In an organization that employs consultants and permanent staff globally, working on various projects with distinct data access needs, which policy would best enforce access controls that take into account the complexity of roles, location, project assignments, and employment status?
Applying policy that restricts system access to certain times, commonly seen in organizations with a standard day shift operation
Implementing a model that adjusts based on user, environment, and resource attributes, such as the one used by a large, global consulting firm
Enforcing predefined roles for employees that may vary by project, such as in a typical mid-sized enterprise
Allowing data owners to set privileges based on personal discretion, a common practice in small businesses or startups