← All terms
Role-Based Access Control (RBAC)

What is Role-Based Access Control (RBAC)?

RBAC grants access based on roles rather than individuals: permissions are attached to roles, and users receive access by being assigned to those roles.

Last updated: 14 July 2026

How RBAC works

Role-based access control introduces a layer between users and permissions. Instead of granting each person individual rights in every system, administrators define roles that represent job functions — accountant, support engineer, HR specialist — and attach the required permissions to those roles. Users are then assigned to roles, and the access follows automatically.

A well-designed role model usually has two levels: business roles that map to what a person does in the organization, and technical roles or entitlements that map to concrete permissions in applications, such as group memberships, database grants, or application profiles. Role assignment can be manual, rule-driven based on attributes like department, or requested through an approval workflow.

When someone changes jobs, removing the old role and assigning the new one replaces dozens of individual permission changes with a single, auditable operation.

Why RBAC matters

Managing access person by person does not scale. It produces inconsistent permissions for people doing the same job, makes access reviews nearly impossible to reason about, and leaves stale rights behind whenever someone moves. RBAC turns access into something that can be modeled, reviewed, and audited at the level of job functions.

RBAC also supports least privilege in a practical way: because a role is defined once and reused, it is worth the effort to scope it tightly. Auditors and frameworks such as ISO 27001 and SOC 2 expect access to be granted on a defined, need-to-know basis, and a role model is the most common way organizations demonstrate that.

The main risk is role explosion — creating so many narrow roles that the model becomes as unmanageable as individual grants. Successful programs keep business roles coarse and handle exceptions through separate, time-bound entitlements.

RBAC in practice

Most organizations start by mining existing access: looking at what people in the same department or job title actually hold, and extracting common patterns into candidate roles. Roles for the highest-volume job functions deliver the most value first.

Once roles exist, they become the unit of automation. Joiner events assign birthright roles automatically, mover events swap roles, and access requests are expressed as role requests with clear owners and approvers. Periodic reviews then certify role definitions and role assignments separately, which is far more tractable than certifying raw permissions.

Identity platforms operationalize this pattern; Monosign, for example, uses role-based provisioning together with joiner-mover-leaver workflows so that role changes propagate to connected applications automatically.

Frequently asked questions

What is the difference between RBAC and ABAC?
RBAC decides access based on assigned roles; ABAC evaluates attributes of the user, resource, and context — department, data classification, location, time — against policies at request time. RBAC is simpler to audit; ABAC is more expressive. Many organizations combine them: roles for baseline access, attribute rules for contextual conditions.
How many roles should an organization have?
There is no fixed number, but a useful signal is the ratio of roles to users: if it approaches one role per user, the model has degenerated into individual grants. Keep business roles aligned to real job functions and push rare, specific needs into separately requested entitlements.
Does RBAC replace access reviews?
No. RBAC makes reviews easier and more meaningful, but role definitions drift and exceptions accumulate, so periodic certification of both role contents and role assignments is still required.