In which access control model are organizational roles defined, with subjects assigned to those roles for access management?

The correct answer is based on the principles of Role-Based Access Control (RBAC), which emphasizes the assignment of users to specific roles within an organization. In this model, organizational roles are explicitly defined, and these roles determine the level of access subjects have to resources or data.

RBAC simplifies the management of permissions by grouping users into roles that grant the necessary access rights, rather than assigning permissions on an individual basis. This approach aligns security policies with business functions, making it easier to manage access levels according to job responsibilities. For example, all employees in a finance team may have access to certain financial databases because they are all assigned the "Finance" role, inherently granting them the permissions associated with that role.

This method enhances security and operational efficiency, as it helps assure that users have access only to the resources they need to perform their job functions, thereby minimizing the risk of unauthorized access or data breaches. Additionally, when an employee changes roles or leaves the organization, permissions can be modified or revoked swiftly by updating the roles rather than adjusting individual user accounts.

In contrast, the other models—such as Attribute-Based Access Control (ABAC), Discretionary Access Control (DAC), and Mandatory Access Control (MAC)—have different mechanisms for managing access and