Role-based Access Control (RBAC)

Authentication & Authorization 🔐 • Governance (GRC) 📜 • Sec+ Glossary 📖

What is Role-based Access Control (RBAC)?

Role-based Access Control, or RBAC, is an access control model in which permissions are assigned to defined job roles, and users receive access by being placed into the appropriate role.

Examples

  • A payroll administrator is placed in a finance role that allows access to salary systems, while ordinary employees cannot view that data.
  • A help desk technician receives a support role that allows password resets but not full server administration.

Discover 🔎

As organizations grow, access control becomes difficult to manage person by person. If every employee is granted permissions one at a time, the result is usually a messy collection of exceptions, forgotten privileges, and inconsistent decisions. Over time, nobody is fully sure who should have what.

RBAC solves that problem by tying access to job function rather than to individual, case-by-case decisions. A person receives access because they are a member of a role, and that role has already been defined with the permissions the job requires. This makes the access model easier to understand, easier to audit, and easier to scale.

Remember: RBAC is built around job responsibility. The role comes first, and the user inherits access through that role.
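The user → role → permission chain described above, as an added example that is not part of the glossary entry. The role names, permission strings and user names are constructed for illustration; the point is that users hold no permissions of their own, so placing someone in a role grants everything the role carries and removing them from it takes all of it away. The who_can query shows why this model is easier to audit than per-person grants.

```python
"""Minimal RBAC model: users -> roles -> permissions.

Added example (not from the glossary page). Role, permission and user
names are constructed for illustration.
"""
from dataclasses import dataclass, field


class RBACError(Exception):
    """Raised when a user is assigned to a role that was never defined."""


@dataclass
class RBAC:
    # role name -> set of permission strings granted by that role
    roles: dict[str, set[str]] = field(default_factory=dict)
    # user name -> set of role names (a user may hold several roles)
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, permissions: set[str]) -> None:
        """Roles come first: each is defined with the permissions the job needs."""
        self.roles[role] = set(permissions)

    def assign(self, user: str, role: str) -> None:
        """A user gains access only by being placed into an existing role."""
        if role not in self.roles:
            raise RBACError(f"unknown role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Removing the user from the role removes every permission it carried."""
        self.assignments.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> set[str]:
        """Effective permissions are the union of the user's roles.
        An unassigned user has none, because users own no permissions directly."""
        perms: set[str] = set()
        for role in self.assignments.get(user, set()):
            perms |= self.roles[role]
        return perms

    def is_permitted(self, user: str, permission: str) -> bool:
        """Authorization decision: allow only if some role of the user grants it."""
        return permission in self.permissions_of(user)

    def who_can(self, permission: str) -> set[str]:
        """Audit query: every user whose roles grant the permission."""
        return {u for u in self.assignments if self.is_permitted(u, permission)}


def build_example() -> RBAC:
    """Constructed scenario mirroring the two glossary examples."""
    rbac = RBAC()
    rbac.define_role("finance", {"payroll:read", "payroll:write"})
    rbac.define_role("support", {"account:reset_password"})
    rbac.define_role("server_admin", {"server:configure", "server:shell"})
    rbac.define_role("employee", {"directory:read"})
    rbac.assign("alice", "finance")    # payroll administrator
    rbac.assign("alice", "employee")
    rbac.assign("bob", "support")      # help desk technician
    rbac.assign("carol", "employee")   # ordinary employee
    return rbac


if __name__ == "__main__":
    r = build_example()
    checks = [("alice", "payroll:read"), ("carol", "payroll:read"),
              ("bob", "account:reset_password"), ("bob", "server:shell")]
    for user, perm in checks:
        verdict = "ALLOW" if r.is_permitted(user, perm) else "DENY"
        print(f"{user:6} {perm:24} {verdict}")
    print("payroll:read holders:", sorted(r.who_can("payroll:read")))
```

Run it directly to see the four decisions and the audit listing; the help desk technician is allowed to reset passwords but denied server access, and the ordinary employee is denied payroll data, exactly as in the two examples above.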

Summary 📝

RBAC is an access control model that assigns permissions to roles and then assigns users to those roles. Its main strength is that it organizes access around job responsibility instead of individual custom decisions. When designed well, RBAC improves consistency, simplifies administration, supports least privilege, and makes access easier to review and govern.
