A company hosts hundreds of virtual machines in a public-cloud subscription. The security team creates a custom role named VM Operator that allows starting, stopping, and viewing logs on VMs. They assign this role only at the WestUS-App resource-group level so that members of the DevOps group cannot administer VMs that reside in any other resource group. Which identity-and-access-management concept is the team primarily applying by restricting the role assignment to that resource-group boundary?
The team is using scope-based access control. Although the VM Operator role defines what actions can be performed (an aspect of role-based access control), limiting the assignment to a single resource group defines where those actions are valid. Tying permissions to a specific scope, such as a management group, subscription, resource group, or individual resource, implements least privilege by ensuring the role cannot be used against resources outside that boundary. Role-based access control alone does not restrict location; rule-based access control enforces context-dependent conditions like time or network location; delegation refers to one administrator granting limited authority to another. Only scope-based control explains the decision to bind the role to the WestUS-App resource group.
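To make the "what" versus "where" distinction concrete, here is an added example (not from the question bank or from any cloud provider's SDK) that models how a scope-based authorization decision is evaluated. It combines a role definition in the style of an Azure custom role with a resource-group-scoped assignment and checks requests against Azure-style resource IDs. The subscription ID is a placeholder, the VM names and the second resource group are constructed for illustration, and the `Microsoft.Compute` action strings are taken from Azure's operation naming; the evaluation logic itself is a simplified model, not the platform's actual engine.

```python
"""Toy model of scope-based access control over an ARM-style resource hierarchy.

Added example: a role says WHAT actions are allowed; the assignment scope says
WHERE they are allowed. A request is permitted only when both match.
"""
import fnmatch
from dataclasses import dataclass

# Placeholder subscription ID (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed custom role mirroring the page's "VM Operator": start, stop, view logs.
# Action strings follow Azure's provider/resourceType/operation naming.
VM_OPERATOR = {
    "Name": "VM Operator",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Insights/logs/read",
    ],
    "NotActions": [],
    "AssignableScopes": [SUB],
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # group or user the role is granted to
    role: dict      # role definition (the "what")
    scope: str      # management group, subscription, resource group, or resource ID (the "where")


def scope_contains(scope: str, resource_id: str) -> bool:
    """True if resource_id sits at or below scope in the resource hierarchy.

    Matching is segment-aligned and case-insensitive, so an assignment at
    /resourceGroups/WestUS-App does not leak onto /resourceGroups/WestUS-App2.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def role_allows(role: dict, action: str) -> bool:
    """Does the role's Actions list (minus NotActions) cover this action?"""
    act = action.lower()
    granted = any(fnmatch.fnmatchcase(act, p.lower()) for p in role["Actions"])
    denied = any(fnmatch.fnmatchcase(act, p.lower()) for p in role["NotActions"])
    return granted and not denied


def is_permitted(assignments, principal: str, action: str, resource_id: str) -> bool:
    """Permit only when some assignment for the principal matches BOTH the
    action (role definition) and the location (assignment scope)."""
    return any(
        a.principal == principal
        and scope_contains(a.scope, resource_id)
        and role_allows(a.role, action)
        for a in assignments
    )


# Constructed scopes: the page's WestUS-App group plus a second group it must not reach.
RG_APP = f"{SUB}/resourceGroups/WestUS-App"
RG_DB = f"{SUB}/resourceGroups/WestUS-Db"

START = "Microsoft.Compute/virtualMachines/start/action"
DELETE = "Microsoft.Compute/virtualMachines/delete"  # not in the role: outside the "what"


def vm_id(rg: str, name: str) -> str:
    """Build an ARM-style VM resource ID under a resource group."""
    return f"{rg}/providers/Microsoft.Compute/virtualMachines/{name}"


def demo() -> dict:
    """Evaluate representative requests by the DevOps group."""
    at_rg = [Assignment("DevOps", VM_OPERATOR, RG_APP)]   # the page's design
    at_sub = [Assignment("DevOps", VM_OPERATOR, SUB)]     # same role, wider scope
    return {
        "start_in_scope": is_permitted(at_rg, "DevOps", START, vm_id(RG_APP, "web01")),
        "start_other_rg": is_permitted(at_rg, "DevOps", START, vm_id(RG_DB, "sql01")),
        "delete_in_scope": is_permitted(at_rg, "DevOps", DELETE, vm_id(RG_APP, "web01")),
        "lookalike_rg": is_permitted(at_rg, "DevOps", START, vm_id(RG_APP + "2", "web02")),
        "start_other_rg_sub_scope": is_permitted(at_sub, "DevOps", START, vm_id(RG_DB, "sql01")),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The `start_other_rg` and `start_other_rg_sub_scope` cases are the point of the question: the role is identical in both, and only the assignment scope decides whether a VM in WestUS-Db is reachable. The `lookalike_rg` case shows why scope matching must be segment-aligned rather than a plain string prefix; a sloppy check would grant WestUS-App operators rights over a WestUS-App2 group.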