Which statement best describes RBAC and ABAC?

RBAC and ABAC determine access using different bases for decision-making. In RBAC, permissions are attached to roles, and users gain access by being assigned one or more roles that carry those permissions. This makes access management aligned with job functions and simplifies administration through role assignments. ABAC, on the other hand, decides access using attributes—such as user attributes (department, clearance), resource attributes (sensitivity, type), and environmental attributes (time, location)—and evaluates policies that combine these attributes. Because ABAC relies on attributes beyond identity and RBAC relies on roles, the statement that RBAC uses roles and ABAC uses attributes best captures how each model works. The idea that both rely solely on user identity is not correct, since RBAC centers on roles and ABAC on attributes and contextual factors.