
Role-based access control (RBAC)
What is Role-Based Access Control (RBAC)?
Role-based access control (RBAC) is an approach to restricting system access to authorized users. In RBAC, permissions are associated with roles, and users are assigned appropriate roles. This ensures that only users with the necessary role can access certain resources or perform specific actions.
What are the benefits of RBAC?
RBAC is a widely used control model that lets organizations establish and police access to their digital resources. It is generally accepted as an effective method of access control, particularly for organizations whose IT infrastructure and requirements span a multitude of systems and applications. With RBAC, roles and privileges can be assigned to users easily, effectively regulating their activity within the system, reducing the threat of unauthorized access to sensitive information, and protecting the integrity of data that is vital to the smooth operation of the enterprise.
RBAC in action with Cerbos
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: rbacExample
  rules:
    # If the principal's role is ADMIN then all the actions are allowed.
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - ADMIN
    # If the principal's role is USER or MANAGER then creating and reading is allowed.
    - actions:
        - create
        - read
      effect: EFFECT_ALLOW
      roles:
        - USER
        - MANAGER
    # If the principal's role is MANAGER then they can also update.
    - actions:
        - update
      effect: EFFECT_ALLOW
      roles:
        - MANAGER
In this policy for a purchase order, a user is granted permission to perform defined actions based on their role. Admins can perform all actions, users can create and read, and managers can also update a PO. Any action not covered by an allow rule for one of the principal's roles is denied.
Try out this pre-built policy in the Cerbos Playground
Key components of role-based access control
The following represent the key characteristics of a role-based access control system and are common to all such systems regardless of the size of the organization or the complexity of its digital infrastructure.
Roles: For the purposes of access to digital assets, roles are typically assigned based on job functions, responsibilities and other attributes. For instance, within a given organization, roles may include admin, manager and employee. Each role is then assigned a set of permissions based on the job description of the people who hold it. Some roles will have extremely limited access while others will have carte blanche.
Permissions: RBAC relies on permissions being assigned to various roles. These permissions specify which digital assets a user will have access to along with the specific actions they will be able to perform in relation to those assets. For example, both an employee and a manager may be able to view a certain file but only the manager will have permission to alter its content or delete it.
Users: Without users, there is no need for role-based access controls. Users are those individuals, processes or applications that need to interact with the system. Each user is assigned a role based on their responsibilities. In some cases, a user may be assigned more than one role.
Resources: Resources - also referred to as “objects” - are those digital assets users will need to access, manipulate or perhaps execute. Resources include files, databases, servers, scripts and other components of the computer infrastructure.
Establishing Relationships Between Roles and Permissions
RBAC establishes both roles and permissions and then combines them in a way that ensures the integrity of an organization’s digital resources. Basic RBAC principles include:
- Establishing roles: Before roles can be assigned they must be established.
- Defining permissions: Permissions are based on the digital assets involved and their sensitivity.
- Assigning permissions to roles: Each role is then assigned one or more permissions.
- Assigning roles: Roles are then assigned to the various users.
- Least privilege: Roles are assigned using the principle of least privilege whereby users are given the minimum access they need to perform their designated functions.
- Access control: Once roles have been assigned they are used to provide access control.
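The following is an added example, not code from Cerbos or from the original page. It walks through the six steps just listed against the rbacExample policy shown earlier: the POLICY dict is a transcription of that policy, and Principal, is_allowed, check_actions and least_privilege_role are names chosen here for illustration. The evaluation semantics it mirrors are the ones the page describes: permissions attach to roles, a principal may hold several roles, "*" grants every action, and anything not explicitly allowed is denied.

```python
"""Minimal RBAC evaluator modelled on the rbacExample policy (added example,
not the Cerbos engine). Deny by default; "*" means every action."""
from dataclasses import dataclass

# Steps 1-3: roles, permissions (actions), and the permissions assigned to
# each role. Constructed dict form of the page's rbacExample policy.
POLICY = {
    "resource": "rbacExample",
    "rules": [
        {"actions": ["*"], "effect": "EFFECT_ALLOW", "roles": ["ADMIN"]},
        {"actions": ["create", "read"], "effect": "EFFECT_ALLOW",
         "roles": ["USER", "MANAGER"]},
        {"actions": ["update"], "effect": "EFFECT_ALLOW", "roles": ["MANAGER"]},
    ],
}


@dataclass(frozen=True)
class Principal:
    """Step 4: a user (person, process or application) with one or more roles."""
    id: str
    roles: frozenset


def all_roles(policy):
    """Every role named anywhere in the policy, sorted for determinism."""
    return sorted({r for rule in policy["rules"] for r in rule["roles"]})


def granted_actions(policy, role):
    """Actions that ALLOW rules grant to a single role ("*" kept as-is)."""
    acts = set()
    for rule in policy["rules"]:
        if rule["effect"] == "EFFECT_ALLOW" and role in rule["roles"]:
            acts.update(rule["actions"])
    return acts


def is_allowed(policy, principal, action):
    """Step 6: deny by default. Allowed only if some ALLOW rule names one of
    the principal's roles and lists the action or the "*" wildcard."""
    for rule in policy["rules"]:
        if rule["effect"] != "EFFECT_ALLOW":
            continue
        if not principal.roles & set(rule["roles"]):
            continue
        if "*" in rule["actions"] or action in rule["actions"]:
            return True
    return False


def check_actions(policy, principal, actions):
    """Batch check returning {action: bool}, the shape a UI or audit log
    would consume when deciding what to show or record."""
    return {a: is_allowed(policy, principal, a) for a in actions}


def least_privilege_role(policy, needed):
    """Step 5: choose the single role that covers `needed` with the fewest
    extra grants. A wildcard role ranks last because it grants every action,
    including ones the policy never names. Returns None if no role covers."""
    candidates = []
    for role in all_roles(policy):
        acts = granted_actions(policy, role)
        wildcard = "*" in acts
        if wildcard or needed <= acts:
            candidates.append((wildcard, len(acts - needed), role))
    return min(candidates)[2] if candidates else None


if __name__ == "__main__":
    dan = Principal("dan", frozenset({"USER", "MANAGER"}))  # constructed user
    print(check_actions(POLICY, dan, ["create", "read", "update", "delete"]))
    print(least_privilege_role(POLICY, {"read"}))
```

Note that a principal holding both USER and MANAGER gets the union of the two roles' grants but still cannot delete, because no allow rule covers that action for either role; only ADMIN's wildcard does. least_privilege_role makes the same point from the assignment side: someone who only needs to read a purchase order should be given USER, not MANAGER or ADMIN.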
Conclusion
Role-based access control offers a variety of benefits including scalability, simple administration and robust accountability via a clear audit trail. Organization-wide changes can be automatically implemented by simply modifying a given permission or role. This makes RBAC one of the most cost-effective methods of access control for large organizations.