Role-based access control (RBAC)
Also called role-based access, RBAC is an access control mechanism defined around roles and privileges. It works by assigning roles to users and granting permissions to roles, so that a user is authorized through the roles they hold; the model is expressed with constructs such as role-permission, user-role, and role-role relationships.
RBAC differs from access control lists (ACLs), used in traditional discretionary access-control systems, in that it assigns permissions to specific operations with meaning in the organization rather than to low-level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not dictate how that file could be changed. In an RBAC-based system, an operation might be a 'create a credit account' transaction in a financial application or a 'populate a blood sugar level test' record in a medical application. Assigning permission to perform a particular operation is meaningful because the operations are granular and carry meaning within the application. RBAC has been shown to be particularly well suited to separation of duties (SoD) requirements, which ensure that two or more people must be involved in authorizing critical operations.
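The following is an added example (not part of the original article) showing the three relationship types named above in working code: role-permission assignments, user-role assignments, and a role-role hierarchy, plus a static separation-of-duties constraint that refuses to give one user both of two conflicting roles. The financial-application roles, permissions and user names are constructed for illustration; the SoD check deliberately examines the user's effective roles (including inherited ones), since a conflict hidden behind a parent role is the case a naive check on directly assigned roles would miss.

```python
"""Minimal RBAC model: users -> roles -> permissions, with a role hierarchy
and a static separation-of-duties (SoD) constraint.

Added example, not from the original article. All role, permission and
user names below are constructed for illustration.
"""
from collections import defaultdict


class SoDViolation(Exception):
    """Raised when a user would end up holding two mutually exclusive roles."""


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)    # role -> operations it may perform
        self.user_roles = defaultdict(set)    # user -> directly assigned roles
        self.role_parents = defaultdict(set)  # role -> roles it inherits from (role-role)
        self.sod_pairs = set()                # frozenset pairs of mutually exclusive roles

    def add_permission(self, role, perm):
        """Role-permission relationship: grant an operation to a role."""
        self.role_perms[role].add(perm)

    def add_inheritance(self, child, parent):
        """Role-role relationship: child inherits every permission of parent."""
        self.role_parents[child].add(parent)

    def add_sod_constraint(self, role_a, role_b):
        """Static SoD: no single user may hold both roles at once."""
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def _closure(self, roles):
        """All roles reachable from `roles` through the inheritance graph."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_parents[r])
        return seen

    def assign_role(self, user, role):
        """User-role relationship, guarded by the SoD constraints.

        The check runs on the *effective* role set after the assignment, so a
        conflict introduced via an inherited role is caught as well.
        """
        candidate = self._closure(self.user_roles[user] | {role})
        for pair in self.sod_pairs:
            if pair <= candidate:
                a, b = sorted(pair)
                raise SoDViolation(f"{user}: holding both {a} and {b} violates SoD")
        self.user_roles[user].add(role)

    def effective_roles(self, user):
        return self._closure(self.user_roles[user])

    def permissions(self, user):
        """Union of the permissions of every effective role."""
        return set().union(*(self.role_perms[r] for r in self.effective_roles(user)))

    def check(self, user, perm):
        """Authorization decision: may `user` perform operation `perm`?"""
        return perm in self.permissions(user)


def build_demo():
    """Constructed financial-application policy (sample data, not a real system)."""
    rbac = RBAC()
    rbac.add_permission("teller", "create_credit_account")
    rbac.add_permission("approver", "approve_credit_account")
    rbac.add_permission("auditor", "read_ledger")
    rbac.add_permission("branch_manager", "close_branch_day")
    # A branch manager can do everything an approver can.
    rbac.add_inheritance("branch_manager", "approver")
    # SoD: whoever creates a credit account must not also be able to approve one.
    rbac.add_sod_constraint("teller", "approver")
    rbac.assign_role("alice", "teller")
    rbac.assign_role("bob", "branch_manager")
    rbac.assign_role("carol", "auditor")
    return rbac


if __name__ == "__main__":
    policy = build_demo()
    for user, op in [("alice", "create_credit_account"),
                     ("alice", "approve_credit_account"),
                     ("bob", "approve_credit_account")]:
        print(f"{user} -> {op}: {'allow' if policy.check(user, op) else 'deny'}")
    try:
        policy.assign_role("bob", "teller")  # bob inherits approver, so this must fail
    except SoDViolation as e:
        print("rejected:", e)
```

Note that `check` decides on operations with application meaning ("approve_credit_account"), not on files or rows, which is exactly the distinction from an ACL drawn in the text; the SoD constraint is enforced at assignment time, so the policy can never reach a state where one person can both create and approve an account.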