What access control model does UAP Document 301 mandate?

• A. Mandatory access control.
• B. Discretionary access control.
• C. Role-based access control with least privilege.
• D. No access control required.

Answer: (C)

RBAC with least privilege is the model mandated. Access decisions are based on the roles users have, with permissions tied to those roles rather than to individuals. This lets organizations assign each user only what they need to do their job, satisfying the principle of least privilege. It also scales well in larger environments because adding a new user typically means assigning them a role rather than configuring individual permissions. This approach also supports separation of duties and straightforward auditing, since permissions are grouped by role and can be reviewed through role definitions and assignments. In contrast, mandatory access control can be too rigid for general use, discretionary access control relies on owners to grant access which can lead to inconsistent enforcement, and having no access control would fail basic security requirements.