Variable should be authorization based.
Manual input can also be allowed because if in case a user with multiple authorization is trying to access only a particular site then it ill be useful.
However selecting Variable is ready for Input or single or multiple is as per business requirement and that ill not make any changes only thing here is that variable should be authorization based.