RBAC — Explained with Examples
RBAC (Role-Based Access Control) is a security model that assigns permissions to roles, and users to roles, simplifying access management for large systems.
RBAC stands for Role-Based Access Control, defined by NIST in the 1990s. Instead of assigning permissions to every user individually, you create roles and assign users to those roles.
The RBAC Model
Users ──→ Roles ──→ Permissions

Alice ──→ Editor ──→ create:article, edit:article
Bob   ──→ Viewer ──→ read:article
Carol ──→ Admin  ──→ create, read, update, delete:*

Example: RBAC Implementation
// Roles map to permission sets; '*' grants every action.
const roles = {
  admin: {
    permissions: ['*']
  },
  editor: {
    permissions: ['article:create', 'article:edit', 'article:read']
  },
  viewer: {
    permissions: ['article:read']
  }
};

// Users are assigned a role, never permissions directly.
const users = {
  alice: { role: 'editor' },
  bob: { role: 'viewer' },
  carol: { role: 'admin' }
};

function checkPermission(username, action) {
  const user = users[username];
  if (!user) return false;                 // unknown user: deny
  const role = roles[user.role];
  if (!role) return false;                 // unknown or misspelled role: deny, don't throw
  return role.permissions.includes('*') || role.permissions.includes(action);
}

console.log(checkPermission('alice', 'article:create')); // true
console.log(checkPermission('bob', 'article:create'));   // false
console.log(checkPermission('carol', 'article:delete')); // true (admin has *)
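As an added example (not code from the original page), the same model extended in the direction a production check usually goes: deny-by-default for unknown users and roles, resource-scoped wildcards such as `article:*` alongside the global `*`, and an audit record of every denial so misconfigured roles show up. The role and user tables here are constructed for the example.

```javascript
// Added example: RBAC check with deny-by-default, scoped wildcards and an audit trail.
// The ROLES and USERS tables are constructed for this example.
const ROLES = {
  admin:  { permissions: ['*'] },
  editor: { permissions: ['article:*'] },        // every action on articles
  viewer: { permissions: ['article:read'] },
};

const USERS = {
  alice: { role: 'editor' },
  bob:   { role: 'viewer' },
  carol: { role: 'admin' },
  dave:  { role: 'auditor' },                    // assigned a role that was never defined
};

// Denied checks are recorded so an operator can spot users with undefined roles
// or repeated attempts at actions a role does not grant.
const auditLog = [];

// A granted permission matches the requested action if it is the exact action,
// the global wildcard '*', or a resource wildcard such as 'article:*'.
function permissionMatches(granted, action) {
  if (granted === '*' || granted === action) return true;
  if (granted.endsWith(':*')) {
    return action.startsWith(granted.slice(0, -1));   // 'article:*' -> prefix 'article:'
  }
  return false;
}

function checkPermission(username, action) {
  const user = USERS[username];
  const role = user ? ROLES[user.role] : undefined;
  // Unknown user or unknown role: deny rather than throw or fall open.
  const allowed = !!role && role.permissions.some((p) => permissionMatches(p, action));
  if (!allowed) {
    const reason = !user ? 'unknown-user' : !role ? 'unknown-role' : 'not-granted';
    auditLog.push({ username, action, reason });
  }
  return allowed;
}

// Wrapping the operation keeps enforcement in one place instead of at every call site.
function withPermission(username, action, operation) {
  if (!checkPermission(username, action)) {
    throw new Error(`${username} may not ${action}`);
  }
  return operation();
}
```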
Real-World Analogy
Think of a hospital. Instead of giving keys to every room to each person individually, the hospital assigns roles: Doctors get keys to all patient rooms and the pharmacy. Nurses get keys to patient rooms and supply closets. Janitors get keys to all rooms but not to medical records. When a new doctor joins, they just get the “doctor role” — no need to configure 50 individual door permissions.
Related Terms
Authentication vs Authorization, Zero Trust, Least Privilege, OAuth, LDAP