Question 29:
You are configuring the principals needed to fulfill the security requirements of an application within a sandbox environment that uses the WebLogic Server-embedded LDAP server. The security requirements provided have outlined the following facts about some test principals:
One security requirement states that internal patient data can be viewed only by physicians who are employees. What is an appropriate way to fulfill this security requirement from a principal perspective using the provided information?
Answer options:
A. Create an authorization policy that grants access if a user is a member of the physicians group and their employee attribute is true, bypassing the use of a role entirely.
B. Create an ACL that grants access if a user is a member of the physicians group and their employee attribute is true, bypassing the use of a role entirely.
C. Create authorization policies for individual users whose employee attribute is true creating a constraint-only model, bypassing the use of a role entirely.
D. Create an authorization policy that denies access if a user is a member of the physicians group and their employee attribute is false, bypassing the use of a role entirely.