Which access control model relies on user roles?

Role-Based Access Control (RBAC) is the model that relies on user roles to determine access permissions. In RBAC, permissions are assigned not to individual users but rather to roles, and users are then assigned to those roles. This streamlines the management of permissions, especially in larger organizations, as you can modify roles without having to change permissions for every single user. For example, a user assigned to the "Manager" role might automatically gain access to resources and capabilities appropriate for that role.

This model enhances both security and efficiency because it follows the principle of least privilege—users have only the access necessary to perform their job functions. Moreover, it simplifies the auditing process since access rights can be reviewed at the role level rather than the individual user level.

In contrast, the other access control models focus on different mechanisms: Mandatory Access Control (MAC) enforces access policies determined by a central authority; Discretionary Access Control (DAC) allows resource owners to make decisions about who can access their resources; and Time-Based Access Control (TBAC) restricts access based on time constraints, which does not inherently utilize user roles as a basis for granting access.