For temporary intern access, which approach provides per-intern expiration while maintaining proper permissions?

• A. Shared account with a six-month expiration
• B. Create a role labeled 'interns' with appropriate permissions. Create a separate account with an expiration date for each intern and add each intern to that role.
• C. Create one template user account with the appropriate permissions and clone others with individual expiration
• D. Create individual accounts for each intern and link them to a temporary guest group.

Answer: (B)

Temporary access should be granted with per-user identities tied to a defined set of permissions, so each intern can be disabled individually and their actions can be audited. Creating a dedicated role for interns and giving each intern their own account that can assume that role achieves both goals: the role provides the intended, restricted permissions, and each intern has an account with its own expiration. This keeps access tightly scoped (least privilege) and makes it easy to revoke access when the expiration arrives, while preserving clear accountability through individual credentials and logs.

Shared credentials would blur ownership and make per-intern expiration hard to enforce. A single template account with clones risks inconsistent provisioning and auditability. A temporary guest group may not guarantee per-user expirations or precise permission boundaries.