1. CertNexus. (2020). Exam ITS-110: CertNexus Certified Internet of Things (IoT) Security Practitioner. Domain 4.0: Securing IoT, Objective 4.3: "Given a scenario, implement access control measures." This objective explicitly lists "Role-based" access control as a key skill, directly aligning with the solution to the scenario where different user types (end users vs. administrators) require different permissions.

2. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. Section: AC-2 Account Management & AC-3 Access Enforcement. These controls detail the necessity of enforcing assigned authorizations. The publication states, "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies." RBAC is a primary method for implementing these controls.

3. Hu, V. C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2017). NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. Section 2.2, Role Based Access Control (RBAC). This document, while focused on ABAC, provides a clear definition of RBAC: "In the RBAC model, permissions are associated with roles, and users are assigned to appropriate roles." This directly explains the mechanism needed to solve the problem of users having inappropriate administrative access.
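The RBAC mechanism the three references describe (permissions bound to roles, users assigned to roles, and an enforcement point that denies anything not granted, per AC-3) can be shown in a few dozen lines. The following is an added illustration written for this note, not code from CertNexus or NIST; the role names, permission strings, device identifier and user names are constructed for the example, and the firmware-update action stands in for any administrator-only operation in an IoT management service.

```python
"""Minimal role-based access control (RBAC) for an IoT device-management service.

Added illustration (not from CertNexus or NIST). Role names, permission strings,
user names and the device id are constructed for the example.
"""
from dataclasses import dataclass, field

# Permissions are associated with roles (SP 800-162 §2.2). Only two roles here,
# matching the scenario's end users vs. administrators.
ROLE_PERMISSIONS = {
    "end_user": {"device:view", "device:control_own"},
    "administrator": {
        "device:view", "device:control_own", "device:control_any",
        "user:manage", "firmware:update",
    },
}


@dataclass
class User:
    """Users are assigned to roles; they never hold permissions directly."""
    name: str
    roles: set = field(default_factory=set)


class AccessDenied(PermissionError):
    pass


def permissions_for(user: User) -> set:
    """Union of the permissions of every role the user holds.

    An unknown role contributes nothing, so a typo in a role assignment
    fails closed rather than granting access.
    """
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only an explicitly granted permission returns True."""
    return permission in permissions_for(user)


def enforce(user: User, permission: str) -> None:
    """Access enforcement point (AC-3): raise if the authorization is absent."""
    if not is_authorized(user, permission):
        raise AccessDenied(f"{user.name} lacks {permission}")


def update_firmware(actor: User, device_id: str) -> str:
    """Administrator-only operation guarded by the enforcement point."""
    enforce(actor, "firmware:update")
    return f"firmware update queued for {device_id}"


def revoke_role(user: User, role: str) -> set:
    """Account-management action (AC-2): fix a user that was given an
    inappropriate role. Returns the user's remaining permissions."""
    user.roles.discard(role)
    return permissions_for(user)


def demo() -> dict:
    """Walk through the scenario: an end user who was wrongly made administrator."""
    alice = User("alice", {"end_user", "administrator"})  # inappropriate admin access
    bob = User("bob", {"administrator"})
    results = {}
    results["alice_can_update_before"] = is_authorized(alice, "firmware:update")
    # Remediation: remove the role; permissions change with it, no per-user edits.
    results["alice_perms_after"] = revoke_role(alice, "administrator")
    results["alice_can_update_after"] = is_authorized(alice, "firmware:update")
    try:
        update_firmware(alice, "sensor-17")
        results["alice_update"] = "allowed"
    except AccessDenied:
        results["alice_update"] = "denied"
    results["bob_update"] = update_firmware(bob, "sensor-17")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of routing every action through `enforce` is that authorization decisions live in one place and are driven by role membership; removing a role from a user (as `revoke_role` does) immediately withdraws every permission that role carried, which is exactly the corrective step the scenario calls for.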