An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?

Assign everyone the same portal permissions to simplify administration.

Uniform access is simple to manage, but it violates least privilege and exposes sensitive records to unnecessary users.

Give every manager full HR and payroll access so approvals are faster.

Concentrating too many permissions in one role creates segregation-of-duties risk and expands the impact of compromise or mistakes.

Use one shared administrator account for all HR actions to keep audits simple.

Shared admin accounts weaken accountability and make it difficult to determine which person performed a sensitive action.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Create separate roles for HR, managers, and payroll, and grant only the permissions needed for each job function. — Role-based access control is the right model when different job functions need different levels of access. Separating HR, manager, and payroll permissions enforces least privilege and supports clean audit trails. It also helps with separation of duties because no single user gets unrelated sensitive access by default. In a HR environment, this reduces both accidental exposure and the damage from compromised credentials. Why others are wrong: Option B is overly broad and exposes sensitive information. Option C gives managers more access than they need and creates segregation-of-duties problems. Option D reduces accountability and is a poor design for any audited system.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.