What is RBAC (Role-Based Access Control)?

RBAC (Role-Based Access Control) is a permission system where users are assigned roles (Admin, Editor, Viewer) and each role carries a specific set of permissions (can edit, can delete, can invite). Instead of setting permissions per user, you group permissions into roles and assign roles to users. This simplifies permission management for teams and multi-tenant apps, because a change to a role applies to every user who holds it.
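The following is an added example, not code from the original page: a minimal RBAC model in Python with a role-to-permission map, a per-workspace user-to-role assignment (so the same user can hold different roles in different tenants), and a deny-by-default check enforced at the point of action. The role and permission names, the workspace ids and the user ids are constructed for illustration.

```python
"""Minimal RBAC: roles map to permission sets, users map to one role per workspace.
Added example; role names, permissions and the sample users are illustrative."""
from enum import Enum


class Permission(Enum):
    VIEW = "view"
    EDIT = "edit"
    DELETE = "delete"
    INVITE = "invite"


# Role -> permissions. Deny by default: anything not listed here is refused.
ROLE_PERMISSIONS = {
    "Owner": frozenset({Permission.VIEW, Permission.EDIT, Permission.DELETE, Permission.INVITE}),
    "Editor": frozenset({Permission.VIEW, Permission.EDIT}),
    "Viewer": frozenset({Permission.VIEW}),
}

# Constructed sample data: (workspace_id, user_id) -> role.
# Keying by workspace keeps tenants isolated; a role in ws-1 grants nothing in ws-2.
USER_ROLES = {
    ("ws-1", "alice"): "Owner",
    ("ws-1", "bob"): "Editor",
    ("ws-1", "carol"): "Viewer",
}


def permissions_for(workspace_id: str, user_id: str) -> frozenset:
    """Return the permission set a user has inside one workspace (empty if none)."""
    role = USER_ROLES.get((workspace_id, user_id))
    if role is None:
        return frozenset()  # not a member of this workspace -> no permissions
    return ROLE_PERMISSIONS.get(role, frozenset())  # unknown/misspelled role -> nothing


def is_allowed(workspace_id: str, user_id: str, permission: Permission) -> bool:
    return permission in permissions_for(workspace_id, user_id)


def require(workspace_id: str, user_id: str, permission: Permission) -> None:
    """Raise PermissionError unless the user holds the permission in this workspace."""
    if not is_allowed(workspace_id, user_id, permission):
        raise PermissionError(
            f"{user_id!r} lacks {permission.value!r} in workspace {workspace_id!r}"
        )


def delete_page(workspace_id: str, user_id: str, page_id: str) -> str:
    """Server-side handler: the check runs here regardless of what the UI showed."""
    require(workspace_id, user_id, Permission.DELETE)
    return f"deleted {page_id} in {workspace_id}"


if __name__ == "__main__":
    print(delete_page("ws-1", "alice", "page-42"))
    print(is_allowed("ws-1", "carol", Permission.EDIT))  # Viewer cannot edit
```

The check is keyed on the workspace as well as the user, so a role held in one tenant never leaks into another, and an unknown role resolves to an empty permission set rather than to an error path that might be mistaken for "allowed".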

When Should You Use This?

Use RBAC when building team collaboration tools, B2B SaaS with multiple users per account, or any app where different users need different access levels. Start simple (Owner, Member) and add roles as needed (Admin, Viewer, Billing). Don't over-engineer—most apps need 3-5 roles max. For complex enterprise needs, where access depends on attributes of the user or resource rather than on a fixed role, consider ABAC (Attribute-Based Access Control) or tools like Permit.io or Oso.

Common Mistakes to Avoid

  • Too many roles—start with 3 roles (Owner, Editor, Viewer), add more only when necessary
  • Not checking permissions on the backend—always validate roles server-side, never trust the frontend
  • Confusing roles with groups—roles define permissions, groups organize users (sales team, engineering team)
  • Hardcoding permissions—use a permission library or framework (Casbin, CASL, Permify)
  • Forgetting about invited users—handle pending invites, expired invites, role changes before user accepts
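The last point above is the one most often skipped. The following is an added example, not code from the original page, showing an invite lifecycle in Python: invites are pending until accepted, expire after a fixed window, can be revoked or have their role changed before acceptance, and grant the invite's role as it stands at acceptance time rather than at send time. The `InviteStore` class, the TTL, and the sample addresses are constructed; the caller is assumed to have already passed a server-side check that the inviter may invite.

```python
"""Invite lifecycle for an RBAC app: pending -> accepted, with expiry, revocation
and role changes before acceptance. Added example; store and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

VALID_ROLES = {"Owner", "Editor", "Viewer"}
INVITE_TTL = timedelta(days=7)  # constructed policy value


@dataclass
class Invite:
    token: str
    workspace_id: str
    email: str
    role: str
    expires_at: datetime
    status: str = "pending"  # pending | accepted | revoked | expired


class InviteStore:
    def __init__(self) -> None:
        self.invites: dict[str, Invite] = {}  # token -> Invite
        self.memberships: dict[tuple[str, str], str] = {}  # (workspace, email) -> role

    def create(self, workspace_id: str, email: str, role: str, now: datetime) -> Invite:
        """Issue a pending invite. Assumes the inviter's permission was checked upstream."""
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)  # unguessable; delivered out of band
        inv = Invite(token, workspace_id, email.lower(), role, now + INVITE_TTL)
        self.invites[token] = inv
        return inv

    def change_role(self, token: str, new_role: str) -> None:
        """Adjust the role of a not-yet-accepted invite."""
        inv = self.invites[token]
        if inv.status != "pending":
            raise ValueError("only pending invites can be changed")
        if new_role not in VALID_ROLES:
            raise ValueError(f"unknown role {new_role!r}")
        inv.role = new_role

    def revoke(self, token: str) -> None:
        inv = self.invites[token]
        if inv.status == "pending":
            inv.status = "revoked"

    def accept(self, token: str, email: str, now: datetime) -> str:
        """Consume a pending, unexpired invite and grant its current role."""
        inv = self.invites.get(token)
        if inv is None:
            raise PermissionError("invalid invite")
        if inv.status == "pending" and now >= inv.expires_at:
            inv.status = "expired"  # lazily mark expiry on use
        if inv.status != "pending":
            raise PermissionError(f"invite is {inv.status}")
        if email.lower() != inv.email:
            raise PermissionError("invite was issued to a different address")
        inv.status = "accepted"  # single use: a second accept fails above
        self.memberships[(inv.workspace_id, inv.email)] = inv.role
        return inv.role


if __name__ == "__main__":
    store = InviteStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inv = store.create("ws-1", "Dana@example.com", "Viewer", t0)
    store.change_role(inv.token, "Editor")
    print(store.accept(inv.token, "dana@example.com", t0 + timedelta(days=1)))
```

Expiry is checked against the clock passed in by the caller, which keeps the logic testable and avoids a stale `pending` record being honoured long after the window closed; the email comparison ensures an invite forwarded to someone else cannot be redeemed by a different account.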

Real-World Examples

  • Notion—Workspace Owner, Full Member, Guest (different access to pages and settings)
  • GitHub—Repository roles: Admin, Write, Read (controls who can push, merge, view)
  • Figma—Owner, Editor, Viewer (determines who can edit files vs. just comment)
  • Slack—Workspace Owner, Admin, Member, Guest (controls channel creation, app installs, invites)

Category

Cybersecurity

Tags

rbac, permissions, roles, access-control, authorization, security