
RBAC (Role-Based Access Control)

Frameworks: SOC 2, ISO 27001, HIPAA

Access control model granting permissions to roles, and assigning users to roles.

Role-Based Access Control (sibling to the ABAC model of NIST SP 800-162) grants permissions to roles rather than to individual users, and assigns users to roles based on job function. ABAC (Attribute-Based Access Control) adds dynamic policies evaluated over user, resource and environment attributes.

Why it matters
Without RBAC, you cannot evidence ‘access commensurate with job function’ — a core control in every framework. Ad-hoc per-user permissions also fail access reviews at scale.

Related terms

Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
SSO (Single Sign-On)
Federated authentication via SAML 2.0 or OIDC against a central identity provider (Okta, Entra ID, Google).
User Access Review
Periodic review by data owners confirming each user's access remains appropriate; typically quarterly.
