When adding several development interns who need limited access for a summer, which provisioning technique should be used?

• A. Create a single account for the interns to share. Set the expiration date for the account to six months.
• B. Create a role labeled 'interns' with the appropriate permissions. Create a separate account with an expiration date for each intern and add each intern to that role.
• C. Create one template user account with the appropriate permissions and use it to clone the other accounts. Set an expiration date for each account individually.
• D. Create individual accounts for each intern, set the permissions and expiration date for each account, and link them to a temporary guests user group.

Answer: (B)

Temporary access for a group of interns should be handled with identifiable identities and controlled permissions that end when the internship ends. The best approach is to create a role that contains only the permissions the interns need and grant each intern their own account that is a member of that role, with an expiration date set for the end of the summer. This setup supports the principle of least privilege, provides clear auditability because each intern has a unique identity, and makes revocation straightforward when the internship concludes.

Other approaches compromise security and traceability. Sharing a single account prevents accurate auditing of actions and complicates revocation. Using a cloned or template account can blur accountability and may propagate permissions in unintended ways. And relying on a generic temporary group without individual accounts undermines traceability and access control.