Role-Based Access Control
What is RBAC (Role-Based Access Control)?
RBAC (Role-Based Access Control) is an authorization model that grants permissions to roles rather than directly to users, then assigns users to roles. A user's access is the sum of their roles' permissions, which makes access consistent, easy to manage, and simple to audit.
How RBAC works
In RBAC, permissions describe allowed actions on resources (for example, “edit invoices”). Those permissions are grouped into roles such as Admin, Editor, or Viewer. Users are then assigned roles, and inherit every permission their roles carry.
This indirection is the point: instead of managing thousands of individual user-to-permission grants, administrators manage a handful of roles. Onboarding becomes “assign a role,” access reviews become “list who has each role,” and changing what a role can do updates every member at once.
RBAC vs. ABAC vs. fine-grained authorization
RBAC decides access based on roles. ABAC (Attribute-Based Access Control) decides based on attributes of the user, resource, and context — enabling rules like “managers can approve expenses under $5,000 in their own region.” ABAC is more expressive but harder to reason about.
Fine-grained authorization (FGA), popularized by Google's Zanzibar model, evaluates access per individual object and relationship — “can this user view this specific document?” Many real systems combine models: RBAC for coarse roles, plus ABAC or FGA for the fine-grained cases.
RBAC in multi-tenant apps
In B2B SaaS, roles are usually scoped per tenant, so a user can be an Admin in one organization and a Viewer in another. Getting this isolation right is essential: a role assignment must never leak permissions across tenant boundaries.
Frequently asked questions
- What is the difference between RBAC and ABAC?
- RBAC grants access based on a user's roles. ABAC grants access based on attributes of the user, resource, and environment, allowing more dynamic, context-aware rules. ABAC is more flexible but more complex to design and audit.
- What are examples of RBAC roles?
- Common roles include Owner, Admin, Editor, Member, and Viewer. Each bundles a set of permissions, and users inherit the permissions of every role they are assigned.
- Can RBAC and fine-grained authorization be used together?
- Yes. Many systems use RBAC for broad, role-level access and add fine-grained authorization (FGA/ReBAC) for per-object decisions, such as sharing a specific document with a specific user.
Related terms
Add auth to your app in minutes
Authentication, SSO, MFA, RBAC, SCIM, and multi-tenant identity — with developer-first APIs and a console non-devs can use.