The best answer is B. It is used to make access control decisions without inheriting permission decisions from prior events.
In a Zero Trust environment, the core principle is never trust, always verify. A policy engine evaluates each access request using current context and defined security policies. Access is not automatically granted simply because a user or device was previously authenticated or allowed access earlier.
This means decisions are made continuously and based on factors such as:
user identity
device posture
location
requested resource
risk level
session context
The phrase “without inheriting permission decisions from prior events” best reflects the Zero Trust concept that trust is not assumed or permanently granted.
Why the other options are incorrect:
A. It is used by a central server to apply default permissions across a range of network and computing resources. This sounds more like centralized administration, but it does not capture the dynamic, context-based access decision-making of a Zero Trust policy engine.
C. It is used to dynamically assign user permissions based on a user's identity and previous activity. This is close, but the wording emphasizes previous activity, whereas Zero Trust focuses on real-time evaluation of current conditions rather than inherited trust.
D. It is used when user roles are unknown and the organization wants to leverage ML to control access. Machine learning may support analytics, but this is not the main purpose of a Zero Trust policy engine.
From the SY0-701 perspective, a policy engine is central to making explicit, context-aware access decisions for every request, which is best captured by B.
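To make the "no inherited decisions" point concrete, here is an added illustration (not part of the original answer or of any SY0-701 material) of a minimal policy engine. It evaluates every request purely from the context presented with that request (identity, device posture, location, resource, risk, session), and it is contrasted with an anti-pattern engine that caches the first decision per session, which is the "inheriting permission decisions from prior events" behaviour Zero Trust rejects. All resource names, location names, the 0-100 risk scale and the rule thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example data: resource sensitivity tiers and trusted network locations.
RESOURCE_SENSITIVITY = {"public-wiki": 1, "intranet": 2, "finance-db": 3}
TRUSTED_LOCATIONS = {"office-hq", "corp-vpn"}


@dataclass(frozen=True)
class AccessRequest:
    """The current context sent with one access request (all fields constructed)."""
    user: str
    session_id: str
    device_compliant: bool      # current device posture, e.g. from an MDM/EDR check
    location: str               # network location the request arrives from
    resource: str               # resource being requested
    risk_score: int             # 0 (low) .. 100 (high), hypothetical risk signal
    mfa_verified: bool          # whether this session has a current MFA proof


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]          # denial reasons; empty when allowed


def evaluate(req: AccessRequest) -> Decision:
    """Zero Trust style: compute the decision from this request's context only.
    No state is read or written, so nothing from earlier requests can leak in."""
    reasons: List[str] = []
    # Unknown resources are treated as most sensitive (fail closed).
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, 3)
    if not req.device_compliant and sensitivity >= 2:
        reasons.append("device posture non-compliant")
    if req.risk_score >= 70:
        reasons.append("risk score too high")
    if sensitivity >= 3 and not req.mfa_verified:
        reasons.append("MFA required for sensitive resource")
    if sensitivity >= 3 and req.location not in TRUSTED_LOCATIONS:
        reasons.append("untrusted location for sensitive resource")
    return Decision(allowed=not reasons, reasons=reasons)


class InheritingEngine:
    """Anti-pattern for contrast: remembers the first decision made for a session
    and reuses it, so a later change in device posture or risk is never noticed."""

    def __init__(self) -> None:
        self._cache: Dict[str, Decision] = {}

    def evaluate(self, req: AccessRequest) -> Decision:
        if req.session_id not in self._cache:
            self._cache[req.session_id] = evaluate(req)
        return self._cache[req.session_id]


def demo():
    """Same user and session; the device falls out of compliance between requests.
    Returns (first, second_zero_trust, second_inheriting) decisions."""
    first = AccessRequest("alice", "sess-1", True, "office-hq", "finance-db", 10, True)
    later = AccessRequest("alice", "sess-1", False, "office-hq", "finance-db", 10, True)
    inheriting = InheritingEngine()
    d1 = evaluate(first)
    inheriting.evaluate(first)            # prime the anti-pattern cache with the allow
    d2_zero_trust = evaluate(later)       # re-evaluated: now denied
    d2_inheriting = inheriting.evaluate(later)  # stale allow carried over
    return d1, d2_zero_trust, d2_inheriting


if __name__ == "__main__":
    for label, d in zip(("first", "later/zero-trust", "later/inheriting"), demo()):
        print(f"{label}: allowed={d.allowed} reasons={d.reasons}")
```

The stateless `evaluate` is the behaviour option B describes: every call starts from the current signals, so a device that drops out of compliance or a rising risk score changes the outcome immediately. `InheritingEngine` shows what going wrong looks like, and is the kind of engine a reviewer should flag in a design.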