What is Role-Based Access Control?
Definition
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles rather than individual users, and users are assigned to roles based on their job functions. This simplifies administration and ensures consistent access provisioning.
In Depth
RBAC reduces the complexity of access management by abstracting permissions into roles that mirror organizational functions. Instead of granting individual permissions to each user, administrators define roles like "Developer," "Database Administrator," or "Support Agent" with appropriate permission sets, then assign users to roles as they join or change positions. This model naturally supports the principle of least privilege by limiting each role to only the permissions needed for that function.

RBAC is essential for compliance because it provides a clear, auditable structure for access decisions. SOC 2 auditors can review role definitions and user-role assignments to verify appropriate access. ISO 27001 references RBAC through its access control policy requirements. For HIPAA, RBAC helps enforce the minimum necessary standard by restricting access to PHI based on job role.

Common implementation pitfalls include role explosion (creating too many granular roles), orphaned roles (roles that no longer correspond to actual job functions), and privilege accumulation (users collecting roles without losing prior access).
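The following is an added example, not part of this glossary entry: a minimal RBAC model in which permissions flow only through roles, plus two audit checks for the pitfalls named above (orphaned roles, here read as defined roles held by nobody, and privilege accumulation, read as a user holding more roles than policy allows). Role names and user names are constructed sample data.

```python
"""Minimal RBAC model with audit checks for orphaned roles and privilege accumulation."""
from dataclasses import dataclass, field

@dataclass
class Rbac:
    role_perms: dict[str, set[str]] = field(default_factory=dict)  # role -> permissions
    user_roles: dict[str, set[str]] = field(default_factory=dict)  # user -> roles

    def define_role(self, role: str, *perms: str) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")  # never assign an undefined role
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def change_position(self, user: str, new_role: str) -> None:
        # Replace the whole role set so prior access does not accumulate across moves.
        self.user_roles[user] = set()
        self.assign(user, new_role)

    def is_allowed(self, user: str, perm: str) -> bool:
        # Deny by default: a permission is granted only through an assigned role.
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))

    def orphaned_roles(self) -> set[str]:
        # Roles that are defined but held by nobody (likely no longer a real job function).
        held = set().union(*self.user_roles.values())
        return set(self.role_perms) - held

    def accumulated(self, max_roles: int = 1) -> dict[str, set[str]]:
        # Users holding more roles than policy allows (privilege accumulation).
        return {u: rs for u, rs in self.user_roles.items() if len(rs) > max_roles}

def demo() -> Rbac:
    # Constructed sample data for this example.
    r = Rbac()
    r.define_role("Developer", "repo:read", "repo:write")
    r.define_role("Database Administrator", "db:read", "db:admin")
    r.define_role("Support Agent", "tickets:read", "customer:read")
    r.define_role("Legacy Ops")  # defined, assigned to nobody: orphaned
    r.assign("alice", "Developer")
    r.assign("bob", "Support Agent")
    r.assign("bob", "Database Administrator")  # bob keeps collecting roles: accumulation
    return r
```

Running `demo()` and then the audit methods flags "Legacy Ops" as orphaned and "bob" as accumulating; `change_position` shows the role-replacement pattern that prevents accumulation when someone moves jobs.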
Related Terms
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
Least Privilege
The principle of least privilege dictates that users, systems, and processes should be granted only the minimum level of access necessary to perform their legitimate functions. Access rights should be regularly reviewed and promptly revoked when no longer needed.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors to access a system. Factors include something you know (password), something you have (security token), and something you are (biometric).