In a permissioned blockchain architecture, which access control model is most appropriate for enforcing role-based restrictions on transaction submission?