Which concept defines access control based on roles and permissions?

Access control decisions are made by assigning users to roles and granting permissions to those roles. This approach, known as Rule Based Access Control, or RBAC, lets you manage who can do what by grouping permissions under roles and giving users those roles. When a user has a role, they inherit all the permissions tied to that role, which makes administration scalable and helps enforce least privilege and separation of duties. For example, an admin role might include full access to manage resources, while a viewer role only allows read access. Other options don’t fit because they don’t specify access control through roles and permissions: an Access Control Framework is a broader structure for implementing access control, data backups concern data protection, and environmental factors are external conditions unrelated to access control.