Role-based access control, or RBAC, is a method of governing system access and activity based on roles assigned to system users. With RBAC, the sysadmin assigns permissions to each role, and each role can be assigned to as many or as few users as necessary. It is these permissions that enable, or by omission restrict, the potential activity of the user.
The permissions assigned to each role in role-based access control provide the user with only as much access as they need to perform their work. No more, no less. With this method of access control, lower-level employees are prevented from accessing and potentially manipulating or misusing (intentionally or otherwise) sensitive information. Permissions in RBAC typically fall into 3 categories:
If RBAC is designed and assigned correctly, no further changes should be necessary to the user’s access profile as long as they have a given role assigned to them. Should their status within the company change by way of promotion, a new role with more wide-ranging permissions would likely be assigned that enables the user to carry out their new responsibilities.
Role-based access control enables organizations to create a variety of roles with attendant permissions that can be assigned to any new hire, or to users within the organization whose responsibilities change over time. For example:
The permissions assigned to each role enable the user to perform their job without hindrance. Should they determine they do not have access to all the resources necessary to do their work, they can petition to have their permissions expanded. In such cases the sysadmin may add permissions to their role, or more likely, simply assign them a different role that comes with the necessary permissions.
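The two ways of handling such a request have different reach, which the following added example (not code from the original page) makes visible by listing who holds a permission after each change. The role names, permission strings, user names and the one-role-per-user model are all assumptions made for illustration.

```python
# Constructed roles, permissions and users; none of these names come from the page.
# Assumption: each user holds exactly one role.
from copy import deepcopy

ROLE_PERMISSIONS = {
    "support_agent": {"ticket:read", "ticket:update"},
    "support_lead": {"ticket:read", "ticket:update", "ticket:delete", "report:read"},
}
USER_ROLES = {"alice": "support_agent", "bob": "support_agent", "carol": "support_lead"}


def is_allowed(user, permission, roles=ROLE_PERMISSIONS, assignments=USER_ROLES):
    """Deny by default: access exists only if the user's role lists the permission."""
    role = assignments.get(user)                  # unknown user -> None
    return permission in roles.get(role, set())   # unknown role -> empty set


def users_with(permission, roles=ROLE_PERMISSIONS, assignments=USER_ROLES):
    """Everyone who holds a permission; run it before approving a change."""
    return sorted(u for u in assignments if is_allowed(u, permission, roles, assignments))


def grant_by_expanding_role(role, permission, roles=ROLE_PERMISSIONS):
    """First option in the text: add the permission to the role itself."""
    updated = deepcopy(roles)          # leave the live policy untouched
    updated[role].add(permission)
    return updated


def grant_by_reassigning(user, new_role, roles=ROLE_PERMISSIONS, assignments=USER_ROLES):
    """Second option in the text: give this one user a different existing role."""
    if new_role not in roles:
        raise ValueError(f"unknown role: {new_role}")
    updated = dict(assignments)
    updated[user] = new_role
    return updated


if __name__ == "__main__":
    # alice asks for report:read; compare who ends up holding it under each option.
    expanded = grant_by_expanding_role("support_agent", "report:read")
    print("expand role:", users_with("report:read", roles=expanded))
    reassigned = grant_by_reassigning("alice", "support_lead")
    print("reassign   :", users_with("report:read", assignments=reassigned))
```

Expanding the role also grants the permission to bob, who never asked for it, while reassigning alice gives her everything else the new role carries (here `ticket:delete`), so either change is worth reviewing against the "no more, no less" rule.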
Role-based access control is typically used when an organization has a well-defined user base. It enables organizations to allow or restrict system access based on a given employee’s duties and responsibilities.