An Introduction to Role-Based Access Control (RBAC) and Its Models
This article introduces the role‑based access control (RBAC) model, outlines its historical development, explains its core principles and its variants (RBAC0‑RBAC3), and discusses how RBAC simplifies permission management in enterprise software systems.
1. RBAC Overview
RBAC (Role‑Based Access Control) is a widely used permission model that assigns permissions to roles rather than directly to users, simplifying the management of user access.
The model classifies users by roles, linking users to roles, roles to permissions, and permissions to resources, making authorization easier to maintain.
2. Origin of RBAC
Although the concepts of roles and permissions appeared in the 1970s, a formal model was lacking until 1992, when Ferraiolo and Kuhn proposed a role‑based access control model as an alternative to the traditional mandatory (MAC) and discretionary (DAC) access control schemes.
In 1995, Ferraiolo, Cugini, and Kuhn extended the model, emphasizing that all access occurs through roles, which are essentially collections of permissions.
By 1996, Sandhu, Coyne, Feinstein, and Youman formalized RBAC and introduced four variants (RBAC0‑RBAC3) that refine the model.
Today, most IT vendors incorporate RBAC into their products, and it is also applied in sectors such as healthcare and defense.
3. Three Core Principles of RBAC
Least Privilege: Assign to each role only the minimal set of permissions needed to perform its tasks.
Separation of Duties: Use mutually exclusive roles so that a sensitive task is split across different people's responsibilities rather than completed by one person alone.
Data Abstraction: The level of data abstraction supported depends on the specific RBAC implementation.
4. RBAC Model Variants
Understanding the different RBAC models begins with their classification.
4.1 RBAC0
RBAC0 is the simplest core model, defining users, roles, and permissions; other variants build upon it.
In RBAC0, a user may have multiple roles, a role may have multiple permissions, and a user's effective permissions are the union of permissions of all assigned roles.
4.2 RBAC1
RBAC1 adds role hierarchy, allowing roles to inherit permissions from other roles.
Spring Security also supports role inheritance, as discussed in earlier articles.
4.3 RBAC2
RBAC2 extends RBAC0 by introducing static and dynamic separation of duties.
Static separation enforces constraints at configuration time (e.g., mutually exclusive roles), while dynamic separation enforces constraints at runtime (e.g., limiting the number of active roles per session).
4.4 RBAC3
RBAC3 combines the features of RBAC1 and RBAC2.
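The following is an added example, not code from the article or from Spring Security, showing the four variants above in one small engine: RBAC0 (user→roles→permissions, with a user's effective permissions as the union over roles), RBAC1 (a senior role inherits a junior role's permissions transitively), RBAC2 (static separation of duties checked when a role is assigned, dynamic separation of duties and a cap on active roles checked when a session is opened), and therefore RBAC3 when both are combined. The purchasing roles, permissions and SoD pairs are constructed sample data; the point to notice is that the static check looks through the hierarchy, so a user who holds "requester" cannot also be given "manager" because manager inherits "approver".

```python
"""Toy RBAC0-RBAC3 engine. Constructed example; not any library's API."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


class RbacViolation(Exception):
    """Raised when an assignment or activation would break an SoD constraint."""


@dataclass(frozen=True)
class Session:
    """RBAC2 dynamic view: the roles a user chose to activate and what they allow."""
    user: str
    active_roles: FrozenSet[str]
    permissions: FrozenSet[str]

    def can(self, perm: str) -> bool:
        return perm in self.permissions


@dataclass
class Rbac:
    # RBAC0: users -> roles, roles -> permissions (a permission is "action:resource")
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)
    # RBAC1: senior role -> junior roles whose permissions it inherits
    juniors: Dict[str, Set[str]] = field(default_factory=dict)
    # RBAC2: static SoD pairs (never both assigned to one user), dynamic SoD
    # pairs (never both active in one session) and a per-session role cap
    ssd_pairs: Set[Tuple[str, str]] = field(default_factory=set)
    dsd_pairs: Set[Tuple[str, str]] = field(default_factory=set)
    max_active_roles: int = 2

    def grant(self, role: str, *perms: str) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def inherit(self, senior: str, junior: str) -> None:
        """RBAC1: `senior` gains everything `junior` has, transitively."""
        self.juniors.setdefault(senior, set()).add(junior)

    def closure(self, roles: Iterable[str]) -> Set[str]:
        """The given roles plus every role reachable downward through the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def role_permissions(self, role: str) -> Set[str]:
        return set().union(*(self.role_perms.get(r, set()) for r in self.closure({role})))

    def user_permissions(self, user: str) -> Set[str]:
        """RBAC0 rule: the union of the permissions of every assigned role."""
        return set().union(*(self.role_permissions(r) for r in self.user_roles.get(user, set())))

    def _conflict(self, roles: Iterable[str], pairs: Set[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
        """First SoD pair that is fully contained in the hierarchy closure of `roles`."""
        held = self.closure(roles)
        return next(((a, b) for a, b in pairs if a in held and b in held), None)

    def assign(self, user: str, role: str) -> None:
        """RBAC2 static SoD: enforced at configuration time, before the role is stored."""
        proposed = self.user_roles.get(user, set()) | {role}
        clash = self._conflict(proposed, self.ssd_pairs)
        if clash:
            raise RbacViolation(f"static SoD: {user} cannot hold both {clash[0]} and {clash[1]}")
        self.user_roles[user] = proposed

    def activate(self, user: str, roles: Set[str]) -> Session:
        """RBAC2 dynamic SoD: enforced at runtime when a session activates roles."""
        held = self.user_roles.get(user, set())
        if not roles <= held:
            raise RbacViolation(f"{user} does not hold {sorted(roles - held)}")
        if len(roles) > self.max_active_roles:
            raise RbacViolation(f"at most {self.max_active_roles} roles may be active per session")
        clash = self._conflict(roles, self.dsd_pairs)
        if clash:
            raise RbacViolation(f"dynamic SoD: {clash[0]} and {clash[1]} cannot be active together")
        perms = set().union(*(self.role_permissions(r) for r in roles))
        return Session(user, frozenset(roles), frozenset(perms))


def check_violation(fn, *args) -> bool:
    """True if fn(*args) raises RbacViolation; lets callers probe the policy."""
    try:
        fn(*args)
    except RbacViolation:
        return True
    return False


def build_demo() -> Rbac:
    """Constructed policy for a small purchasing system (sample data, hypothetical roles)."""
    rbac = Rbac()
    rbac.grant("employee", "read:catalog")
    rbac.grant("requester", "create:order")
    rbac.grant("approver", "approve:order")
    rbac.grant("auditor", "read:ledger")
    rbac.grant("manager", "read:reports")
    rbac.inherit("requester", "employee")        # RBAC1: requester >= employee
    rbac.inherit("approver", "employee")
    rbac.inherit("manager", "approver")          # manager >= approver >= employee
    rbac.ssd_pairs.add(("requester", "approver"))  # nobody both raises and approves orders
    rbac.dsd_pairs.add(("manager", "auditor"))     # may hold both, never in the same session
    return rbac
```

Because `assign` checks the hierarchy closure, giving "manager" to a user who already holds "requester" is rejected even though "approver" was never assigned directly; a static check that only compared directly assigned role names would miss this. The dynamic check runs on the activated set only, which is what lets one person hold "manager" and "auditor" while never exercising both in one session.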
5. Extensions
Many permission models used in practice are extensions of RBAC, such as adding user groups that inherit both individual and group roles.
6. Summary
Understanding the RBAC model and its variants (RBAC0‑RBAC3) provides a solid foundation for implementing robust access control, especially when combined with Spring Security to build real‑world authorization solutions.
Full-Stack Internet Architecture
Introducing full-stack Internet architecture technologies centered on Java