The best solution for this scenario is 'Role-based access control' (RBAC). RBAC links access controls to the roles individuals hold within an organization, rather than their individual identity. When properly implemented, RBAC can enforce the principle of least privilege by ensuring users receive access to just the information and resources that are necessary for their roles. 'Mandatory access control' (MAC) is incorrect because it is more rigid and is usually used in environments where information flow must be controlled based on classifications and clearances. 'Rules-based access control' sounds similar to RBAC but isn't commonly recognized as a standard access control model, which can trip up students if not carefully considered. Lastly, 'Privileged access management' (PAM) is a tool or system designed to secure, control, and monitor access to an organization's critical information and resources but doesn't inherently organize permissions based on roles, departments, or job functions.