Role-Based Access Control, or RBAC for short, restricts access to resources based on the user’s job title or role within an organization.

For example: you wouldn’t want John in accounting to have the same access privileges to your company’s infrastructure that Susie the engineer does.

RBAC makes it incredibly easy for a manager to designate which employees are granted permission to perform certain operations, at both a broad and a finely tuned, granular level.

The diagram below is a basic overview of RBAC:

[Figure: Flow diagram of a basic Role Based Access Control System]

RBAC Pros

  • Granular visibility
  • Simplifies network security management
  • Access to only what users need, when they need it

Why Use RBAC?

  • Reduce employee downtime due to access issues
  • More efficient provisioning
  • Implementation of Identity & Access Management policies (make sure only the right people have access to the correct systems)

2 Examples of RBAC

  • Providing access to developers or engineers vs admins or sales people
  • Choosing who has more or less access in an educational institution setting, such as students and faculty. Students would get access to student-designated Wi-Fi® and the student drives; faculty would get higher-level, staff-specific access, plus access to what students have.


Additional knowledge on Role-Based Access Control


3 Primary Rules for RBAC:

  1. Role assignment: A user can exercise a permission only if the subject has been assigned a role.
  2. Role-based authorization: A user’s active role must be authorized. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
  3. Permission authorization: A user can make use of certain permissions only if the user is authorized to that specific permission, according to their role assignment in the role-based structure hierarchy. This rule specifies that 1 & 2 have been exercised.
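The three rules above can be enforced in a few lines. This is an added example, not Foxpass code: the users, role names and permission strings are constructed, borrowing the student/faculty scenario from earlier on the page, and faculty inherits the student role's permissions.

```python
from dataclasses import dataclass, field

# Permission assignment: role -> permissions granted directly (constructed data).
ROLE_PERMS = {
    "student": {"wifi:student", "drive:student"},
    "faculty": {"wifi:staff", "drive:staff"},
}
# Role hierarchy: a senior role inherits everything its junior roles hold.
ROLE_INHERITS = {"faculty": {"student"}}
# Subject assignment: user -> roles the user is authorized to take on.
USER_ROLES = {"alice": {"student"}, "bob": {"faculty"}}


class AccessDenied(Exception):
    pass


def effective_permissions(role, _seen=None):
    """Permissions of a role plus those inherited through the hierarchy."""
    seen = _seen if _seen is not None else set()
    if role in seen:  # guard against a cycle in a misconfigured hierarchy
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, ()))
    for junior in ROLE_INHERITS.get(role, ()):
        perms |= effective_permissions(junior, seen)
    return perms


@dataclass
class Session:
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role):
        # Rule 2: a role becomes active only if the user is authorized for it.
        if role not in USER_ROLES.get(self.user, ()):
            raise AccessDenied(f"{self.user} is not authorized for role {role}")
        self.active_roles.add(role)

    def check(self, permission):
        # Rule 1: with no active role, nothing is permitted (default deny).
        if not self.active_roles:
            return False
        # Rule 3: the permission must be authorized for an active role.
        return any(permission in effective_permissions(r)
                   for r in self.active_roles)
```

A session with no activated role is denied everything, so a missing role assignment fails closed rather than open.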

RBAC Conventions

  • A person or automated agent
  • What the person does
  • An approval mode of access to a resource
  • Mapping involving S, E, and/or P
  • Subject Assignment
  • Permission Assignment
  • Role Hierarchy


Foxpass Offers RBAC Without the Hassle


Foxpass offers easy Role-Based Access Control at the click of a button using our Host Groups feature, which restricts user or group SSH access to subsets of your hosts.

Host Groups can filter hosts by hostname, AWS Connection Name, AWS VPC ID, AWS Subnet ID, or AWS Tag:

[Figure: How to filter hosts in an RBAC system]


Simplify your network security using RBAC and have your infrastructure secured in minutes, not weeks or months.