Engineering glossary
Role-Based Access Control(RBAC)
Role-based access control (RBAC) is an authorization model in which permissions are assigned to roles and users receive permissions through their role assignments.
In plain language
RBAC answers what an authenticated user is allowed to do. A role such as billing administrator can group several permissions, making access easier to review than scattered user-by-user rules.
Why it matters to a business
- Makes permission policy easier to explain and audit
- Supports consistent onboarding, role changes, and offboarding
- Reduces repeated permission logic across product workflows
How it works
- 1Teams define granular permissions around resources and actions.
- 2Permissions are grouped into roles that reflect responsibilities.
- 3Users or service identities receive roles within an appropriate scope.
- 4Every protected operation enforces authorization at a trusted boundary.
Common use cases
- Separating administrators, operators, and viewers
- Restricting finance actions to approved roles
- Applying organization-specific roles in a portal
Important implementation decisions
- Permission granularity and naming
- Global, tenant, project, or record scope
- Role assignment authority and approval
- Audit history and periodic access review
Common mistakes and misconceptions
- Checking permissions only in the interface
- Using authentication as proof of authorization
- Creating a unique role for every user
- Embedding tenant isolation solely in role names
Limitations and trade-offs
RBAC is understandable but can become rigid when access depends heavily on attributes or relationships.
Complex systems may combine roles with contextual or attribute-based policy.
Authoritative references
Need to apply this concept to a real system?
A focused technical discussion can identify the decisions and constraints that matter before implementation.