LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

How does Role-Based Access Control (RBAC) work, and why is it better than direct user-to-rights assignment?

Users get assigned roles; roles get assigned rights. The role is an intermediate layer that decouples user identity from permissions.

The model:

Subject (user)  →  Role  →  Rights  →  Objects
   Fred         Administrator    Admin    Directory
   Tom          Engineer         View, Control    Status, Switching
   Mary         Operator         Control, Reporting, Read    All

Two assignments are maintained separately:

  • Subject-to-Role (dynamic — who has which job today)
  • Role-to-Right (more static — what an "Operator" is allowed to do)

Why this beats direct user-to-right assignment:

  • Joiners/leavers are easy: assign Mary the Operator role, all her permissions follow. Revoke the role when she leaves; all access dies at once.
  • Audits are easier: you review the small set of role definitions, not every user's individual permissions.
  • Consistency: five Operators all have identical rights — no drift over time.
  • Without RBAC: every time a user joins, you have to manually click in each system to add the right permissions, and the data drifts immediately.

Static vs dynamic roles:

  • Static: fixed by job — Administrator vs regular user.
  • Dynamic: acquired by context — strongly authenticated users get more functions than weakly authenticated; a user in the building sees different things than one over VPN.

Tip: Active Directory groups, AWS IAM roles, Kubernetes RBAC, GitHub team permissions — all are RBAC at heart.

From Quiz: ISF / Access Control | Updated: Jun 25, 2026