Role-Based Access Control (RBAC)
Role-based access control grants permissions to roles rather than directly to users, so a person gets access by being assigned a role that bundles the permissions for a job or function.
Also: RBAC
Role-based access control organizes permissions around roles. Instead of granting rights to each user one by one, an administrator defines roles such as admin, editor, or viewer, attaches permissions to those roles, and assigns roles to users. Changing what a role can do updates every user who holds it.
RBAC is simple to reason about, easy to audit (list the roles, list their permissions, list who holds each), and remains the default model in most systems. Its limit shows up when access depends on context or on a relationship between the user and the resource, such as a user who may edit only the documents they own: a small set of roles cannot express that case, and modelling it with roles alone means minting a role per resource or per user, which quickly grows into hundreds (the usual name for this is role explosion).
For CIAM (customer identity and access management) and the applications behind it, RBAC usually handles the broad strokes, and attribute-based or fine-grained (relationship-based) authorization fills in the cases where roles alone are too coarse.
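The role-to-permission-to-user indirection described above, and the point where it stops working, as an added example in plain Python (this is illustrative code written for this entry, not from NIST or any particular product). It keeps a role table, expands a hypothetical role hierarchy (the hierarchical form in the NIST model), checks an action by union over the caller's effective roles, and adds an assumed `owner_only` flag to show the "edit only your own documents" case that pure roles cannot express. The role names, permission strings, users and documents are all constructed here.

```python
"""Minimal RBAC engine with one relationship condition layered on top."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Permission:
    action: str               # e.g. "document:update"
    owner_only: bool = False  # assumed condition that pure RBAC cannot express


# Roles bundle permissions; users are never granted a Permission directly.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "viewer": {Permission("document:read")},
    "editor": {Permission("document:update", owner_only=True)},
    "admin": {Permission("document:update"), Permission("document:delete"),
              Permission("user:manage")},
}

# Hierarchical RBAC: a senior role inherits everything a junior role grants,
# so admin -> editor -> viewer. (Constructed hierarchy for this example.)
ROLE_INHERITS: Dict[str, Set[str]] = {
    "admin": {"editor"},
    "editor": {"viewer"},
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Document:
    doc_id: str
    owner: str


def effective_roles(roles: Set[str]) -> Set[str]:
    """Expand assigned roles through the hierarchy; cycles are tolerated."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INHERITS.get(role, ()))
    return seen


def effective_permissions(user: User) -> Set[Permission]:
    """Union over all effective roles. Unknown roles grant nothing (deny by default)."""
    perms: Set[Permission] = set()
    for role in effective_roles(user.roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, action: str, doc: Optional[Document] = None) -> bool:
    """Pure RBAC: allowed if any effective role carries the action unconditionally.
    Hybrid: an owner_only grant counts only when the caller owns the resource.
    Deny by default, including when owner_only is the only grant and no
    resource was supplied to check ownership against."""
    for perm in effective_permissions(user):
        if perm.action != action:
            continue
        if not perm.owner_only:
            return True
        if doc is not None and doc.owner == user.name:
            return True
    return False


def grant_to_role(role: str, perm: Permission) -> None:
    """Changing a role changes every holder at once; no per-user updates."""
    ROLE_PERMISSIONS.setdefault(role, set()).add(perm)


if __name__ == "__main__":
    alice = User("alice", {"editor"})
    bob = User("bob", {"editor"})
    root = User("root", {"admin"})
    nobody = User("nobody", {"ghost"})          # role that does not exist
    d1 = Document("doc-1", owner="alice")

    assert is_allowed(alice, "document:read", d1)          # inherited from viewer
    assert is_allowed(alice, "document:update", d1)        # owner of d1
    assert not is_allowed(bob, "document:update", d1)      # editor, but not owner
    assert is_allowed(root, "document:update", d1)         # unconditional via admin
    assert not is_allowed(alice, "document:delete", d1)
    assert not is_allowed(nobody, "document:read", d1)     # unknown role grants nothing

    grant_to_role("editor", Permission("document:comment"))
    assert is_allowed(alice, "document:comment", d1) and is_allowed(bob, "document:comment", d1)
    print("rbac checks ok")
```

Two design points worth noticing: the engine denies by default, so an unknown role or a missing resource never accidentally grants anything; and the `owner_only` branch is the whole "fine-grained" layer here, which is exactly the part that becomes an attribute or relationship check in a production authorization service rather than one more role.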
Sources
- NIST Role-Based Access Control: https://csrc.nist.gov/projects/role-based-access-control
Standards
- NIST RBAC