An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?

A single shared admin account so all tasks can be completed quickly.

A shared admin account removes accountability and grants far more access than each role actually needs.

Mandatory access control with all users assigned the same clearance level.

MAC is not the best fit here because the problem is business role separation, not classification levels.

Local account creation on the portal for each user, with permissions assigned manually one by one.

Manual per-user permissions are harder to maintain and make approvals, audits, and deprovisioning more error-prone.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Role-based access control with separate groups mapped to each business function. — Role-based access control is the best design because the portal's access needs map directly to business responsibilities. HR, managers, and payroll each have distinct duties, so creating separate roles and assigning users through groups supports least privilege and easier administration. It also improves auditability because the organization can review what each role is allowed to do without tracking every individual permission by hand. Why others are wrong: B is convenient but unsafe because it collapses separation of duties and creates excessive access. C is not the right model for this use case; mandatory access control is usually about labels and clearance, not everyday business roles. D works in very small systems but scales poorly and often leads to inconsistent permissions and review challenges.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.