
What is Role Based Access Control?

Role Based Access Control – more commonly known as RBAC – is a widely used access control method that restricts access based on the Role(s) assigned to a user. An RBAC model is typically used as a general-purpose mechanism for defining the permissions a user must hold before access is authorized.

Hi, I’m Peter Fernandez, an Innovator, Architect, Consultant, Engineer, and Principal Developer Advocate at Auth0 by Okta, and I’m here to tell you more about the Role Based Access Control functionality provided by Auth0.

What is a Role?

In the context of RBAC, a Role describes a group that a user belongs to – such as the Role a user is assigned within the organization they work for. In other words, RBAC assigns permission(s) on the basis of the more manageable notion of a Role – which may have many users as members – rather than the frequently error-prone approach of assigning permission(s) to each user individually.

How can Roles be ascribed?

The paper entitled NIST Model for Role-Based Access Control: Towards a Unified Standard defines four levels, organized in order of increasing functional capability: Flat RBAC – where users are assigned to one or more roles and thereby acquire the permission(s) belonging to each; Hierarchical RBAC – which adds the dimension of role hierarchies, so that a senior role inherits the permissions of its junior roles; Constrained RBAC – which further adds enforcement of separation of duty; and Symmetric RBAC – which adds a requirement for periodic review of role permissions and user-role assignments.
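The four NIST levels are easiest to see in code. The following is an added example, not code from Auth0 or from the paper: a small role store with Flat assignment, Hierarchical inheritance, a Constrained (static separation-of-duty) check applied at assignment time, and a Symmetric-style permission-role review query. All role, permission and user names are constructed for illustration.

```python
# Added example: the NIST RBAC levels as a minimal in-memory policy store.
# Role, permission and user names are constructed, not Auth0's.

# Flat RBAC: each role carries a set of permissions.
ROLE_PERMS = {
    "employee": {"timesheet:submit"},
    "engineer": {"repo:write"},
    "reviewer": {"repo:approve"},
    "finance_clerk": {"invoice:create"},
    "finance_approver": {"invoice:approve"},
}
# Hierarchical RBAC: senior role -> junior roles whose permissions it inherits.
ROLE_PARENTS = {
    "engineer": {"employee"},
    "reviewer": {"engineer"},
    "finance_clerk": {"employee"},
    "finance_approver": {"employee"},
}
# Constrained RBAC: statically mutually exclusive role pairs (separation of duty).
SOD_CONFLICTS = {frozenset({"finance_clerk", "finance_approver"})}

def effective_roles(roles):
    """Expand assigned roles through the hierarchy (cycle-safe walk)."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

def permissions_for(roles):
    """All permissions a user holds, including inherited ones."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in effective_roles(roles)))

def assign_role(user_roles, user, role):
    """Reject the assignment if it would violate separation of duty (checked on
    effective roles, so inherited conflicts are caught too). Returns True on success."""
    would_have = effective_roles(user_roles.get(user, set()) | {role})
    if any(pair <= would_have for pair in SOD_CONFLICTS):
        return False
    user_roles.setdefault(user, set()).add(role)
    return True

def can(user_roles, user, perm):
    return perm in permissions_for(user_roles.get(user, set()))

def who_can(user_roles, perm):
    """Symmetric RBAC: permission-role review, i.e. which users hold a permission."""
    return {u for u, roles in user_roles.items() if perm in permissions_for(roles)}
```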

What is Role Explosion?

Role Explosion happens when the level of granularity needed for access control is too detailed; essentially, when a large number of Roles must be modelled in order to satisfy fine-grained access requirements. It’s one of the most common problems associated with RBAC, and – together with the complexities often encountered when translating enterprise organizational structures into an RBAC model – is considered one of the main drawbacks of the RBAC approach.

How can Role Explosion be managed?

Arguably, Role Explosion is best managed by ascertaining the suitability of using an RBAC model in the first instance. Of course, that’s not always possible to do, and a seemingly simple set of access control requirements can easily get more complex over time. Having the ability to easily leverage an alternative model – such as ReBAC – either wholly or in part and without needing to make massive changes to your code, can offer an effective solution to the problem.

Build it yourself?

You could build support in-house, yourself. That’s true, and I have written about doing just that and presented a related webinar on it. If your team has the resources, time, capacity, knowledge, and expertise in developing SSO; deploying Attack Protection; leveraging OIDC and/or SAML for Authentication, Social and/or Enterprise Federation; implementing Passwordless and/or MFA; and (optionally) OAuth 2.0 for API Authorization – then it’s definitely an option. But what if there was a better way?

Role Based Access Control…

Auth0 provides a pre-built, comprehensive mechanism for creating RBAC policies that can be leveraged in the applications and APIs you provide. Enabled through Auth0 Universal Login, you can easily define Roles and Permissions whilst leveraging additional user authentication features such as SSO, Social and Enterprise Federation, and MFA.

…straight out of the box

Whether you’re building for B2C, B2B, or some combination, Auth0 RBAC gives you complete control out-of-the-box. And via the Authentication API, you can build workflows for solutions that tackle the more complex use case scenarios – all whilst leveraging the full power of the platform at the same time.

Adapt with MFA

Employ Adaptive MFA to add additional authentication factor(s), using intelligent MFA that adapts dynamically to customer behaviour, all whilst satisfying your business needs.

Flat Claims and Attributes

Add Flat RBAC permissions as custom Claims to the JWT-format tokens Auth0 issues as part of its OIDC and OAuth 2.0 support, or as custom Attributes when using Auth0 SAML assertions.
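An API that consumes such a token must verify the signature and expiry before it trusts the permissions claim. The block below is an added example, not Auth0's code: it mints a constructed HS256 JWT carrying permissions in a namespaced custom claim and shows the verify-then-authorize check an API would perform. The shared secret, the claim name `https://example.com/permissions` and the HS256 algorithm are assumptions for the demo; Auth0 tokens are normally validated against the tenant's published signing key with a JWT library.

```python
# Added example: enforce a Flat RBAC permission carried in a JWT custom claim.
# Secret, claim namespace and HS256 are constructed for the demo.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"                # assumption: shared HS256 key
PERMS_CLAIM = "https://example.com/permissions"     # assumption: namespaced custom claim

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, permissions: list, exp: int) -> str:
    """Constructed issuer: build an HS256 JWT with the permissions claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": exp, PERMS_CLAIM: permissions}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None):
    """Return the claims only if algorithm, signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm: never let the token's own header pick a weaker check.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:            # malformed base64/JSON or wrong segment count
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def authorize(token: str, required: str, now=None) -> bool:
    """True only for a valid token whose permissions claim lists `required`."""
    claims = verify_token(token, now)
    return claims is not None and required in claims.get(PERMS_CLAIM, [])
```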

Extensible by Design

Customize identity flows with visual drag-and-drop Actions to build functionality that addresses your unique requirements. For example, with minimal effort you can augment RBAC with ABAC, or even with FGA.

Integrate with ease

With a variety of out-of-the-box options provided by a wide range of SDKs, you can build an initial integration with Auth0 – in any programming language and on any technology stack – in a matter of hours. Visit the Auth0 SDK website to discover how to integrate with ease.

Read more about it on the Auth0 Blog

Read the Auth0 Blog, and follow the example provided to learn more about integrating Auth0 RBAC in your Ruby API.

Stay informed

Helpful Identity &amp; Access Management articles that are timely and relevant, whatever your level of experience. Whether you prefer to learn by reading, listening, watching videos, cloning repos, copying code, or attending a workshop or conference: content is everywhere and made for developers like you. Subscribe to the newsletter today!

Begin the journey…

Sign up and create a free Auth0 Tenant to begin your journey. Prototype an integration with your existing code – or develop something new – and experience the Okta Customer Identity Cloud, powered by Auth0, in the way that best suits you.

…or try a Demo.

If you’re looking for some inspiration, why not take a look at the pre-built demos at demo.okta.com – where you can test-drive sample integrations for both the Okta Customer Identity Cloud and the Okta Workforce Identity Cloud too!