Role-Based Access Control (RBAC)
What is Role-Based Access Control (RBAC)?
Role-Based Access Control (RBAC)An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
Role-Based Access Control assigns permissions to abstract roles (for example, "billing-admin" or "read-only auditor") and grants users access by adding them to those roles. This indirection simplifies administration, supports separation of duties, and makes audits straightforward because permissions are documented per role rather than per user. RBAC is the dominant model in enterprise IAM, cloud platforms (AWS IAM, Azure RBAC, Kubernetes RBAC), and ERP systems. Its main weakness is role explosion in large organisations where business needs are highly granular; this often pushes teams toward hybrid approaches that combine RBAC with attribute-based rules.
● Examples
- 01
A Kubernetes ClusterRole that allows listing pods, bound to the "sre" group.
- 02
An AWS IAM role granting EC2 read-only access, assumed by a CI/CD pipeline.
● Frequently asked questions
What is Role-Based Access Control (RBAC)?
An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments. It belongs to the Identity & Access category of cybersecurity.
What does Role-Based Access Control (RBAC) mean?
An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
How do you defend against Role-Based Access Control (RBAC)?
Defences for Role-Based Access Control (RBAC) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Role-Based Access Control (RBAC)?
Common alternative names include: RBAC.