
What is RBAC? Role-based access control explained

Role-based access control, or RBAC, is an approach for restricting access to digital resources based on a user’s role in an organization. For instance, under RBAC, a company’s accountant should be able to access corporate financial records but not the content management system used to update the company’s website, while those permissions would be reversed for that company’s web development team.

Just about every organization enforces some kind of access controls on its digital assets—indeed, every operating system in use today has access controls built in. Access controls generally grant specific permissions to (and impose restrictions on) individual users or groups that those users may belong to. What distinguishes the RBAC model from other forms of access control is that the users are grouped together based on the roles they play, and permissions are determined primarily by those roles, rather than being tailored for each individual user. In this article, you’ll learn how RBAC works, and see the advantages and disadvantages of this approach.

How RBAC works

RBAC is fundamentally based on what’s known as the principle of least privilege, which says that any user should have access to only the data and functionality they need to do their job, and nothing else. This sounds reasonable in theory, but one of the central dilemmas when implementing access controls is how to make it work in practice: how do you determine what each user will actually need to do, and how do you apply permissions and restrictions across all your users in a way that doesn’t burden administrators or drift into over-provisioning as people change jobs?

RBAC solves these problems in a way that’s based on what users do rather than who they are. Rather than establishing a bespoke set of permissions for each user, under RBAC there is a limited set of predefined roles within an organization, and every user fulfills one (or more) of those roles. A set of permissions is tailored for each role to meet its particular needs, and every user who holds that role inherits those permissions; a user with no role gets nothing. If the permissions for a role need to change, the role is changed once and every user holding it picks up the change automatically, which eases the system’s administration and makes it far easier to audit who can do what.
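The role, permission and user relationships described above, as an added example that is not part of the original article. It builds a small in-memory RBAC check in Python: permissions attach to roles, users hold only role assignments, access is denied by default, and a change to a role reaches every user who holds it without touching any individual user. The role names, users and resources (the accountant / web developer split from the introduction) are constructed for illustration and are not taken from any real system.

```python
"""Minimal role-based access control (RBAC) engine.

Added example, not from the original article. Roles, users and
resources below are constructed to mirror the accountant / web
developer scenario in the introduction; the names are assumptions.
"""
from dataclasses import dataclass, field

# A permission is (resource, action). Permissions belong to roles, never to users.
Permission = tuple[str, str]


@dataclass
class Role:
    name: str
    permissions: set[Permission] = field(default_factory=set)


class RBAC:
    """Roles hold permissions; users hold only role assignments."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.assignments: dict[str, set[str]] = {}  # user -> role names

    def define_role(self, name: str, permissions: set[Permission]) -> Role:
        role = Role(name, set(permissions))
        self.roles[name] = role
        return role

    def grant_to_role(self, role_name: str, permission: Permission) -> None:
        # Editing the role is the only way to change access: every user
        # holding the role sees the new permission with no per-user edits.
        self.roles[role_name].permissions.add(permission)

    def revoke_from_role(self, role_name: str, permission: Permission) -> None:
        self.roles[role_name].permissions.discard(permission)

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(f"unknown role: {role_name}")  # never invent access
        self.assignments.setdefault(user, set()).add(role_name)

    def unassign(self, user: str, role_name: str) -> None:
        self.assignments.get(user, set()).discard(role_name)

    def members(self, role_name: str) -> set[str]:
        # The role as the underlying system sees it: the group of users holding it.
        return {u for u, roles in self.assignments.items() if role_name in roles}

    def effective_permissions(self, user: str) -> set[Permission]:
        # Union of the permissions of every role the user holds.
        perms: set[Permission] = set()
        for role_name in self.assignments.get(user, set()):
            perms |= self.roles[role_name].permissions
        return perms

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Deny by default: an unknown user, or one with no roles, gets nothing.
        return (resource, action) in self.effective_permissions(user)


def build_example() -> RBAC:
    """Constructed scenario: accountants see finance, web developers see the CMS."""
    rbac = RBAC()
    rbac.define_role("accountant", {("financial_records", "read"),
                                    ("financial_records", "write")})
    rbac.define_role("web_developer", {("cms", "read"), ("cms", "publish")})
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "web_developer")
    rbac.assign("carol", "accountant")      # carol holds two roles
    rbac.assign("carol", "web_developer")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    checks = [("alice", "financial_records", "read"), ("alice", "cms", "publish"),
              ("bob", "cms", "publish"), ("bob", "financial_records", "read"),
              ("carol", "cms", "publish"), ("dave", "cms", "read")]
    for user, resource, action in checks:
        print(f"{user:6} {action:8} {resource:18} -> {rbac.is_allowed(user, resource, action)}")
    # One role edit changes access for alice and carol at once, but not bob.
    rbac.grant_to_role("accountant", ("invoices", "approve"))
    print("accountants:", sorted(rbac.members("accountant")))
    print("alice approve invoices ->", rbac.is_allowed("alice", "invoices", "approve"))
    print("bob   approve invoices ->", rbac.is_allowed("bob", "invoices", "approve"))
```

Two properties of this design are worth copying into real deployments: `is_allowed` is deny-by-default, so a user who is missing from `assignments` entirely gets no access rather than an exception path that might be mishandled, and `members` lets an auditor list exactly who holds a role, which is what a least-privilege review actually needs.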

RBAC roles

Roles are, obviously, at the heart of role-based access control. But it’s important to keep in mind that defining roles is an administrative and conceptual exercise, not a technical one. As far as the underlying systems are concerned, each role is usually just a group of users, with the role’s permissions attached to that group rather than to its members; it’s up to your organization to decide what the logical division of roles is for your staff and who falls into each category, and this is one of the most important parts of rolling out RBAC. Getting it wrong in either direction is costly: roles that are too broad hand out permissions people don’t need, and roles that are too narrow push administrators back toward per-user exceptions.

As such, roles can differ greatly from organization to organization. That said, most enterprises will establish roles based in one way or another on their own internal organizational structure. On its blog, security vendor UpGuard gives some examples of roles broken out in this way and the applications they would have permissions to access:

Copyright © 2022 IDG Communications, Inc.