A company using Amazon SageMaker needs to ensure that only authorized users can access certain machine learning models and notebooks. They also want to restrict access to specific resources based on user roles within the organization. Which combination of SageMaker features can achieve this?