The correct answer is C. In Check Point Identity Awareness, an Access Role object is used in Access Control rules to represent identity-aware conditions. An Access Role can combine user or user-group identity, computer or computer-group identity, and network location into a single reusable policy object. This lets administrators write rules such as allowing a specific department from a specific network location to access a defined resource, instead of relying only on source IP addresses. Option A is incorrect because logs are stored and analyzed through logging infrastructure such as Logs & Events, Log Server, SmartView, or SmartEvent, not inside Access Role objects. Option B is wrong because Access Roles do not replace firewall rules; they are used inside firewall policy rules as identity-based matching criteria. Option D is incomplete and misleading because authentication is performed through identity sources such as Browser-Based Authentication, AD Query, Identity Collector, Identity Agents, RADIUS Accounting, or Identity Web API. The Access Role is the policy object that consumes identity information for rule matching. Reference topics: Identity Awareness, Access Roles, identity-based Access Control rules, user/computer/network matching.