Role-based Access Control


Permission to perform an operation on an object is given to a role that is assigned to a subject.

The user of a website (subject) can only perform a selection of the actions (operations) possible in the website. Rather than giving the subject direct permission to an operation, which would involve a lot of work and careful thought, roles are defined that give access to a range of permissions. The user is then simply assigned a role (or a few roles).

Assigning roles to users, and assigning permissions to roles, are themselves permissions.

[Figure: Role-based Access Control architecture diagram]


  • Role: content editor, permissions: read, edit, delete, and publish articles
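
The model described above can be sketched in a few lines. This is an added example, not code from the original page: it implements the content editor role from the bullet above with deny-by-default checks, and guards role assignment and permission granting with permissions of their own. The `RBAC` class, the `admin` role, the `grant_permission` and `assign_role` operation names, and the users `root`, `alice` and `bob` are all assumptions made for illustration.

```python
class AccessDenied(Exception):
    """Raised when a subject lacks the permission for an operation."""


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object type)
        self.user_roles = {}   # subject -> set of roles

    def allowed(self, subject, operation, obj):
        # Deny by default: access exists only through an assigned role.
        return any((operation, obj) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(subject, set()))

    def require(self, subject, operation, obj):
        if not self.allowed(subject, operation, obj):
            raise AccessDenied(f"{subject} may not {operation} {obj}")

    # Administrative operations are guarded by permissions as well.
    def grant(self, actor, role, operation, obj):
        self.require(actor, "grant_permission", "role")
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def assign(self, actor, subject, role):
        self.require(actor, "assign_role", "user")
        self.user_roles.setdefault(subject, set()).add(role)


def build_demo():
    """Constructed sample policy: the content editor role plus an assumed admin role."""
    rbac = RBAC()
    # Bootstrap: seed one administrator directly, outside the guarded API.
    rbac.role_perms["admin"] = {("grant_permission", "role"), ("assign_role", "user")}
    rbac.user_roles["root"] = {"admin"}
    for op in ("read", "edit", "delete", "publish"):
        rbac.grant("root", "content editor", op, "article")
    rbac.assign("root", "alice", "content editor")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print(rbac.allowed("alice", "publish", "article"))   # True
    print(rbac.allowed("alice", "assign_role", "user"))  # False
    try:
        rbac.assign("alice", "bob", "content editor")    # alice is not an admin
    except AccessDenied as exc:
        print("denied:", exc)
```

The direct seeding of `root` in `build_demo` is the one place where the guarded API is bypassed; in a real deployment that bootstrap step is the part to restrict and audit most closely.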

When should you use it?

  • If the application needs some form of non-trivial access restriction.