Role Based Access Control

Group permissions into roles so access stays manageable as your system grows.

The Problem With Per-User Permissions

Granting permissions directly to each user does not scale. With thousands of users and hundreds of actions, the matrix becomes impossible to audit, and people quietly accumulate access they no longer need.

How RBAC Works

Role Based Access Control introduces a layer between users and permissions. Permissions attach to roles, and users are assigned roles. Changing what a role can do updates everyone holding that role at once.

  • A permission is the right to perform an action on a resource, such as read invoices.
  • A role is a named bundle of permissions, such as accountant.
  • A user is assigned one or more roles.

Why It Helps Defense

  • Access reviews check role assignments, which is far easier than auditing per-user grants.
  • Onboarding and offboarding become adding or removing a role rather than chasing scattered grants.
  • It supports separation of duties by keeping conflicting roles apart.
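A minimal model of the user to role to permission layering described above, with a separation-of-duties check and a role-centric review listing, as an added example (not the lesson's own code; the approver role, the payments resource and the user names are constructed):

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    action: str    # e.g. "read"
    resource: str  # e.g. "invoices"

@dataclass
class RBAC:
    roles: dict[str, set[Permission]] = field(default_factory=dict)  # role -> permissions
    assignments: dict[str, set[str]] = field(default_factory=dict)   # user -> roles
    # Pairs of roles no single user may hold together (separation of duties).
    conflicts: set[frozenset[str]] = field(default_factory=set)

    def grant(self, role: str, action: str, resource: str) -> None:
        # Permissions attach to the role, so every holder of the role is updated at once.
        self.roles.setdefault(role, set()).add(Permission(action, resource))

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.conflicts.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.conflicts:
                raise ValueError(f"{user} cannot hold {role!r} together with {other!r}")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        # Offboarding is removing a role, not hunting down individual grants.
        self.assignments.get(user, set()).discard(role)

    def can(self, user: str, action: str, resource: str) -> bool:
        wanted = Permission(action, resource)
        return any(wanted in self.roles[r] for r in self.assignments.get(user, ()))

    def review(self) -> dict[str, set[str]]:
        # Access review: who holds which role, instead of a user x action matrix.
        out: dict[str, set[str]] = {r: set() for r in self.roles}
        for user, held in self.assignments.items():
            for r in held:
                out[r].add(user)
        return out

def demo() -> RBAC:
    rbac = RBAC()
    rbac.grant("accountant", "read", "invoices")   # permission from the lesson
    rbac.grant("approver", "approve", "payments")  # constructed second role
    rbac.forbid_together("accountant", "approver")
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "approver")
    return rbac
```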

Key idea

RBAC binds permissions to roles and users to roles, making access predictable, reviewable, and easy to revoke at scale.

Check yourself

1. In RBAC, what do permissions attach to directly?

2. Why does RBAC ease access reviews?