A healthcare organization wants to ensure that only the billing department can access cost and usage reports. Which IAM best practice should they implement?