Glossary

RBAC

Role-Based Access Control — a method of restricting system access based on roles assigned to users rather than individual permissions.

Definition

RBAC stands for Role-Based Access Control. It is an access control method where permissions are assigned to roles, and users are assigned to one or more roles. Instead of granting individual permissions to each user (which becomes unmanageable at scale), RBAC groups permissions into named roles that map to job functions.

Common examples include roles like "viewer" (read-only access), "member" (read and write), and "admin" (full access including configuration and deletion). When a new employee joins, they receive a role. When they change teams, their role changes. When they leave, removing the role revokes all associated permissions at once.

Why It Matters

The principle of least privilege, granting users only the minimum access they need, is a cornerstone of information security. RBAC makes least privilege practical. Without roles, an organization with 500 users and 50 permissions would need to manage 25,000 individual permission assignments. With RBAC, those 500 users map to a handful of roles, each with a defined permission set.

RBAC also provides auditability. During a compliance review or incident investigation, being able to answer "who had access to what, and why?" is critical. Roles make this straightforward: the user had the "member" role, which grants read and write access to asset data. No ambiguity, no guesswork.
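The role-to-permission indirection described above, together with the audit question it answers, can be made concrete in a few dozen lines. The following is an added example, not code from the page or from Koopic; the role names, permission strings and the user lifecycle it walks through are illustrative.

```python
"""Added example, not code from the page or from Koopic: a minimal RBAC model.

Permissions attach to named roles, users hold roles, and every allow decision
names the role that granted it, so "who had access to what, and why?" can be
answered from the model itself. Role and permission names are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Illustrative role -> permission table (constructed for this example).
DEFAULT_ROLES: dict[str, frozenset[str]] = {
    "viewer": frozenset({"asset:read"}),
    "member": frozenset({"asset:read", "asset:write"}),
    "admin": frozenset({"asset:read", "asset:write", "asset:delete", "settings:write"}),
}


@dataclass
class Rbac:
    # Role -> permissions. Permissions are granted to roles, never to users.
    roles: dict[str, frozenset[str]]
    # User -> roles held. A user may hold several roles at once.
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        """Grant a role. Unknown roles are rejected so a typo cannot create a ghost role."""
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Remove a role; every permission it supplied disappears in one step."""
        self.user_roles.get(user, set()).discard(role)

    def change(self, user: str, old: str, new: str) -> None:
        """Team move: swap one role for another instead of editing permissions."""
        self.assign(user, new)
        self.revoke(user, old)

    def authorize(self, user: str, permission: str) -> tuple[bool, str | None]:
        """Return (allowed, granting_role). Roles are checked in sorted order so the
        answer is deterministic when several roles would grant the permission."""
        for role in sorted(self.user_roles.get(user, ())):
            if permission in self.roles[role]:
                return True, role
        return False, None

    def effective_permissions(self, user: str) -> frozenset[str]:
        """Union of permissions over all roles held: what an access review reports."""
        perms: set[str] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.roles[role]
        return frozenset(perms)

    def holders_of(self, permission: str) -> dict[str, str]:
        """Audit view: each user who currently has `permission`, with the granting role."""
        result: dict[str, str] = {}
        for user in sorted(self.user_roles):
            allowed, role = self.authorize(user, permission)
            if allowed and role is not None:
                result[user] = role
        return result


def lifecycle_demo() -> list[tuple[bool, str | None]]:
    """Join as viewer, move to a team as member, then leave; return each decision."""
    rbac = Rbac(dict(DEFAULT_ROLES))
    rbac.assign("alice", "viewer")
    joined = rbac.authorize("alice", "asset:write")   # (False, None)
    rbac.change("alice", "viewer", "member")
    moved = rbac.authorize("alice", "asset:write")    # (True, "member")
    rbac.revoke("alice", "member")
    left = rbac.authorize("alice", "asset:read")      # (False, None)
    return [joined, moved, left]


if __name__ == "__main__":
    print(lifecycle_demo())
```

Two design choices carry the security value: `assign` refuses roles that are not in the table, so access can only ever flow through a defined role, and `authorize` returns the granting role alongside the decision, so an access review or incident timeline can cite the role rather than reconstruct it.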

How It Works

RBAC pairs well with other access control mechanisms. Row-Level Security controls which data a user can see. RBAC controls what they can do with it. Enterprise SSO (via OIDC or SAML) controls how they authenticate. Together, these three layers provide defense-in-depth: even if one layer has a misconfiguration, the others limit the blast radius.
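The layering claim above, that a row-level filter and a role check contain each other's mistakes, is easiest to see with both checks side by side. The following is an added example, not code from the page or from Koopic; it assumes roles are held per organization (as the page's later description of org-scoped roles suggests) and uses constructed organization names, role names and sample rows.

```python
"""Added example, not code from the page or from Koopic: RBAC layered on
row-level tenant isolation.

A user holds a role *within* an organization. A row filter (the row-level
layer) decides which rows the user can see at all; the role check (the RBAC
layer) decides what they may do with a visible row. Organization names,
role names and the sample assets are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"read"}),
    "member": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}


@dataclass(frozen=True)
class Asset:
    asset_id: int
    org: str   # owning tenant; every row carries it so the row filter can apply
    name: str


# Constructed sample rows across three tenants.
SAMPLE_ASSETS = [
    Asset(1, "acme", "web-01"),
    Asset(2, "acme", "db-01"),
    Asset(3, "globex", "vpn-gw"),
    Asset(4, "initech", "mail-01"),
]


def visible_assets(memberships: dict[tuple[str, str], str], user: str,
                   assets: list[Asset]) -> list[Asset]:
    """Row-level layer: only rows in organizations the user belongs to.
    The role is irrelevant here; membership alone decides visibility."""
    orgs = {org for (member, org) in memberships if member == user}
    return [a for a in assets if a.org in orgs]


def authorize(memberships: dict[tuple[str, str], str], user: str,
              action: str, asset: Asset) -> tuple[bool, str]:
    """Both layers in sequence; the reason string makes every decision auditable."""
    if not visible_assets(memberships, user, [asset]):
        return False, f"{user} has no membership in {asset.org}"
    role = memberships[(user, asset.org)]
    if action not in ROLE_PERMISSIONS[role]:
        return False, f"role {role} in {asset.org} lacks {action}"
    return True, f"role {role} in {asset.org} grants {action}"


def blast_radius(memberships: dict[tuple[str, str], str], user: str,
                 action: str, assets: list[Asset]) -> list[int]:
    """Ids of the assets on which `user` may perform `action` once both layers
    are applied: what an over-broad role grant actually exposes."""
    return [a.asset_id for a in assets if authorize(memberships, user, action, a)[0]]


def misconfiguration_demo() -> tuple[list[int], list[int]]:
    """Alice's delete reach before and after an accidental admin grant in acme."""
    memberships = {("alice", "acme"): "member", ("alice", "globex"): "viewer",
                   ("bob", "initech"): "admin"}
    before = blast_radius(memberships, "alice", "delete", SAMPLE_ASSETS)  # []
    memberships[("alice", "acme")] = "admin"        # the RBAC-layer misconfiguration
    after = blast_radius(memberships, "alice", "delete", SAMPLE_ASSETS)   # [1, 2]
    return before, after


if __name__ == "__main__":
    print(misconfiguration_demo())
```

In the demo, the mistaken admin grant widens alice's delete reach only to the two acme rows; the globex and initech rows stay out of reach because the row-level layer never shows them to her, which is the blast-radius limit the paragraph describes.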

More advanced models build on RBAC. Attribute-Based Access Control (ABAC) adds context (time of day, device type, location) to access decisions. Policy-Based Access Control (PBAC) uses centralized policy engines. For most security teams, standard RBAC with well-defined roles covers the majority of access control needs without the complexity of these extensions.

How Koopic Helps

Koopic implements RBAC with three roles: viewer (read-only), member (read and write), and admin (full access including settings and deletion). Roles are scoped to organizations and enforced alongside database-level tenant isolation. Enterprise SSO integration means roles can be mapped from identity providers.
