Skip to content

Engineering glossary

Role-Based Access Control(RBAC)

Role-based access control (RBAC) is an authorization model in which permissions are assigned to roles and users receive permissions through their role assignments.

In plain language

RBAC answers what an authenticated user is allowed to do. A role such as billing administrator can group several permissions, making access easier to review than scattered user-by-user rules.

Why it matters to a business

  • Makes permission policy easier to explain and audit
  • Supports consistent onboarding, role changes, and offboarding
  • Reduces repeated permission logic across product workflows

How it works

  1. 1Teams define granular permissions around resources and actions.
  2. 2Permissions are grouped into roles that reflect responsibilities.
  3. 3Users or service identities receive roles within an appropriate scope.
  4. 4Every protected operation enforces authorization at a trusted boundary.

Common use cases

  • Separating administrators, operators, and viewers
  • Restricting finance actions to approved roles
  • Applying organization-specific roles in a portal

Important implementation decisions

  • Permission granularity and naming
  • Global, tenant, project, or record scope
  • Role assignment authority and approval
  • Audit history and periodic access review

Common mistakes and misconceptions

  • Checking permissions only in the interface
  • Using authentication as proof of authorization
  • Creating a unique role for every user
  • Embedding tenant isolation solely in role names

Limitations and trade-offs

RBAC is understandable but can become rigid when access depends heavily on attributes or relationships.

Complex systems may combine roles with contextual or attribute-based policy.

Authoritative references

Need to apply this concept to a real system?

A focused technical discussion can identify the decisions and constraints that matter before implementation.