Role-Based Access Control (RBAC) is a critical security method for controlling who has access to resources and what they can do with those resources. With RBAC, several roles are defined for a resource, and each role dictates what actions its holders can take on that resource. For example, there may be a role that allows full access to the resource, another role that can only view the resource but not make changes, and another role that can only modify certain parts of the resource. These roles can then be applied to the appropriate groups that users belong to.

RBAC is most common when setting security permissions for file shares on a network. Three roles are generally defined: Full Access, Read-Only Access, and No Access to the file share. This idea can be extended to software applications, with different roles having different levels of access to the application's features. A piece of accounting software may have a role for full access to the data and accounts, a role for data entry only into the accounts (no ability to modify or delete entries that weren’t created by the user), a role to create new accounts or modify existing accounts, and a role with read-only access to the accounts for auditing purposes.

Groups will then be defined by the roles they are granted.  The Human Resources group may have the full access role to the Company Policies file share so they may modify documents within, while everyone else has the read-only access role so they can only view the documents. 

All that’s left to do is assign the necessary users to the necessary groups based on the requirements of their job. This also makes it easy to audit a user’s access to meet various compliance requirements. If an employee moves into a different department, you simply have to remove them from their old group and add them to the new group.
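The role, group and user layering described above can be modelled in a few lines. This is an added example, not code from any particular product; the group names other than Human Resources, the user names, and the rule that No Access overrides other grants are assumptions made for illustration.

```python
# Added example: all group, user and share names are constructed.
ROLES = {                      # role -> actions it permits
    "full_access": {"read", "write", "delete"},
    "read_only": {"read"},
    "no_access": set(),
}
GROUP_ROLES = {                # (group, resource) -> role
    ("Human Resources", "Company Policies"): "full_access",
    ("All Staff", "Company Policies"): "read_only",
    ("Contractors", "Company Policies"): "no_access",
}
KNOWN_GROUPS = {group for group, _ in GROUP_ROLES}


class Directory:
    def __init__(self):
        self.members = {}      # user -> set of group names

    def add(self, user, group):
        if group not in KNOWN_GROUPS:
            raise ValueError(f"unknown group: {group}")
        self.members.setdefault(user, set()).add(group)

    def move(self, user, old_group, new_group):
        # Add first: if the new group is invalid, nothing has changed yet.
        self.add(user, new_group)
        if old_group != new_group:
            self.members[user].discard(old_group)

    def audit(self, user, resource):
        """Return (effective actions, {group: role}) for one user."""
        via = {g: GROUP_ROLES[(g, resource)]
               for g in self.members.get(user, set())
               if (g, resource) in GROUP_ROLES}
        # Assumption: a "no_access" grant overrides every other grant.
        if "no_access" in via.values():
            return set(), via
        actions = set().union(*(ROLES[r] for r in via.values()))
        return actions, via

    def is_allowed(self, user, action, resource):
        # Deny by default: unknown users and ungranted actions fail.
        return action in self.audit(user, resource)[0]
```

The `audit` method returns both the effective actions and the group memberships that produced them, which is the record an access review needs.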

Role-Based Access Control is essential for implementing the principle of least privilege, which says a user has the least amount of privilege and access they need to do their job and no more. Any additional access that needs to be granted should be approved by a supervisor or administrator.