What term describes how a web application controls which users can create, update, or delete resources?

Access control is the mechanism that governs who is allowed to do what with resources in a web application, including who can create, update, or delete them. It defines permissions for different users or roles and enforces those permissions so that only authorized actions are possible. The other options point to specific flaws or weaknesses: Broken Access Control refers to when those protections are not enforced properly, enabling unauthorized actions; Insecure Direct Object References describes exposing direct references to objects that can be manipulated to access data; Missing Function Level Access Control is a flaw where certain privileged actions aren’t properly protected. Therefore, the best description of how the app controls who can create, update, or delete resources is Access Control.