Security

What is role-based access control?

Role-based access control, or RBAC, is a way of deciding who can do what by attaching permissions to roles rather than to individual people. You define a role once, give it exactly the permissions that job needs, and then assign the role to whoever holds that job. It is the standard answer to keeping access sane and auditable as an organization grows.

Picture a company with two hundred people and forty tools. Someone in finance needs to see budgets but not the source code. A support agent needs to read customer records but not change payroll. An engineer needs to deploy but should never touch a signed contract. Now imagine granting each of those permissions by hand, person by person, tool by tool, and updating them every time someone changes teams. That is the mess RBAC was invented to end.

Role-based access control replaces the endless list of individual grants with a small set of well-defined roles. Instead of asking "what can this specific person do," you ask "what job does this person have," and the answer to that carries all the permissions with it. This post explains how RBAC works, why it makes access auditable in a way per-user grants never can, how it makes the principle of least privilege practical at scale, where a more flexible model called ABAC comes in, and how the same underlying principle shows up in how I built the assistant in wrxstack.

The three moving parts

RBAC has only three pieces, and once you see them the whole model becomes obvious. There are permissions, which are the specific things a person can do, such as view an invoice, edit a document, or delete a record. There are roles, which are named bundles of permissions that map to a real job, such as billing administrator or support agent. And there are the assignments, which connect a person to one or more roles.

The key move is that permissions never attach directly to a person. They attach to a role, and the person gets the role. A support agent does not carry a personal list of forty individual grants. They carry the support agent role, and that role holds the grants. When a new agent joins, you assign the role and they instantly have exactly the right access. When they leave the team, you remove the role and every one of those permissions goes with it, cleanly, in one action.

This indirection is the entire value. By putting a role between the person and the permission, you turn a chaotic web of individual grants into a small, stable set of definitions that you can actually reason about.

RBAC versus per-user permissions

The alternative to RBAC is granting permissions to each person one at a time, and it is worth seeing exactly why that falls apart, because most systems start there before they grow out of it.

QuestionPer-user permissionsRole-based access control
Onboarding a new hireGrant every permission by hand, one at a timeAssign one role that carries the right set
Someone changes teamsHunt down and edit scattered grantsSwap one role for another
Answering "who can do this?"Search every user's grants individuallyRead the role that holds the permission
Consistency across peopleDrifts as grants are copied and forgottenEveryone in a role has the identical set
Audit and reviewSlow, error-prone, easy to miss stale accessReview a handful of roles, not hundreds of users

The pattern is clear. Per-user permissions are fine for a handful of people and become unmanageable the moment you have real headcount and turnover. The grants drift, stale access piles up, and nobody can answer a simple question like "who can approve a refund" without a painful manual search. RBAC replaces all of that with a small number of definitions you can read at a glance.

Why RBAC makes access auditable

Auditability is the quiet superpower of RBAC, and it matters far more than convenience. An auditor, or you on a Friday afternoon, needs to answer two kinds of questions. What can this person do, and who can do this particular thing. Under per-user permissions both questions require crawling through every individual grant. Under RBAC both become easy.

To learn what a person can do, you read their roles. To learn who can perform a sensitive action, you find the roles that include that permission and list their members. Because permissions live in a small set of named roles rather than smeared across hundreds of accounts, the whole access picture is something a human can actually hold in their head and review on a schedule. Regular access reviews, where you confirm each role still has the right permissions and each person still belongs in their roles, become a short, honest exercise instead of an impossible one.

This is also what makes an audit log meaningful. When an action is recorded, knowing it was performed under the billing administrator role tells you something. It ties the event to a defined level of authority rather than to a tangle of individual grants nobody can interpret later.

How RBAC makes least privilege practical

The principle of least privilege says every person should have the minimum access needed to do their job and no more. It is easy to state and famously hard to live by, and I have written about how hard in least privilege in practice. The reason it is hard is usually mechanical. Granting exactly the right access to each person by hand is so tedious that people over-grant just to stop the requests, and access only ever accumulates.

RBAC is what turns least privilege from a slogan into something you can operate. You define each role to carry only the permissions its job genuinely needs, and then least privilege happens automatically every time you assign that role. You are not making a hundred careful decisions per person. You are making a careful decision once, per role, and reusing it. When a role has drifted too broad, you fix it in one place and everyone in it is corrected at once.

