
Published: 20 August 2024
Contributors: Gregg Lindemulder,  Matt Kosinski

What is role-based access control (RBAC)?

Role-based access control (RBAC) is a model for authorizing end-user access to systems, applications and data based on a user’s predefined role. For example, a security analyst can configure a firewall but can’t view customer data, while a sales rep can see customer accounts but can’t touch firewall settings.

In an RBAC system, an administrator assigns each individual user one or more roles. Each role represents a set of permissions or privileges granted to the users who hold it.

A finance role might authorize a user to make purchases, run forecasting software or grant access to supply chain systems. A human resources role might authorize a user to see personnel files and manage employee benefits systems.

Large organizations with many employees often use RBAC to simplify access management and maintain information security for digital resources. Some businesses also use RBAC to grant security clearance for physical assets such as electronic locks on buildings, offices and data centers.

By restricting users’ access to the resources needed for their roles, RBAC can help defend against malicious insiders, negligent employees and external threat actors. 


Why is RBAC important?

A role-based access control system enables organizations to take a granular approach to identity and access management (IAM) while streamlining authorization processes and access control policies. Specifically, RBAC helps organizations:

  • Assign permissions more effectively
  • Maintain compliance 
  • Protect sensitive data

Assign permissions more effectively

RBAC eliminates the need to provision each individual user with a customized set of user permissions. Instead, defined RBAC roles determine access rights. This process makes it easier for organizations to onboard or offboard employees, update job functions and transform business operations.

The benefits of RBAC also include the ability to quickly add access permissions for contractors, vendors and other third-party users. For example, a comarketing role assignment might grant an external business partner application programming interface (API) access to product-related databases. That way, the user has access to the information they need but none of the company’s confidential resources are exposed.

Maintain compliance

Implementing RBAC also helps businesses comply with data protection regulations, such as mandates that cover financial services and healthcare organizations. RBAC gives regulators transparency into who is accessing or modifying sensitive information, when they do so and how.

Protect sensitive data

RBAC policies help address cybersecurity vulnerabilities by enforcing the principle of least privilege (PoLP). Under PoLP, user roles grant access to the minimum level of permissions required to complete a task or fulfill a job. For example, a junior developer might have permission to work on an app’s source code, but can’t commit changes without a supervisor’s approval.

By limiting access to sensitive data, RBAC helps prevent both accidental data loss and intentional data breaches. Specifically, RBAC helps curtail lateral movement, which is when hackers use an initial network access vector to gradually expand their reach across a system.

According to the X-Force® Threat Intelligence Index, valid account abuse—in which hackers take over legitimate users’ accounts and use their privileges to cause harm—is the most common cyberattack vector. RBAC mitigates the damage that a hacker can do with a user’s account by limiting what that account can access in the first place.

Similarly, insider threats are one of the costliest causes of data breaches. According to the Cost of a Data Breach Report, breaches caused by malicious insiders cost an average of USD 4.99 million, higher than the overall average breach cost of USD 4.88 million.

By limiting user permissions, RBAC makes it harder for employees to maliciously or negligently misuse their access privileges to harm the organization.

How RBAC works

In an RBAC system, organizations must first create specific roles and then define which permissions and privileges those roles will be granted. Organizations often begin by broadly separating roles into three top-level categories: administrators, specialists (or expert users) and end users.

To further configure different roles for specific sets of users, more fine-grained factors such as authority, responsibilities and skill levels are considered. Sometimes, a role might correspond directly to a job title. In other cases, the role might be a collection of permissions that can be assigned to a user who meets certain conditions, regardless of their job title.

Users are often assigned multiple roles or might be assigned to a role group that includes several levels of access. Some roles are hierarchical and provide managers with a complete set of permissions, while roles below them receive a subset of those role permissions. For instance, a supervisor’s role might grant that user write access to a document, while team members have read access only.

An example of RBAC in action

  1. An IT administrator at a hospital creates an RBAC role for “Nurse.”
  2. The administrator sets permissions for the Nurse role, such as viewing medications or entering data into an electronic health record (EHR) system.
  3. Members of the nursing staff at the hospital are assigned the RBAC Nurse role.
  4. When users assigned to the Nurse role log on, RBAC checks which permissions they are entitled to and grants them access for that session.
  5. Other system permissions such as prescribing medications or ordering tests are denied to these users because they are not authorized for the Nurse role. 

RBAC and identity and access management (IAM)

Many organizations use an identity and access management (IAM) solution to implement RBAC across their enterprises. IAM systems can help with both authentication and authorization in an RBAC scheme:

  • Authentication: IAM systems can verify a user’s identity by checking their credentials against a centralized user directory or database.

  • Authorization: IAM systems can authorize users by checking their roles in the user directory and granting the appropriate permissions based on that role in the organization’s RBAC scheme.

What are the three primary rules of RBAC?

The National Institute of Standards and Technology (NIST), which developed the RBAC model, provides three basic rules for all RBAC systems.  

  1. Role assignment: A user must be assigned one or more active roles to exercise permissions or privileges.

  2. Role authorization: The user must be authorized to take on the role or roles they have been assigned.

  3. Permission authorization: Permissions or privileges are granted only to users who have been authorized through their role assignments.
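The hospital "Nurse" walkthrough above and the three NIST rules can be shown together in a small core RBAC engine. This is an added example, not IBM's or NIST's code: the roles (Nurse, Physician), the permission strings and the users alice and bob are constructed for illustration. Rule 1 is enforced when a session is opened (a user with no assigned roles gets nothing), rule 2 when a session tries to activate a role (only assigned roles may be activated) and rule 3 at every permission check (a permission is reachable only through an active role).

```python
"""Core ("flat") RBAC engine following the three NIST rules.

Added example, not IBM's code. The roles, permissions and users below
are constructed for illustration (the hospital "Nurse" scenario).
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a user or session attempts something it is not authorized for."""


@dataclass
class RbacEngine:
    # role -> set of permissions, written as "action:object"
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles the user has been assigned and may therefore activate
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def create_role(self, role: str, permissions: set[str]) -> None:
        self.role_permissions[role] = set(permissions)

    def assign_role(self, user: str, role: str) -> None:
        # Refuse assignment to an undefined role so a typo cannot go unnoticed
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user: str, requested_roles: set[str] | None = None) -> Session:
        """Rule 1 (role assignment) and rule 2 (role authorization):
        a session may only activate roles the user has actually been assigned."""
        assigned = self.user_roles.get(user, set())
        if not assigned:
            raise AccessDenied(f"{user} has no assigned roles")
        active = assigned if requested_roles is None else set(requested_roles)
        if not active <= assigned:
            raise AccessDenied(f"{user} is not authorized for roles {active - assigned}")
        return Session(self, user, active)


@dataclass
class Session:
    engine: RbacEngine
    user: str
    active_roles: set[str]

    def permissions(self) -> set[str]:
        perms: set[str] = set()
        for role in self.active_roles:
            perms |= self.engine.role_permissions[role]
        return perms

    def is_permitted(self, permission: str) -> bool:
        """Rule 3 (permission authorization): reachable only via an active, assigned role."""
        return permission in self.permissions()


def hospital_demo() -> dict[str, bool]:
    """Walks the five-step Nurse scenario and returns the outcome of each check."""
    rbac = RbacEngine()
    # Steps 1-2: create the Nurse role and set its permissions
    rbac.create_role("Nurse", {"view:medications", "write:ehr"})
    rbac.create_role("Physician",
                     {"view:medications", "write:ehr", "prescribe:medications", "order:tests"})
    # Step 3: assign the role to nursing staff (constructed users)
    rbac.assign_role("alice", "Nurse")
    rbac.assign_role("bob", "Physician")

    # Step 4: log on; by default every assigned role becomes active for the session
    session = rbac.open_session("alice")
    results = {
        "nurse_can_view_medications": session.is_permitted("view:medications"),
        "nurse_can_write_ehr": session.is_permitted("write:ehr"),
        # Step 5: permissions outside the Nurse role are denied
        "nurse_can_prescribe": session.is_permitted("prescribe:medications"),
        "nurse_can_order_tests": session.is_permitted("order:tests"),
    }
    # Rule 2: alice cannot activate a role she was never assigned
    try:
        rbac.open_session("alice", {"Physician"})
        results["nurse_can_activate_physician"] = True
    except AccessDenied:
        results["nurse_can_activate_physician"] = False
    return results


if __name__ == "__main__":
    for check, outcome in hospital_demo().items():
        print(f"{check}: {outcome}")
```

Keeping the "active roles" of a session separate from the user's full assignment is what makes rule 2 checkable: a user can hold several roles yet activate only the ones a given task needs, which is the least-privilege behaviour the article describes.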

What are the four models of RBAC?

There are four separate models for implementing RBAC, but each model begins with the same core structure. Each successive model builds new functionality and features upon the previous model.  

  • Core RBAC
  • Hierarchical RBAC
  • Constrained RBAC
  • Symmetric RBAC

Core RBAC
Sometimes called Flat RBAC, this model is the required foundation for any RBAC system. It follows the three basic rules of RBAC. Users are assigned roles, and those roles authorize access to specific sets of permissions and privileges. Core RBAC can be used as a primary access control system, or as the basis for more advanced RBAC models.

Hierarchical RBAC
This model adds role hierarchies that replicate the reporting structure of an organization. In a role hierarchy, each role inherits the permissions of the role beneath it and gains new permissions.

For example, a role hierarchy might include executives, managers, supervisors and line employees. An executive at the top of the hierarchy would be authorized for a full set of permissions, while managers, supervisors and line employees would each be granted successively smaller subsets of that permission set.  

Constrained RBAC
In addition to role hierarchies, this model adds capabilities for enforcing separation of duties (SOD). Separation of duties helps prevent conflicts of interest by requiring two people to complete certain tasks.

For example, a user who requests reimbursement for a business expense should not be the same person who approves that request. Constrained RBAC policy ensures that user privileges are separated for these types of tasks.

Symmetric RBAC
This model is the most advanced, flexible and comprehensive version of RBAC. In addition to the capabilities of the previous models, it adds deeper visibility into permissions across an enterprise.

Organizations are able to review how each permission maps to each role and each user in the system. They can also adjust and update the permissions associated with roles as business processes and employee responsibilities evolve.

These features are especially valuable to large organizations that must ensure that every role and every user has the least amount of access required to carry out tasks.
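The hierarchical, constrained and symmetric models described above can be demonstrated on one small policy engine. This is an added example, not IBM's or NIST's code: the role hierarchy (LineEmployee, Supervisor, Manager, Executive), the expense roles, the permission strings and the users carol and dave are all constructed. Senior roles inherit permissions transitively from the roles beneath them, a static separation-of-duties constraint refuses to let one user hold both the requester and the approver role, and a review function answers the symmetric-RBAC question of which roles and users hold a given permission.

```python
"""Hierarchical, constrained and symmetric RBAC in one engine.

Added example, not IBM's code. All roles, users and permissions are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an assignment would break a separation-of-duties constraint."""


@dataclass
class HierarchicalRbac:
    direct_permissions: dict[str, set[str]] = field(default_factory=dict)
    # senior role -> junior roles whose permissions it inherits
    juniors: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    user_roles: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    # static SoD: each constraint is a set of mutually exclusive roles
    sod_constraints: list[frozenset[str]] = field(default_factory=list)

    def add_role(self, role: str, permissions=(), inherits=()) -> None:
        for junior in inherits:
            if junior not in self.direct_permissions:
                raise KeyError(f"unknown junior role: {junior}")
        self.direct_permissions[role] = set(permissions)
        self.juniors[role].update(inherits)

    def role_closure(self, role: str) -> set[str]:
        """The role plus every role it inherits from, transitively (cycle-safe)."""
        seen, stack = set(), [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            stack.extend(self.juniors[current])
        return seen

    def effective_permissions(self, role: str) -> set[str]:
        perms: set[str] = set()
        for r in self.role_closure(role):
            perms |= self.direct_permissions[r]
        return perms

    def add_sod_constraint(self, *roles: str) -> None:
        self.sod_constraints.append(frozenset(roles))

    def assign_role(self, user: str, role: str) -> None:
        """Constrained RBAC: reject the assignment if the user's resulting role set,
        including inherited roles, would contain two roles from one SoD constraint."""
        held: set[str] = set()
        for r in self.user_roles[user] | {role}:
            held |= self.role_closure(r)
        for constraint in self.sod_constraints:
            clash = held & constraint
            if len(clash) > 1:
                raise PolicyViolation(f"{user} would hold conflicting roles {sorted(clash)}")
        self.user_roles[user].add(role)

    def user_permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for r in self.user_roles[user]:
            perms |= self.effective_permissions(r)
        return perms

    def review_permission(self, permission: str) -> dict[str, list[str]]:
        """Symmetric RBAC: which roles (directly or by inheritance) and which users hold it."""
        roles = sorted(r for r in self.direct_permissions if permission in self.effective_permissions(r))
        users = sorted(u for u in self.user_roles if permission in self.user_permissions(u))
        return {"roles": roles, "users": users}


def build_demo() -> HierarchicalRbac:
    rbac = HierarchicalRbac()
    # Hierarchical: each senior role adds permissions on top of the role beneath it
    rbac.add_role("LineEmployee", {"read:doc"})
    rbac.add_role("Supervisor", {"write:doc"}, inherits=["LineEmployee"])
    rbac.add_role("Manager", {"approve:timesheet"}, inherits=["Supervisor"])
    rbac.add_role("Executive", {"sign:contract"}, inherits=["Manager"])
    # Constrained: the person who submits an expense must not be able to approve it
    rbac.add_role("ExpenseRequester", {"submit:expense"})
    rbac.add_role("ExpenseApprover", {"approve:expense"})
    rbac.add_sod_constraint("ExpenseRequester", "ExpenseApprover")
    rbac.assign_role("carol", "Executive")   # constructed users
    rbac.assign_role("dave", "ExpenseRequester")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("Executive permissions:", sorted(rbac.effective_permissions("Executive")))
    print("Who can read:doc?", rbac.review_permission("read:doc"))
    try:
        rbac.assign_role("dave", "ExpenseApprover")
    except PolicyViolation as exc:
        print("SoD blocked:", exc)
```

Checking separation of duties against the inherited closure, not just the directly assigned roles, matters: a hierarchy that quietly made ExpenseApprover a junior of some senior role would otherwise let a requester acquire approval rights through inheritance.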

RBAC vs. other access control frameworks

There are other access control frameworks that organizations might use as an alternative to RBAC. In some use cases, organizations combine RBAC with another authorization model to manage user permissions. Commonly used access control frameworks include:

  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Attribute-based access control (ABAC)
  • Access control list (ACL)

Mandatory access control (MAC)

MAC systems enforce centrally defined access control policies across all users. MAC systems are less granular than RBAC, and access is typically based on set clearance levels or trust scores. Many operating systems use MAC to control program access to sensitive system resources.

Discretionary access control (DAC)

DAC systems enable the owners of resources to set their own access control rules for those resources. DAC is more flexible than the blanket policies of MAC, and less restrictive than the structured approach of RBAC.

Attribute-based access control (ABAC)

ABAC analyzes the attributes of users, objects and actions—such as a user’s name, a resource’s type and the time of day—to determine whether access will be granted. RBAC can be easier to implement than ABAC because RBAC uses organizational roles rather than each individual user’s attributes to authorize access.

The difference between RBAC and ABAC is that ABAC dynamically determines access permissions in the moment based on several factors, while RBAC determines access permissions based solely on the user’s predefined role.
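The contrast in the paragraph above is easiest to see by running the same request through both models. This is an added example, not IBM's code: the roles, the ABAC rules (department, matching region, business hours) and the user erin are constructed. The RBAC decision looks only at the subject's roles and is the same at any time of day; the ABAC decision is a predicate over subject, resource and environment attributes evaluated at request time, so the same user is allowed at 10:00 and denied at 23:00.

```python
"""RBAC versus ABAC on one request. Added example, not IBM's code;
the policy, attributes and users are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

# --- RBAC: the decision depends only on the subject's predefined roles ---
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "sales_rep": {"read:customer_account"},
    "security_analyst": {"configure:firewall"},
}


def rbac_decide(roles: set[str], action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: the decision is a predicate over attributes evaluated in the moment ---
@dataclass(frozen=True)
class Request:
    subject: dict
    resource: dict
    action: str
    environment: dict


def is_sales(req: Request) -> bool:
    return req.subject.get("department") == "sales"


def same_region(req: Request) -> bool:
    return req.subject.get("region") == req.resource.get("region")


def business_hours(req: Request) -> bool:
    now = req.environment["time"].time()
    return time(8, 0) <= now < time(18, 0)


# action -> rules that must all hold; any action without rules is denied by default
ABAC_POLICY: dict[str, list[Callable[[Request], bool]]] = {
    "read:customer_account": [is_sales, same_region, business_hours],
}


def abac_decide(req: Request) -> bool:
    rules = ABAC_POLICY.get(req.action)
    if rules is None:
        return False  # default deny for actions no rule covers
    return all(rule(req) for rule in rules)


def compare(at: datetime, action: str = "read:customer_account") -> dict[str, bool]:
    """Evaluate one constructed request under both models at the given time."""
    subject = {"name": "erin", "department": "sales", "region": "EU", "roles": {"sales_rep"}}
    resource = {"type": "customer_account", "region": "EU"}
    req = Request(subject, resource, action, {"time": at})
    return {"rbac": rbac_decide(subject["roles"], action), "abac": abac_decide(req)}


if __name__ == "__main__":
    print("10:00:", compare(datetime(2024, 8, 20, 10, 0)))
    print("23:00:", compare(datetime(2024, 8, 20, 23, 0)))
    print("firewall:", compare(datetime(2024, 8, 20, 10, 0), "configure:firewall"))
```

The two models are often combined in practice: a role can be treated as just another subject attribute, so an ABAC rule can require both a role and an environmental condition.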

Access control list (ACL)

ACL is a basic access control system that references a list of users and rules to determine who can access a system or resource, and which actions they may perform.

The difference between ACL and RBAC is that an ACL individually defines the rules for each user, while RBAC systems assign access rights based on roles.

For large organizations, RBAC is considered a better option for access control because it is more scalable and easier to manage than ACL.
