But according to me the correct answer should be 1 and 4.
How come answer 3 is correct as this will allow every role to access the specified web resource collection. But question hat a user in role of SALES or MKTING can access the specified web resource collection.
#4 is wrong as you cannot put two names in one <role-name> tag.
#3 is correct as it will allow all roles to access the constraint, including roles SALES and MKTING.
Note the question it did not say "only" SALES and MKTNG, it says how you could make this two roles access the constratint so applying *(all) gives SALES and MKTING access, so #4 is correct.