Role-based access control (RBAC) is effective for restricting access to data within an application based on a user's role within an organization. RBAC policies ensure that only authorized users are granted the permissions necessary to access, modify, or interact with sensitive data, thus maintaining the principle of least privilege. It simplifies management and helps in effectively enforcing enterprise security policies.

While mandatory access control (MAC) and discretionary access control (DAC) are valid access control models, MAC is more commonly used in environments requiring high security and enforces access based on classified levels, which may be overly complex for a web application in a business setting. DAC, on the other hand, is based on the discretion of the owner, which could lead to a lack of consistent policy enforcement.

Username and password authentication, although necessary for verifying identity, does not inherently restrict actions based on user roles, hence it would not be effective on its own in this scenario for controlling permissions.