Role-Based Access Control (RBAC)
RBAC is an access control model where permissions are assigned to roles, and users are assigned to roles. It simplifies access management by grouping related permissions together, making it easier to grant and revoke access based on job function.
# WHAT TEAMS RUN INTO
- Roles accumulate and become sprawling. Over time, roles gain more permissions than anyone actually needs. Nobody wants to delete a role because it might break something, so roles grow indefinitely.
- Role boundaries don't match organizational reality. A 'Developer' role in one team needs different permissions than a 'Developer' role in another team, forcing organizations to create 'Developer-Team-A' and 'Developer-Team-B' variants.
- RBAC doesn't handle context or temporal access. A user needs admin access for an emergency, but RBAC is binary — either they have the role or they don't. Organizations either grant excess standing privilege or create painful workarounds.
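The following is an added example, not code from the original page. It implements the model described in the definition above (permissions attach to roles, users attach to roles) and then addresses two of the problems in the list: a sprawl audit that reports, per role, the permissions no standing member has exercised within a review window, and a time-boxed elevation so an emergency admin grant expires on its own instead of becoming standing privilege. The role names, permission strings, users, the usage log and the fixed clock value `NOW` are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


class RBAC:
    """Permissions attach to roles; users attach to roles (the RBAC model)."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        # Time-boxed grants: (user, role) -> expiry. Avoids the "binary role"
        # problem without handing out standing membership.
        self.temporary: Dict[Tuple[str, str], datetime] = {}

    def define_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def elevate(self, user: str, role: str, duration: timedelta, now: datetime) -> None:
        """Grant a role that expires automatically after `duration`."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.temporary[(user, role)] = now + duration

    def roles_for(self, user: str, now: datetime) -> Set[str]:
        """Standing roles plus any temporary grant that has not yet expired."""
        roles = set(self.user_roles.get(user, set()))
        for (u, r), expiry in self.temporary.items():
            if u == user and now < expiry:
                roles.add(r)
        return roles

    def has_permission(self, user: str, perm: str, now: datetime) -> bool:
        return any(perm in self.role_perms[r] for r in self.roles_for(user, now))

    def audit_unused(self, last_used: Dict[Tuple[str, str], datetime],
                     window: timedelta, now: datetime) -> Dict[str, Set[str]]:
        """Per role, the permissions no standing member exercised within `window`.
        A role with no members reports all of its permissions (an orphan role)."""
        cutoff = now - window
        report: Dict[str, Set[str]] = {}
        for role, perms in self.role_perms.items():
            members = {u for u, rs in self.user_roles.items() if role in rs}
            exercised = {p for (u, p), ts in last_used.items()
                         if u in members and ts >= cutoff}
            unused = perms - exercised
            if unused:
                report[role] = unused
        return report


def build_example() -> RBAC:
    """Constructed roles, permissions and users for illustration."""
    rbac = RBAC()
    rbac.define_role("developer", {"repo:read", "deploy:staging", "db:drop"})
    rbac.define_role("billing", {"invoice:read", "invoice:refund"})
    rbac.define_role("admin", {"iam:write", "deploy:prod"})  # nobody holds it
    rbac.assign("alice", "developer")
    rbac.assign("bob", "developer")
    rbac.assign("carol", "billing")
    return rbac


# Constructed usage log: (user, permission) -> last time it was exercised.
LAST_USED = {
    ("alice", "repo:read"): NOW - timedelta(days=1),
    ("bob", "deploy:staging"): NOW - timedelta(days=10),
    ("carol", "invoice:read"): NOW - timedelta(days=3),
    ("carol", "invoice:refund"): NOW - timedelta(days=200),  # outside the window
}


def sprawl_report(rbac: RBAC) -> Dict[str, Set[str]]:
    """Permissions per role that nobody used in the last 90 days."""
    return rbac.audit_unused(LAST_USED, timedelta(days=90), NOW)


def elevation_demo(rbac: RBAC) -> Tuple[bool, bool, bool]:
    """Can alice deploy to prod (before elevation, during the 1h grant, after expiry)?"""
    before = rbac.has_permission("alice", "deploy:prod", NOW)
    rbac.elevate("alice", "admin", timedelta(hours=1), NOW)
    during = rbac.has_permission("alice", "deploy:prod", NOW)
    after = rbac.has_permission("alice", "deploy:prod", NOW + timedelta(hours=2))
    return before, during, after


if __name__ == "__main__":
    engine = build_example()
    print(sprawl_report(engine))
    print(elevation_demo(engine))
```

The audit deliberately works from observed use rather than from what a role "should" contain: the unused set is exactly the list of permissions a reviewer can propose to remove, with the last-used evidence to back it. The expiry check in `roles_for` means a lapsed emergency grant disappears without anyone remembering to revoke it.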
# WHY IT MATTERS
RBAC is the simplest access control model that works at scale. Without roles, access management becomes individual account by individual account — an unbounded problem. Roles create structure. But roles only work if they are maintained and if they reflect reality. When roles become dumping grounds for permissions, the access control system becomes invisible again.