrator access

Answer: B. Privileged access management

PAM is built for this problem: privileged access can be requested, approved, time-limited, monitored, and logged. A shared admin account is exactly the kind of shortcut that causes audit pain later. Permanent admin access does not match a two-hour troubleshooting need.

Practice question 5: MFA factor selection

A company requires employees to sign in with a password and a code from an authenticator app.

Which statement is most accurate?

A. This is MFA because it uses two knowledge factors
B. This is MFA because it combines something the user knows with something the user has
C. This is SSO because there are two login screens
D. This is authorization, not authentication

Answer: B. This is MFA because it combines something the user knows with something the user has

The password is something the user knows. The authenticator app or enrolled device is something the user has. MFA requires different factor categories. Two passwords would not be strong MFA because they are both knowledge factors.
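An added example (not from the original article) that turns question 5 into code: it classifies enrolled factors by category so that two knowledge factors are rejected as MFA, and implements the authenticator-app side as RFC 6238 TOTP (RFC 4226 HOTP with HMAC-SHA1 underneath, the scheme common authenticator apps use). The factor catalogue is an assumption, and the demo secret is the RFC test-vector key, not a real credential.

```python
"""MFA factor categories and an RFC 6238 TOTP check.

Added example for the MFA question; not the original article's code.
The factor catalogue is constructed; the demo secret is the RFC test key.
"""
import hashlib
import hmac

# Category of each enrolled factor type. Constructed mapping for the example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "hardware_token": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def factor_categories(factors):
    """Distinct categories covered by a set of factors; unknown factors count for nothing."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_mfa(factors):
    """True only when at least two different categories are present."""
    return len(factor_categories(factors)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the current step and `window` steps either side for clock drift.

    Uses a constant-time comparison so the check does not leak matching digits.
    """
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step), submitted):
            return True
    return False


def login(password_ok, submitted_code, secret, unix_time):
    """Password (knowledge) plus TOTP (possession): the pair must be real MFA and both must pass."""
    if not is_mfa({"password", "totp_app"}):
        return False
    return bool(password_ok) and verify_totp(secret, submitted_code, unix_time)


# RFC 4226 / RFC 6238 test-vector secret, used here only so the output is checkable.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("password + pin is MFA:", is_mfa({"password", "pin"}))          # False
    print("password + totp is MFA:", is_mfa({"password", "totp_app"}))    # True
    print("TOTP at t=59:", totp(DEMO_SECRET, 59))                           # 287082
```

A production verifier also remembers the last accepted time step per user and refuses to accept the same code twice, which the sketch above leaves out for brevity.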

Practice question 6: access review

A department manager receives a quarterly report listing everyone who can access the department’s shared finance folder. The manager must confirm who still needs access and request removal for everyone else.

What process is this?

A. Access recertification
B. Data masking
C. Port scanning
D. Tokenization

Answer: A. Access recertification

Access recertification is a periodic review of who has access and whether that access is still appropriate. It is not glamorous, but it catches stale permissions. Data masking and tokenization protect sensitive data. Port scanning checks network exposure.

Practice question 7: confidential file labels

A government system allows users to access documents only if their clearance level matches or exceeds the classification label on the document. Individual file owners cannot simply grant access to anyone they want.

Which model best matches this setup?

A. Mandatory access control
B. Discretionary access control
C. Rule of three
D. Guest access

Answer: A. Mandatory access control

MAC uses centrally controlled labels and clearances. The user or file owner does not get full discretion to override the policy. DAC would allow resource owners to decide who gets access. This question is all about labels and centralized enforcement.
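To contrast the two models in question 7, the following added Python example (not part of the original article) puts an owner-controlled DAC access list and a MAC clearance check on the same document, so you can see the owner's grant being honoured by one and overruled by the other. It also includes the no-write-down rule from the Bell-LaPadula model, which the question itself does not mention. The classification ladder, subjects and document are constructed.

```python
"""DAC versus MAC on the same document.

Added example for the file-label question; not from the original article.
The clearance ladder, users and document are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordered classification levels: higher index means more sensitive. Constructed.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


def rank(level):
    return LEVELS.index(level)


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Document:
    title: str
    owner: str
    classification: str
    acl: set[str] = field(default_factory=set)  # DAC: names the owner has granted


def dac_can_read(subject, doc):
    """Discretionary: the owner, or anyone the owner listed, may read."""
    return subject.name == doc.owner or subject.name in doc.acl


def mac_can_read(subject, doc):
    """Mandatory (simple security property): clearance must meet or exceed the label."""
    return rank(subject.clearance) >= rank(doc.classification)


def mac_can_write(subject, doc):
    """Mandatory (*-property): no write down; a subject may write only at or above its level."""
    return rank(subject.clearance) <= rank(doc.classification)


def can_read(subject, doc, owner_grants_honored=True):
    """Combined policy: the MAC label check always applies; DAC may narrow access, never widen it."""
    if not mac_can_read(subject, doc):
        return False
    return dac_can_read(subject, doc) if owner_grants_honored else True


def grant(doc, owner, grantee):
    """Owner adds a name to the ACL. Under MAC this never overrides the label."""
    if owner != doc.owner:
        raise PermissionError(f"{owner} does not own {doc.title}")
    doc.acl.add(grantee)


def build_scenario():
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    plan = Document("ops_plan", owner="alice", classification="secret")
    grant(plan, "alice", "bob")  # owner tries to share with an under-cleared colleague
    return alice, bob, plan


if __name__ == "__main__":
    alice, bob, plan = build_scenario()
    print("DAC lets bob read:", dac_can_read(bob, plan))   # True: the owner said so
    print("MAC lets bob read:", mac_can_read(bob, plan))   # False: the label says no
    print("combined:", can_read(bob, plan))                # False: MAC wins
```

The exam shorthand is the combined function: under MAC the label check is evaluated first and the owner's wishes only matter once it passes.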

Practice question 8: shared service account problem

Several administrators use the same service account to perform maintenance. After an unauthorized change, nobody can prove which person used the account.

Which security goal is missing?

A. Non-repudiation and accountability
B. Compression
C. Availability zone redundancy
D. Steganography

Answer: A. Non-repudiation and accountability

Shared accounts make it hard to tie actions to a person. Security teams want named admin accounts, logging, and privileged session tracking so actions can be attributed. The issue is not whether the system stayed online. The issue is that the audit trail is muddy.
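The following Python sketch is an added example for questions 4 and 8; it is not the article's code and is not modelled on any particular PAM product. It shows a request, an approval by someone other than the requester, a time-limited checkout, and a log in which every privileged command is tied to a named person, which is exactly what the shared service account in question 8 cannot provide. Names, targets and timestamps are constructed.

```python
"""Time-boxed privileged access with an attributable session log.

Added example for the vendor-access (PAM) and shared-account (accountability)
questions; not from the original article. Users and timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Checkout:
    request_id: str
    requester: str   # a named identity, never a shared account
    target: str
    approver: str
    start: int       # unix seconds
    expires: int


@dataclass
class Vault:
    approvers: set[str]
    pending: dict = field(default_factory=dict)
    active: dict = field(default_factory=dict)
    # Log entries: (time, actor, event, request_id, detail)
    log: list = field(default_factory=list)

    def request(self, request_id, requester, target, minutes, now):
        self.pending[request_id] = (requester, target, minutes)
        self.log.append((now, requester, "request", request_id, target))

    def approve(self, request_id, approver, now):
        """Only a designated approver may approve, and never their own request."""
        requester, target, minutes = self.pending[request_id]
        if approver not in self.approvers or approver == requester:
            self.log.append((now, approver, "approve_denied", request_id, target))
            raise PermissionError(f"{approver} may not approve {request_id}")
        del self.pending[request_id]
        co = Checkout(request_id, requester, target, approver, now, now + minutes * 60)
        self.active[request_id] = co
        self.log.append((now, approver, "approve", request_id, target))
        return co

    def run(self, request_id, actor, command, now):
        """Every privileged command is tied to the named requester and the approved window."""
        co = self.active.get(request_id)
        if co is None or actor != co.requester:
            self.log.append((now, actor, "denied", request_id, command))
            return False
        if now >= co.expires:
            del self.active[request_id]
            self.log.append((now, actor, "expired", request_id, command))
            return False
        self.log.append((now, actor, "run", request_id, command))
        return True

    def who_ran(self, command):
        """Accountability: the named people who executed a given command."""
        return [e[1] for e in self.log if e[2] == "run" and e[4] == command]


def vendor_scenario():
    """Question 4: a vendor gets two hours on one host, approved by the ops lead."""
    vault = Vault(approvers={"ops_lead"})
    t0 = 1_700_000_000  # constructed start time
    vault.request("REQ-1", "vendor_jane", "prod-app-01", minutes=120, now=t0)
    vault.approve("REQ-1", "ops_lead", now=t0 + 60)
    first = vault.run("REQ-1", "vendor_jane", "restart app-service", now=t0 + 600)
    late = vault.run("REQ-1", "vendor_jane", "edit config", now=t0 + 3 * 3600)
    return vault, first, late


if __name__ == "__main__":
    vault, first, late = vendor_scenario()
    print("inside window:", first, "| after expiry:", late)
    for entry in vault.log:
        print(entry)
```

After the run, the log answers the audit question the shared account could not: who approved, who acted, on what, and whether it was inside the approved window.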

Practice question 9: deny by default

A firewall management portal is being redesigned. The security team wants new users to have no access unless a specific approved role grants it.

Which approach is best?

A. Allow all, then remove risky permissions later
B. Deny by default and grant approved roles
C. Put the admin password in the team chat
D. Give read-only users write access just in case

Answer: B. Deny by default and grant approved roles

Deny by default is the safer baseline. Users receive access only after a role or policy grants it. “Allow all and clean it up later” turns into permanent cleanup debt because nobody enjoys permission archaeology.

Practice question 10: account termination

An employee leaves the company on Friday. HR notifies IT through the normal offboarding ticket. The employee had VPN, email, SaaS, and shared drive access.

What should IT do first according to the offboarding workflow?

A. Disable or revoke the user’s access according to policy
B. Wait thirty days in case the employee returns
C. Delete all logs related to the user
D. Transfer the account password to the manager

Answer: A. Disable or revoke the user’s access according to policy

Offboarding is an access control process. The normal first move is to disable or revoke access according to policy, then handle mailbox delegation, data transfer, device return, and retention rules. You do not hand the password to the manager, and you definitely do not delete logs.

Common exam traps

Trap 1: confusing authentication and authorization

Authentication asks, “Who are you?” Authorization asks, “What are you allowed to do?” A password, passkey, smart card, or biometric is authentication. Group membership, file permission, or admin role is authorization.

Trap 2: treating convenience as security

Security+ scenarios often include a rushed business request. A director wants access now. A vendor is waiting. A team says approvals slow them down. The safest answer usually keeps the process intact while granting only the access that is actually needed.

Trap 3: choosing the biggest hammer

Not every access problem needs a massive redesign. If one user has stale permissions, remove the stale permissions and fix the workflow that allowed them to linger. If all departments have messy permissions, then you may need role cleanup, recertification, and better provisioning.

Trap 4: ignoring service accounts

Service accounts should have clear ownership, limited permissions, strong secrets or managed identity, and monitoring. If the question says humans share a service account for admin work, that is a red flag.

How to study access control without zoning out

Access control can feel dry until you map it to tickets you have seen:

  1. New hire needs app access.
  2. User transfers departments.
  3. Contractor needs temporary access.
  4. Manager asks for shared mailbox rights.
  5. Admin account is used for emergency maintenance.
  6. Employee leaves the company.

Turn each one into a mini scenario. Ask: who approves it, how much access is needed, when should it expire, and how would we prove what happened later?

FAQ

Is least privilege the same as zero trust?

No. Least privilege is one principle inside many security programs. Zero trust is a broader model that assumes no implicit trust and continuously verifies access. On Security+, least privilege usually points to limiting permissions to the job requirement.

Is RBAC always better than assigning user permissions directly?

For most organizations, yes. RBAC is easier to manage and audit because access follows roles. Direct user permissions can still happen, but too much one-off access becomes hard to review.

What should I review after access control?

Review authentication methods, identity federation, SSO, password policy, account lifecycle management, and basic logging. Then connect it to incident questions: what happens when an account is compromised?

What to review next

If these felt manageable, move into adjacent Security+ topics:

The pattern is simple: give the right people the right access, remove access when it is no longer needed, and keep enough logging that you can explain what happened later. That is boring. It is also most of the job.