Skip to main content

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles and roles to users, making access management scalable, auditable, and aligned with least privilege.

Role-based access control (RBAC) is a widely used model for managing who can do what in a system. Instead of granting permissions directly to each user, RBAC groups permissions into roles and then assigns roles to users. Users gain the permissions of whatever roles they hold.

How It Works

The model has three core elements: users, roles, and permissions. A permission represents an allowed action on a resource, such as "read invoices" or "deploy to production." Roles bundle related permissions, often aligned with job functions like "developer," "auditor," or "admin." Users are assigned one or more roles.

Many systems add role hierarchies, where a senior role inherits the permissions of junior roles, and constraints such as separation of duties to prevent conflicting roles. Access decisions are simple: the system checks whether any of a user's roles grant the requested permission.

RBAC is implemented in operating systems, databases, Kubernetes, and cloud platforms like AWS IAM, as well as in application code.

Why It Matters

RBAC makes access management scalable and auditable. Administering permissions per individual is error-prone; managing a manageable set of roles is far simpler. When someone changes jobs, you adjust their roles rather than reworking dozens of individual grants.

RBAC directly supports least privilege by scoping roles tightly, and it makes audits clearer because reviewers examine roles rather than ad hoc permissions. Its limitation is rigidity: when access depends on dynamic context like time, location, or data attributes, attribute-based access control offers finer control, and the two are often combined.

Related Terms

RBAC implements least privilege and is often combined with attribute-based access control. It works alongside OAuth scopes and integrates with single sign-on and zero-trust models.