There is a deeper point here that I keep returning to, which is that access design and product design are the same problem. Deciding who can move a task, close a deal, or publish a document is a permissions question first and a feature question second. I made that argument in full in task management is really a permissions problem, and RBAC is one of the cleanest tools for answering it.

A brief word on ABAC

RBAC is not the only model, and it has a limit worth naming. Roles are coarse. They grant the same thing to everyone who holds them, which is exactly what you want most of the time and occasionally too blunt. Sometimes access should depend on context: the time of day, the location, the sensitivity of the specific record, or whether the person is in the same region as the customer.

Attribute-based access control, or ABAC, handles those cases by deciding access from a set of attributes about the user, the resource, and the situation, evaluated by rules at the moment of the request. It is more flexible than RBAC and also more complex to reason about, because the answer to "who can do this" now depends on conditions rather than a fixed list. In practice many systems use both, with roles carrying the bulk of the decisions and a few attribute-based rules layered on top for the cases that genuinely need context. For most organizations, well-designed roles cover the great majority of what they need, and reaching for ABAC everywhere adds complexity faster than it adds safety.

How the principle shows up in wrxstack

I want to be precise here, because precision is the brand. wrxstack does not ship a named RBAC product, and I am not going to dress up what it has as something it is not. What it does have is the principle that sits underneath RBAC, applied to the part of the product where it matters most: the assistant.

The assistant in Atlas can act on your work. It can reassign a task, draft and file a document, move a deal, or schedule a review. The rule that governs all of it is simple and strict. The assistant acts under the acting person's own permissions, never above them. It cannot see or change anything the person driving it could not see or change on their own. Anything consequential goes through an approval step, and actions are recorded in an audit log so you can see what was done and on whose authority. That is the least privilege idea, the same idea RBAC exists to serve, expressed as a hard boundary on what an AI is allowed to do on your behalf.

For access itself, wrxstack connects to the identity provider your organization already runs through standard single sign-on, so the identity your provider vouches for is the identity the product honors. What it does not do is replace your directory, offer its own directory synchronization, or sell you a role engine it does not have. Where the line is, I state plainly on the security page rather than implying more. The honest summary is that wrxstack is an AI work platform that respects the permissions you already have, not an access-control vendor.

Getting RBAC right

If you are designing roles, a few habits separate a clean system from one that rots. Keep the number of roles small enough to reason about, because a hundred near-identical roles is just per-user permissions wearing a costume. Name roles after jobs, not after individuals, so they stay stable as people come and go. Grant each role the least it needs and widen only when a real task demands it. And review roles on a schedule, because the world changes and access that was right last year is often too broad this year. Done that way, RBAC gives you the rare thing in security: a model that is both safer and easier than the alternative.

What does RBAC stand for?

Role-based access control. It is a model where permissions are attached to roles, and people are granted access by being assigned roles rather than by receiving individual permissions one at a time.

What is the difference between RBAC and ABAC?

RBAC grants access based on a person's roles, which are fixed bundles of permissions. ABAC, attribute-based access control, decides access from attributes and context at the moment of the request, such as time, location, or the sensitivity of a record. RBAC is simpler, ABAC is more flexible, and many systems combine the two.

Why is RBAC better than granting permissions per user?

Per-user grants drift, pile up, and make it nearly impossible to answer who can do what. RBAC keeps permissions in a small set of named roles, so onboarding, team changes, audits, and least privilege all become a matter of reading and assigning roles instead of hunting through hundreds of accounts.

Does wrxstack have RBAC?

wrxstack does not ship a named RBAC feature. It applies the principle underneath RBAC: its assistant acts only under the acting person's own permissions, with approvals for consequential actions and an audit log. It also connects to your existing identity provider through single sign-on rather than replacing your directory.

How many roles should an organization have?

Few enough to reason about. Roles should map to real jobs and stay stable as people change. If you find yourself creating a role per person, you have drifted back to per-user permissions and lost the benefit. Start with broad job-based roles and split them only when a genuine need appears.

F

Farhan

Farhan is the solo builder of wrxstack. He designs, writes, and ships Atlas and Portfolio on his own, and writes here about product, engineering, careers, and the craft of building software as one person.