Role-Based Access Control
Role-Based Access Control (RBAC) restricts system access to
authorised users based on their job roles, rather than individual
user permissions. By grouping permissions into roles (e.g. admin,
user), the project simplifies access management, enforces least
privilege, and lowers the blast radius of any one compromised
account. RBAC is the model that backs Identity and Access
Management in ORE Studio; the concrete role/permission entities and
their assignments live in ores.iam.core.
Key Components of RBAC
- Roles: collections of permissions defining job functions (e.g., "Nurse", "Manager").
- Permissions: specific rights to view, create, or modify data.
- Users: individuals assigned one or more roles.
Core Principles
- Role-Based Assignment: users are assigned roles, and permissions are attached to those roles, not the user directly.
- Least Privilege: users receive only the minimum permissions necessary for their role.
- Separation of Duties (SoD): as described in IBM's research, SoD prevents conflicts of interest by requiring multiple people to complete high-risk tasks.
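The three principles above can be sketched as one small model. This is an added example, not code from ores.iam.core; the class, role and permission names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role and permission names are illustrative.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create", "payment:view"},
    "approver": {"payment:approve", "payment:view"},
    "auditor": {"payment:view", "audit:view"},
}
# Separation of Duties: permission pairs one user must never hold together.
SOD_CONFLICTS = [("payment:create", "payment:approve")]


class SoDViolation(Exception):
    """Raised when a role assignment would combine conflicting permissions."""


@dataclass
class AccessControl:
    role_permissions: dict
    sod_conflicts: list
    user_roles: dict = field(default_factory=dict)

    def permissions_of(self, user):
        # Permissions come only from roles; there are no per-user grants.
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def assign(self, user, role):
        # Check the would-be permission set before changing any state.
        candidate = self.permissions_of(user) | self.role_permissions[role]
        for a, b in self.sod_conflicts:
            if a in candidate and b in candidate:
                raise SoDViolation(f"{user}: {role} would combine {a} and {b}")
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, permission):
        # Deny by default: unknown users and unlisted permissions get False.
        return permission in self.permissions_of(user)

    def unused_permissions(self, user, observed):
        # Least-privilege review: granted permissions never seen in use.
        return self.permissions_of(user) - set(observed)
```

Because the SoD check runs before the assignment is recorded, a rejected request leaves the user's existing roles unchanged.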
Benefits of RBAC
- Simplified Management: reduces the overhead of managing permissions for thousands of users.
- Increased Security: according to the Cloudflare write-up, it limits unauthorised access and reduces the risk of data leaks.
- Compliance: facilitates adherence to data-protection regulations.
See also
- Identity and Access Management — the security subsystem that applies this model.
- ores.iam.core — where the role/permission entities live.