WP What is Role-Based Access Control | RBAC vs ACL & ABAC | Imperva

Role-Based Access Control (RBAC)

Data SecurityEssentialsRegulation & Compliance

What is RBAC

Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access. It involves setting permissions and privileges to enable access to authorized users. Most large organizations use role-based access control to provide their employees with varying levels of access based on their roles and responsibilities. This protects sensitive data and ensures employees can only access information and perform actions they need to do their jobs.

An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks. An organization may let some individuals create or modify files while providing others with viewing permission only.

One role-based access control example is a set of permissions that allow users to read, edit, or delete articles in a writing application. There are two roles, a Writer and a Reader, and their respective permission levels are presented in this truth table. Using this table, you can assign permissions to each user.

Permission/Role Writer Reader
Edit Yes No
Delete Yes No
Read Yes Yes

In some cases, organizations will grant different levels of permission to distinct roles, or their permission levels may overlap. In the above example, one role (the reader) is a subset of another role which has more permissions (the writer).

Blog: Determining “Need to share vs. Need to know” is a Cornerstone of a Data Protection Strategy.

Types of Access Control: Complementary Control Mechanisms

Access control measures regulate who can view or use resources in a computing system, often relying on authentication or authorization based on log-in credentials. They are essential to minimizing business risks. Access control systems can be physical, limiting access to buildings, rooms, or servers, or they can be logical, controlling digital access to data, files, or networks.

Role Corporate Network Email CRM Customer DB Unix Employees info
User Yes Yes No No No No
IT System Admin Yes Yes Yes Yes Yes Yes
Developer Yes Yes No No Yes No
Sales Consultant No Yes Yes Yes No No
HR Yes Yes No No No Yes

Role-based access control can be complemented by other access control techniques. Examples of such types of access control include:

Discretionary Access Control (DAC)

The owner of a protected system or resource sets policies defining who can access it. DAC can involve physical or digital measures, and is less restrictive than other access control systems, as it offers individuals complete control over the resources they own. However, it is also less secure, because associated programs inherit security settings and allow malware to exploit them without the knowledge of the end-user. You can use RBAC to implement DAC.

Mandatory Access Control (MAC)

A central authority regulates access rights based on multiple levels of security. MAC involves assigning classifications to system resources and the security kernel or operating system. Only users or devices with the required information security clearance can access protected resources. Organizations with varying levels of data classification, like government and military institutions, typically use MAC to classify all end users. You can use role-based access control to implement MAC.

Types of Access Control: RBAC Alternatives

Other access control mechanisms could serve as alternatives to role-based access control.

Access Control List (ACL)

An access control list (ACL) is a table listing the permissions attached to computing resources. It tells the operating system which users can access an object, and which actions they can carry out. There is an entry for each user, which is linked to the security attributes of each object. ACL is commonly used for traditional DAC systems.


For most business applications, RBAC is superior to ACL in terms of security and administrative overhead. ACL is better suited for implementing security at the individual user level and for low-level data, while RBAC better serves a company-wide security system with an overseeing administrator. An ACL can, for example, grant write access to a specific file, but it cannot determine how a user might change the file.

Attribute-Based Access Control (ABAC)

ABAC evaluates a set of rules and policies to manage access rights according to specific attributes, such as environmental, system, object, or user information. It applies boolean logic to grant or deny access to users based on a complex evaluation of atomic or set-valued attributes and the relationship between them.

In practical terms, this allows you to write rules in eXtensible Access Control Markup Language (XACML), using key-value pairs like Role=Manager and Category=Financial.


While RBAC relies on pre-defined roles, ABAC is more dynamic and uses relation-based access control. You can use RBAC to determine access controls with broad strokes, while ABAC offers more granularity. For example, an RBAC system grants access to all managers, but an ABAC policy will only grant access to managers that are in the financial department. ABAC executes a more complex search, which requires more processing power and time, so you should only resort to ABAC when RBAC is insufficient.

Implementing Role-Based Access Control

Role-based access control allows organizations to improve their security posture and comply with security regulations. However, implementing role-based access control across an entire organization can be complex and may result in pushback from stakeholders. To succeed in your move to RBAC, you should treat the implementation process as a series of steps:

  • Understanding your business needs—before you move to RBAC, you should run a comprehensive needs analysis to examine job functions, supporting business processes and technologies. You should also consider any regulatory or audit requirements and assess the current security posture of your organization. You may also benefit from other types of access control.
  • Planning the scope of implementation—identify the scope of your RBAC requirements and plan the implementation to align with the organization’s needs. Narrow your scope to focus on systems or applications that store sensitive data. This will also help your organization manage the transition.
  • Defining roles—it will be easier to define your roles once you have performed the needs analysis and understand how individuals perform their tasks. Watch out for common role design pitfalls like excessive or insufficient granularity, role overlap, and granting too many exceptions for RBAC permissions.
  • Implementation—the final phase involves rolling out the RBAC. Do this in stages, to avoid an overwhelming workload and reduce disruption to the business. First, address a core group of users. Start with coarse-grained access control before increasing granularity. Collect feedback from users and monitor your environment to plan the next stages of implementation.

Blog: The 5-Question Test to Assess Your Readiness to Manage Insider Threats.

See how Imperva Data Protection can help you with role-based access control.

Role-Based Access Control with Imperva

Imperva enables precise control of user privileges using flexible role-based access controls. Users can be granted edit, view-only, or restricted access to specific objects and management functions. Organizations can also hierarchically manage and group IT assets into logical categories for fine-grained access control, even in large-scale enterprise and Managed Security Service Provider (MSSP) deployments.

Learn more about Imperva application security solutions, or see how we can help secure your data.