If you have studied for the SY0-701 exam for more than a week, you can probably recite the four access control models in your sleep. Discretionary, mandatory, role-based, attribute-based. The problem is that the exam almost never asks you to define DAC. It hands you a three-sentence workplace scenario and expects you to name the model that fits. That is a completely different skill, and it is where a lot of otherwise-prepared people lose easy points.
Here is the way I learned to read these questions, plus the two traps that catch most folks.
The four models, one line each
Strip the textbook language down to the single decision each model makes about who gets access.
DAC (Discretionary Access Control): the owner of the resource decides. If a person can grant other people access to a file they created, that is discretionary. Standard file permissions on Windows and Linux work this way.
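As an added illustration (not code from the original post), this Python sketch shows the DAC decision on a Linux or other POSIX file: the file's owner grants group read access and later takes it back, and no central policy is consulted. The helper names `owner_change_mode` and `demo` and the temporary file are assumptions made for the example.

```python
import os
import stat
import tempfile


def owner_change_mode(path, grant=0, revoke=0):
    """Add or remove permission bits on path, acting as its owner.

    Hypothetical helper for this example. The kernel already enforces the
    same rule for chmod(2); the explicit check just makes the DAC decision
    point visible: the owner decides, nobody else.
    """
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        raise PermissionError("only the owner may change this file's mode")
    new_mode = (stat.S_IMODE(st.st_mode) | grant) & ~revoke
    os.chmod(path, new_mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a private file, share it with the group, then unshare it."""
    fd, path = tempfile.mkstemp()  # mkstemp creates the file as 0o600
    os.close(fd)
    try:
        private = stat.S_IMODE(os.stat(path).st_mode)
        # The owner, at their own discretion, lets the group read the file.
        shared = owner_change_mode(path, grant=stat.S_IRGRP)
        # The same owner can withdraw that access again.
        unshared = owner_change_mode(path, revoke=stat.S_IRGRP)
        return private, shared, unshared
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, mode in zip(("private", "shared", "unshared"), demo()):
        print(f"{label:9s} {mode:04o}")
```

In a scenario question, the cue to look for is the same one the code makes explicit: the person who owns the resource is the one handing out access.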








