Definition and Purpose

Role-Based Access Control (RBAC) is a method of managing access to resources and locations based on role-defined permissions. These permissions are based on the specific responsibilities and tasks that a user in that role must perform. A standard was formalized in 1992 by Ferraiolo and Kuhn for NIST.

In an RBAC system, all users are assigned roles (along with their pre-defined permissions), with access being controlled based on roles instead of individual identities. Then when a user then tries to access a resource, location, or perform a restricted action, they must prove their role has the correct permissions in order to be granted access, or else it is denied.

Key Components of Successful RBAC

There are many components that make up a successful RBAC system. This includes many tasks that must be performed regularly to mitigate risk of improper

• Roles/Permissions - Well-defined roles that represent job characteristics within the organization. These may be enforced with various role-identification solutions like tokens or key cards.
• Access Control Lists - Lists specifying users' roles, and thus their permissions and accessible resources.
• Centralized Administration Interface - A system that allows administrators to manage roles and their permissions, as well as a provide a clear overview of users' roles.
• Access Reviews - Regular audits that ensure users have roles that are consistent with their roles and responsibilities.
• Training and Documentation - Thorough training and documentation are crucial in long-term maintenance, making sure that both users and administrators understand the principles of the system.