In a Role-Based Access Control (RBAC) model, how are permissions granted?

Multiple Choice

In a Role-Based Access Control (RBAC) model, how are permissions granted?

Explanation:
RBAC works by tying permissions to roles and giving users those permissions by assigning them to roles. You define roles such as Manager, Editor, or Auditor, each with a defined set of permissions (what you can do and where). A user is granted one or more roles, and they inherit the union of permissions from all their roles. This separation makes administration easier: you change a user’s access by changing their role assignments rather than editing permissions for every individual. It also supports least privilege and clean audits.

If you grant permissions directly to users, you’re bypassing the role structure. If roles granted global access regardless of actions, that would ignore the specific permissions tied to each role. If permissions were embedded in tokens while roles were ignored, you’d lose the role-based organization that RBAC relies on.
