
Role-Based Access Control

Info: This content is adapted from Okta documentation.

The main difference between RBAC and ABAC is how each method grants access. RBAC techniques grant access by role. ABAC techniques determine access from user characteristics, object characteristics, action types, and more.

What Is Role-Based Access Control?

Someone logs into your computer system. What can that person do? If you use RBAC techniques, the answer to that question depends on that person's role.

A role in RBAC language typically refers to a group of people that share certain characteristics, such as:

  • Departments
  • Locations
  • Seniority levels
  • Work duties

With a role defined, you can assign permissions. Those might involve:

  • Access. What can the person see?
  • Operations. What can the person read? What can the person write? Can the person create or delete files?
  • Sessions. How long can the person stay in the system? When will the login work? When will the login expire?

NIST RBAC Types

The National Institute of Standards and Technology defines four subtypes of RBAC in case you need a bit more flexibility.

  • Flat: All employees have at least one role that defines permissions, but some have more than one.
  • Hierarchical: Seniority levels define how roles work together. Senior executives have their own permissions, and they also inherit those held by their subordinates.
  • Constrained: Separation of duties is added, so that a sensitive task requires several people rather than one. This helps to ensure security and prevent fraudulent activities.
  • Symmetrical: Role permissions are reviewed frequently, and permissions change as the result of that review.

These models build upon one another, and they can be arranged by security level.

  • Level 1, Flat: This is the least complex form of RBAC. Employees use roles to gain permissions.
  • Level 2, Hierarchical: This builds on the Flat RBAC rules, and it adds role hierarchy.
  • Level 3, Constrained: This builds on Hierarchical RBAC, and it adds separation of duties.
  • Level 4, Symmetrical: This builds on the Constrained RBAC model, and it adds permission reviews.
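As an added illustration (not part of the Okta material above), here is a small Python model of the first three NIST levels together: flat role-to-permission grants, a hierarchy in which senior roles absorb the permissions of junior roles, and a static separation-of-duties constraint enforced at assignment time. The role, permission and user names are constructed for the example.

```python
from collections import defaultdict

class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)  # Flat: role -> directly granted permissions
        self.inherits = defaultdict(set)    # Hierarchical: senior role -> junior roles it absorbs
        self.exclusive = set()              # Constrained: role pairs one person may never combine
        self.user_roles = defaultdict(set)

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def add_senior(self, senior, junior):
        self.inherits[senior].add(junior)

    def add_sod(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def effective_roles(self, role, seen=None):
        # The role plus every junior role reachable through the hierarchy (cycle-safe)
        seen = set() if seen is None else seen
        if role not in seen:
            seen.add(role)
            for junior in self.inherits[role]:
                self.effective_roles(junior, seen)
        return seen

    def assign(self, user, role):
        # Static separation of duties: no user may hold both halves of an exclusive pair, even via inheritance
        combined = {e for r in self.user_roles[user] | {role} for e in self.effective_roles(r)}
        if any(pair <= combined for pair in self.exclusive):
            raise PermissionError(f"{user}: assigning {role} violates separation of duties")
        self.user_roles[user].add(role)

    def permissions(self, user):
        return {p for r in self.user_roles[user]
                for e in self.effective_roles(r) for p in self.role_perms[e]}

def build_example():
    # Constructed data: eng_manager > engineer > employee; an auditor must never approve deploys
    rbac = RBAC()
    for role, perm in {"employee": "read:wiki", "engineer": "write:repo",
                       "eng_manager": "approve:deploy", "auditor": "read:audit_log"}.items():
        rbac.grant(role, perm)
    rbac.add_senior("engineer", "employee")
    rbac.add_senior("eng_manager", "engineer")
    rbac.add_sod("auditor", "eng_manager")
    rbac.assign("alice", "eng_manager")
    rbac.assign("bob", "auditor")
    return rbac
```

Assigning "auditor" to alice or "eng_manager" to bob raises PermissionError, while assigning "engineer" to bob is allowed because that role never reaches the conflicting pair.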