A systems administrator needs to grant a user permissions to manage a specific set of virtual machines. The user has been assigned the 'Virtual Machine Contributor' role, which allows for the management of VMs. However, this user must only be able to manage the VMs that belong to the 'Marketing-Dev' resource group and should have no access to VMs in other resource groups like 'Finance-Prod' or 'HR-Test'. Which access control concept should be applied in conjunction with the user's role to enforce this specific restriction?
The correct answer is scope-based access control. A role grants a set of permissions; a scope restricts the set of resources those permissions apply to. In Azure RBAC (the model this question describes), every role assignment binds three things: a security principal (the user), a role definition ('Virtual Machine Contributor', the 'what') and a scope (the 'Marketing-Dev' resource group, the 'where'). Assigning the role at resource-group scope lets the user manage VMs in 'Marketing-Dev' and nothing in 'Finance-Prod' or 'HR-Test'. Two caveats matter in practice: scope inherits downwards, so a second assignment of the same or a broader role at subscription or management-group scope would reach every resource group regardless of this restriction and must be checked for; and scope limits where the role applies, not what it can do, so the role itself should still be the least-privileged one that fits the job.
Role-based access control (RBAC) grants permissions according to a user's job function (e.g. 'Virtual Machine Contributor'). RBAC is used here to assign the permissions, but a role on its own says nothing about which resources it applies to; that is exactly what the scope adds.
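The following is an added example, not part of the original question or answer, that models how a scoped role assignment is evaluated: an assignment applies to a resource only when the resource sits at or below the assignment's scope in the resource hierarchy, and the role's action list decides what is permitted there. It goes slightly beyond the question by including the audit check a practitioner would run afterwards: listing any assignments the user holds at a scope above 'Marketing-Dev', since those would silently extend access to 'Finance-Prod' and 'HR-Test'. The subscription ID, resource IDs, principal name and the cut-down 'Virtual Machine Contributor' action list are constructed for illustration; the real built-in role contains more actions.

```python
"""Scope-based evaluation of role assignments, modelled on Azure RBAC.

Added example, not from the original page. Subscription ID, resource IDs,
principal name and the shortened role definitions are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed subset of built-in roles: role name -> permitted actions.
# Azure role definitions use '*' wildcards; '*' here also matches '/'.
ROLE_DEFINITIONS = {
    "Virtual Machine Contributor": [
        "microsoft.compute/virtualmachines/*",
        "microsoft.compute/disks/*",
        "microsoft.network/networkinterfaces/*",
    ],
    "Reader": ["*/read"],
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # resource ID of a subscription, resource group or resource


def _segments(path: str) -> list[str]:
    # Resource IDs are case-insensitive; compare normalised path segments.
    return [p for p in path.lower().split("/") if p]


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if resource_id is at or below scope in the hierarchy.

    Segment comparison (not a plain string prefix) so that the scope
    '.../resourceGroups/Marketing-Dev' does not cover 'Marketing-Dev2'.
    """
    s, r = _segments(scope), _segments(resource_id)
    return r[: len(s)] == s


def action_allowed(role: str, action: str) -> bool:
    return any(fnmatchcase(action.lower(), pattern)
               for pattern in ROLE_DEFINITIONS.get(role, []))


def applicable_assignments(assignments, principal, resource_id):
    """Assignments for the principal whose scope covers the resource."""
    return [a for a in assignments
            if a.principal == principal and scope_covers(a.scope, resource_id)]


def is_authorized(assignments, principal, action, resource_id) -> bool:
    """Default deny: allowed only if some applicable assignment's role
    permits the action. Scope decides 'where', the role decides 'what'."""
    return any(action_allowed(a.role, action)
               for a in applicable_assignments(assignments, principal, resource_id))


def assignments_wider_than(assignments, principal, intended_scope):
    """Audit check: assignments for the principal at a scope strictly above
    intended_scope. These inherit downwards and would reach sibling groups."""
    return [a for a in assignments
            if a.principal == principal
            and scope_covers(a.scope, intended_scope)
            and _segments(a.scope) != _segments(intended_scope)]


# Constructed sample resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def rg(name: str) -> str:
    return f"{SUB}/resourceGroups/{name}"


def vm(group: str, name: str) -> str:
    return f"{rg(group)}/providers/Microsoft.Compute/virtualMachines/{name}"


# The assignment from the question: VM Contributor scoped to Marketing-Dev.
ASSIGNMENTS = [RoleAssignment("alice", "Virtual Machine Contributor", rg("Marketing-Dev"))]
START = "Microsoft.Compute/virtualMachines/start/action"

if __name__ == "__main__":
    for group in ("Marketing-Dev", "Finance-Prod", "HR-Test"):
        print(group, is_authorized(ASSIGNMENTS, "alice", START, vm(group, "vm01")))
    # A second, subscription-wide assignment undoes the restriction.
    wider = ASSIGNMENTS + [RoleAssignment("alice", "Virtual Machine Contributor", SUB)]
    print("Finance-Prod with subscription-scope assignment:",
          is_authorized(wider, "alice", START, vm("Finance-Prod", "vm01")))
    print("assignments above Marketing-Dev:",
          assignments_wider_than(wider, "alice", rg("Marketing-Dev")))
```

In the real environment the equivalent assignment is made with the Azure CLI as `az role assignment create --assignee <principal> --role "Virtual Machine Contributor" --scope /subscriptions/<subscription-id>/resourceGroups/Marketing-Dev`, and the audit check corresponds to reviewing `az role assignment list --assignee <principal> --all` for assignments whose scope is the subscription or a management group.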
Rule-based access control grants or denies access according to predefined conditions such as time of day or the user's location. The requirement here is a resource boundary, not a conditional rule, so it does not address the scenario.
Segregation of duties splits a critical task so that no single person controls every step of it. It constrains which responsibilities one person may combine, not which resources a role reaches, so it does not produce the resource-group boundary the scenario asks for.