Which access control model is based on the roles assigned to a user in an organization?

Study for the CISSP Domain 5 Identity and Access Management Test with flashcards and multiple choice questions. Each question offers hints and explanations. Get ready for success!

The correct answer is role-based access control, a widely used access control model that assigns permissions and rights based on the roles that users hold within an organization. This approach simplifies management of user privileges, ensuring that users have access only to the information necessary for their specific job functions. By aligning access rights with organizational roles, organizations can enforce the principle of least privilege, enhancing security and reducing the potential for unauthorized access or data breaches.

This model facilitates the efficient administration of user permissions because roles can be predefined with specific access rights, allowing for quick assignment to new users as they join an organization. Additionally, when a user's role changes, the corresponding access rights can be adjusted accordingly, which streamlines access control management.

The other access control models mentioned have distinct characteristics that do not focus on roles. Rule-based access control relies on specific conditions or rules that dictate access, regardless of user roles. Mandatory access control is based on a system of classifications and clearances, often involving a hierarchical structure where users cannot modify access rights. Discretionary access control allows owners of data or resources to make decisions about who can access their information, placing less emphasis on predefined roles within an organization.
