/roʊl beɪst ˈæk.sɛs kənˌtroʊl/
noun — "permissions assigned by roles."
Role-Based Access Control, abbreviated RBAC, is an access control methodology where permissions to perform operations on resources are assigned to roles rather than individual users. Users are then assigned to these roles, inheriting the associated permissions. This model simplifies administration, improves security, and scales efficiently in environments with many users and resources.
Technically, RBAC defines several key elements: users, roles, permissions, and sessions. Users are accounts or identities that require access. Roles are logical groupings representing job functions or responsibilities. Permissions define allowed actions on resources, such as read, write, execute, or administrative operations. Sessions represent active user interactions, mapping a user to one or more roles temporarily for access evaluation. RBAC supports hierarchical roles, where senior roles inherit permissions from subordinate roles, and constraints, such as separation of duties, to enforce policy compliance.
Operationally, when a user requests access to a resource, the system checks the roles assigned to that user. The roles’ permissions are evaluated against the requested operation. Access is granted if at least one role permits the action. This abstraction decouples user management from permission assignment, reducing the risk of errors and simplifying auditing. In enterprise systems, RBAC integrates with directories, identity providers, and authentication mechanisms to provide centralized control.
Example of RBAC logic (pseudocode):

    define roles:
        admin   -> {read, write, delete}
        editor  -> {read, write}
        viewer  -> {read}

    assign users:
        alice   -> admin
        bob     -> editor
        charlie -> viewer

    access check:
        permissions = union of the permissions of every role assigned to user
        if requested_action in permissions then
            allow access
        else
            deny access
This example shows users inheriting permissions via roles. Alice, as an admin, can read, write, and delete files. Bob, an editor, can read and write but not delete. Charlie, a viewer, can only read.
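The following is an added illustration, not code from the original entry: a small RBAC engine implementing the elements described above, with hierarchical roles (admin inherits from editor, editor from viewer), a static separation-of-duties constraint, and sessions that activate only a subset of a user's authorized roles. The extra "auditor" role and the admin/auditor conflict are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed example (not code from the original entry): hierarchical roles,
# a static separation-of-duties constraint, and least-privilege sessions.
ROLE_PERMS = {               # permissions assigned directly to each role
    "viewer": {"read"},
    "editor": {"write"},
    "admin": {"delete"},
    "auditor": {"read", "audit"},   # assumed extra role for the SoD example
}
ROLE_PARENTS = {             # senior role -> junior roles it inherits from
    "editor": {"viewer"},
    "admin": {"editor"},
}
SOD_PAIRS = {frozenset({"admin", "auditor"})}   # never held together by one user

@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)

def closure(roles: set[str]) -> set[str]:
    """A role set plus every junior role it inherits from, transitively."""
    out, todo = set(), set(roles)
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo |= ROLE_PARENTS.get(r, set())
    return out

def effective_perms(roles: set[str]) -> set[str]:
    """Union of direct permissions across the roles and everything they inherit."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in closure(roles)))

def assign_role(user: User, role: str) -> None:
    """Assign a role, refusing combinations that violate separation of duties."""
    for pair in SOD_PAIRS:
        if role in pair and (pair - {role}) & user.roles:
            raise PermissionError(f"{user.name}: {role} conflicts with {sorted(user.roles)}")
    user.roles.add(role)

def open_session(user: User, active_roles: set[str]) -> set[str]:
    """A session activates a subset of the user's authorized roles (least privilege)."""
    if not active_roles <= closure(user.roles):
        raise PermissionError(f"{user.name} is not authorized for {sorted(active_roles)}")
    return set(active_roles)

def check_access(active_roles: set[str], action: str) -> bool:
    return action in effective_perms(active_roles)   # any active role may permit it
```

A session that activates only "viewer" for an admin user is denied "delete", which is the practical value of separating assignment from activation.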
In practice, RBAC is widely applied in operating systems, databases, enterprise applications, cloud platforms, and API gateways. It enables consistent policy enforcement across multiple resources, supports auditing, and minimizes direct user-permission mappings, reducing administrative overhead and potential misconfigurations.
Conceptually, RBAC is like assigning keys based on job function rather than person: a “manager key” opens all manager-required doors, an “editor key” opens editor doors, and a “viewer key” only opens viewing doors. Users carry the key corresponding to their role, simplifying control and scaling security.
See Access Control, EFS, FEK.