Role-based access control (RBAC) is a method for controlling what users are able to do within a company's IT systems. RBAC accomplishes this by assigning one or more "roles" to each user, and giving each role different permissions. RBAC can be applied for a single software application or across multiple applications.
Think of a house where several people live. Each resident gets a copy of the key that opens the front door: they do not receive differently designed keys that all open the front door. If they need to access another part of the property, such as the storage shed in the backyard, they may receive a second key. No residents receive a unique key for the shed, or a special key that opens both the shed and the front door.
In RBAC, the roles are static, like the keys to the house in the example above. They are the same for whoever has them, and anyone who needs more access gets assigned an additional role (or a second key), instead of getting customized permissions.
Theoretically, this role-based approach to access control makes it relatively simple to manage user permissions, since permissions are not tailored to individual users. However, in large enterprises with many roles and many applications, RBAC sometimes becomes complex and hard to track, and users may end up with more permissions than they need as a result.
In cyber security, access control refers to tools for restricting and controlling what users are able to do and what data they are able to see. Entering a passcode to unlock a smartphone is one basic example of access control: only someone who knows the passcode is able to access the files and applications on the phone.
One's position in a company may be referred to as a "role." But a role has a more technical definition in RBAC: it is a clearly defined set of abilities, or permissions, for use within company systems. Each internal user has at least one role assigned to them, and some may have multiple roles.
Roles are generic and are not tailored to any one employee within an organization. For example, a salesperson would not receive permissions set up specifically for their user account. Instead, they would be assigned the "salesperson" role and all accompanying permissions, such as the ability to view and edit the customer account database. Other salespeople on the team would be assigned the same role. If a specific salesperson needed expanded permissions, they would be assigned an additional role.
This approach does make adding or removing a user relatively simple — instead of editing permissions for individual users, an administrator can simply change their role.
In the context of access control, a permission is the ability to perform an action. One example could be the ability to upload a file to a company database. A trusted user — say, an internal employee — will have permission to upload files, while an external contractor may not have this ability. In RBAC, every possible role comes with a set of permissions.
Attribute-based access control, or ABAC, is an alternative method for controlling access within an organization. ABAC is somewhat similar to RBAC but goes more granular: permissions in ABAC are based upon user attributes, not user roles. Attributes can be almost anything: specific characteristics of the user (e.g. job title or security clearance), attributes of the action being performed, or even "real-world" properties, such as the current time of day or the physical location of the data being accessed.
Both RBAC and ABAC take into account characteristics of the user. However, ABAC can take a greater amount of context into account, such as the action being performed and properties of the data or system the user is accessing, while RBAC only takes the user's role(s) into account. This makes ABAC more dynamic than RBAC, but also more complex to manage effectively.
Role-based access control is not the same thing as rule-based access control. Rule-based access control is built upon a set of rules, while role-based access control is based on the user. A rule-based controller will block certain actions, such as a port, an IP address, or a type of data input, no matter where the request comes from. Firewalls are often used to implement rule-based access control.
Cloudflare Access, part of the Cloudflare for Teams suite, empowers businesses to secure, authenticate, monitor, and allow or deny user access to any domain, application, or path on Cloudflare. Cloudflare Access quickly applies application-level user permissions to a business's internal resources, and it also keeps a log of all resources that users access.