Which strategy aligns privileges with business functions by creating object access roles and assigning them to functional roles?

The strategy tested is about separating what you can do on data objects from the business role you perform. You first create object access roles that specify exact privileges on specific objects (like a table or schema). Then you assign those object access roles to functional roles that represent how people actually work (for example, a data analyst or data steward). Users obtain their permissions by their functional role, which aggregates the necessary object-level access through those assigned roles. This alignment keeps permissions tightly tied to job responsibilities while enabling granular control over each data object. It supports the principle of least privilege—people get only what they need to perform their function—without granting broad, unchecked access. It also makes governance and auditing clearer: you can see which functional roles carry which object access roles and what privileges on which objects, and adjust them centrally when functions change. Why the other approaches aren’t as effective: granting all privileges to a single role spreads risk and isn’t aligned to a specific function; using only one role per user is inflexible for people who perform multiple duties; and assigning privileges directly to users bypasses the role-based structure, making management and auditing much harder.