How do you create a Role-Based Access Control Matrix?
Build a grid with one row per role and one column per resource, then fill each cell with the actions that role may perform (C/R/U/D, or "-" for none) — including ownership scope like "own records only".
An Access Control Matrix is just a table that makes every "role × resource" decision explicit, so no combination is left undefined.
How to build one (general method):
- List every role in the system (down the left).
- List every resource / endpoint (across the top).
- In each cell, write the allowed actions — Create, Read, Update, Delete, or
-for no access. - Add ownership scope where it matters: "R (own)" means a role can only read its own records, not everyone's.
Worked example — a small online-banking app with three resources (/account/ for bank accounts, /news/ for public news articles, /transaction/ for money transfers) and four roles:
| Role | /account/ | /news/ | /transaction/ |
|---|---|---|---|
| User (a customer) | R (own) | R | R (own) |
| PR-Employee (publishes news) | - | CRUD | - |
| Client Advisor (manages assigned clients) | R | R | R (clients) |
| Public (not logged in) | - | R | - |
Reading the grid: a customer can read only their own account and transactions; a PR employee can fully manage news but touch no financial data; a client advisor can read the accounts/transactions of their assigned clients only; an anonymous visitor can read public news and nothing else. The "(own)" / "(clients)" notes are the crucial part — without an ownership check, "User can Read /account/" would let one customer read every customer's account.
Go deeper:
Access control matrix (Wikipedia) — the formal subject × object model this role × resource grid derives from.