Role assignment = who + what + where
Access is granted by combining an identity, a role, and a scope:
Who: a security principal (user, group, service principal, or managed identity).
What: a role definition (the set of permissions).
Where: a scope (the boundary within which those permissions apply).
Rule: "who can do what at which scope".

