Which option best describes RBAC?

Prepare for the POTA OIMS Test. Study with flashcards and multiple choice questions, each with hints and explanations. Get ready to excel!

Multiple Choice

Which option best describes RBAC?

Explanation:
The main concept tested is what defines Role-Based Access Control. In RBAC, access decisions are driven by the role a user holds within the organization. A role represents a job function and carries a specific set of permissions that determine what actions can be taken on which resources. Users are assigned one or more roles, and by belonging to those roles they automatically gain the permissions attached to them. This setup makes managing access scalable and auditable: you adjust rights by updating roles rather than changing permissions for every user, and you can enforce principles like least privilege and separation of duties.

The correct description directly captures this idea of organizing permissions around roles rather than around individual users or arbitrary rules. The other terms do not describe RBAC as commonly defined: one implies a random approach to granting access, another focuses on allocating resources rather than who is allowed to use them, and another describes decision-making based on predefined rules (which aligns more with policy- or attribute-based approaches than with the role-centric model of RBAC).
