Authorization (user accounts) must be granted based on specific roles. This is because role-based access control (RBAC) assigns permissions to users based on their roles within an organization, ensuring that they have the minimum access necessary to perform their job functions. This approach enhances security and simplifies management of user permissions.