Which access control model uses roles to grant permissions to users?

Roles-based access control uses roles as the central mechanism for granting permissions. In this model, permissions are grouped into roles rather than assigned to individual users, and users gain access by being assigned to one or more roles. This makes administration scalable in large environments because you can manage access by modifying role memberships rather than updating permissions for each user. It also supports least privilege and separation of duties by designing roles with the appropriate set of permissions and avoiding per-user permission drift. In contrast, other models tie access to resource owners (discretionary), fixed security policies (mandatory), or attributes of the user, resource, and environment (attribute-based).