
Role-based access control

Role-based access control (RBAC) grants access rights not to individual people but to defined roles to which users are assigned, so that permissions are governed by a person's function within the organisation.

Role-based access control (RBAC) is an access-management approach in which permissions are tied not directly to individual user accounts but to abstract roles. A role bundles the rights required for a particular function or task, for example "accounting", "HR administration" or "system administration". Users gain access exclusively through the roles assigned to them. This decouples the granting and revocation of permissions from the individual person and instead aligns them with the organisational structure, which considerably simplifies administration in larger environments and keeps it traceable.

RBAC is a key instrument for implementing the principles of least privilege and need-to-know: each role should comprise only those rights actually necessary to perform the relevant task. Cleanly defined roles also support segregation of duties by ensuring that incompatible permissions, such as creating and approving a payment, do not fall within a single role. Across the employee lifecycle (joining, moving, leaving), permissions can be managed consistently simply by assigning or removing roles, which reduces the risk of orphaned or excessive rights.

In information security management systems, RBAC is a recognised standard mechanism for meeting access-control requirements. ISO/IEC 27001 requires, in its Annex A, access and permission management aligned with business requirements, and the German BSI IT-Grundschutz addresses it in its module on identity and permission management (ORP.4). RBAC should be safeguarded by regular recertification (access reviews), a documented role concept and technical implementation in the identity and access management system, so that roles do not "drift" over time (accumulating rights beyond what the documented concept allows) and the permission model remains auditable.

Legal Basis

ISO/IEC 27001:2022, Annex A 5.15, A 5.18, A 8.2, A 8.3; BSI IT-Grundschutz module ORP.4 (identity and permission management); Art. 21(2)(i) NIS 2 Directive (EU) 2022/2555

Practical Example

The information security officer of a mid-sized machinery manufacturer discovers during an internal audit that over the years dozens of employees have accumulated individually granted single permissions that no one can fully oversee any more. She introduces a role concept: for each department, roles with clearly defined permissions are modelled, existing single permissions are mapped onto roles and surplus rights are revoked. From then on, every new employee gains access exclusively through their role, and semi-annual recertifications confirm that each role still contains only the rights genuinely needed. When an employee changes department, the old role is removed and the new one assigned, so that no legacy rights remain.
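The role model, the segregation-of-duties rule, the joiner/mover/leaver handling and the recertification from the sections above, carried through as an added Python example. This is not the page's or preeco's code; the role names, the permission strings, the single SoD rule and the three sample users with their accumulated direct grants are constructed for illustration only.

```python
from dataclasses import dataclass, field

# Documented role concept (constructed for this example). Each role bundles
# only the permissions its function needs (least privilege / need-to-know).
ROLE_CONCEPT = {
    "accounting":          {"invoice:read", "payment:create"},
    "accounting_approver": {"invoice:read", "payment:approve"},
    "hr_admin":            {"employee:read", "employee:write"},
    "sysadmin":            {"server:admin", "user:manage"},
}

# Segregation of duties: permission pairs no single person may combine (constructed).
SOD_RULES = [("payment:create", "payment:approve")]


@dataclass
class Rbac:
    roles: dict = field(default_factory=lambda: {r: set(p) for r, p in ROLE_CONCEPT.items()})
    assignments: dict = field(default_factory=dict)    # user -> set of roles
    direct_grants: dict = field(default_factory=dict)  # user -> legacy single permissions

    def permissions_of(self, user):
        """Effective permissions come only from roles; direct grants are never consulted."""
        perms = set()
        for role in self.assignments.get(user, set()):
            perms |= self.roles.get(role, set())
        return perms

    def check(self, user, permission):
        return permission in self.permissions_of(user)

    def sod_violations(self, user):
        perms = self.permissions_of(user)
        return [(a, b) for a, b in SOD_RULES if a in perms and b in perms]

    def assign(self, user, role):
        """Assign a role, refusing it if the user's combined roles would break SoD."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        roles = self.assignments.setdefault(user, set())
        roles.add(role)
        if self.sod_violations(user):
            roles.discard(role)
            raise ValueError(f"assigning {role!r} to {user!r} violates segregation of duties")

    def move(self, user, old_role, new_role):
        """Mover: the old role is removed before the new one is assigned, so no legacy rights remain."""
        self.assignments.get(user, set()).discard(old_role)
        self.assign(user, new_role)

    def leave(self, user):
        """Leaver: drop every role and any leftover direct grant."""
        self.assignments.pop(user, None)
        self.direct_grants.pop(user, None)

    def migrate_direct_grants(self):
        """Map legacy single permissions onto roles and revoke whatever no role covers.
        A role is chosen only if the user already held all of its permissions, so the
        migration never widens anyone's access. Returns the revoked surplus per user."""
        report = {}
        for user, granted in sorted(self.direct_grants.items()):
            for role, perms in sorted(self.roles.items()):
                if perms <= granted:
                    try:
                        self.assign(user, role)
                    except ValueError:
                        pass  # would break SoD: those rights end up in the surplus
            report[user] = sorted(granted - self.permissions_of(user))
        self.direct_grants = {}  # single permissions revoked; roles are now the only path
        return report

    def recertify(self):
        """Access review: report role drift, undocumented roles, direct grants and SoD hits."""
        findings = []
        for role, perms in sorted(self.roles.items()):
            documented = ROLE_CONCEPT.get(role)
            if documented is None:
                findings.append(f"role {role!r} is not in the documented role concept")
            elif perms - documented:
                findings.append(f"role {role!r} drifted: surplus {sorted(perms - documented)}")
        for user, perms in sorted(self.direct_grants.items()):
            if perms:
                findings.append(f"user {user!r} holds direct grants {sorted(perms)} outside any role")
        for user in sorted(self.assignments):
            for a, b in self.sod_violations(user):
                findings.append(f"user {user!r} combines {a!r} and {b!r}")
        return findings


def demo():
    """Constructed scenario: three users with accumulated single permissions."""
    rbac = Rbac(direct_grants={
        "alice": {"invoice:read", "payment:create", "server:admin"},
        "bob":   {"invoice:read", "payment:create", "payment:approve"},
        "carol": {"employee:read", "employee:write"},
    })
    surplus = rbac.migrate_direct_grants()
    rbac.move("carol", "hr_admin", "sysadmin")   # department change
    rbac.roles["hr_admin"].add("server:admin")  # simulate drift between two reviews
    return rbac, surplus


if __name__ == "__main__":
    rbac, surplus = demo()
    print("revoked surplus:", surplus)
    for finding in rbac.recertify():
        print("finding:", finding)
```

Two design choices matter for the audit story. `check()` looks only at roles, so a permission that survives as a direct grant no longer grants anything, which is what makes the role concept the single source of truth. And `migrate_direct_grants()` only picks roles whose full permission set the user already held; a user who held both sides of the SoD rule keeps one role, and the other side is reported as revoked surplus rather than silently retained, so the migration can only narrow access, never widen it.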

FAQ

How does RBAC differ from granting permissions directly to users?

With direct granting, each user receives individual permissions, which quickly becomes unmanageable and error-prone in larger organisations. RBAC bundles rights into roles that match organisational functions; users are simply assigned roles. This greatly simplifies granting, revocation and traceability.

How does RBAC help implement least privilege?

RBAC is a practical means of implementing least privilege: each role is scoped to contain only the rights necessary for the relevant task. For this to work, roles must be defined sparingly and recertified regularly to prevent gradual privilege creep.

Does ISO/IEC 27001 require RBAC?

ISO/IEC 27001 does not prescribe a specific technology but requires access control aligned with business requirements (Annex A 5.15, A 5.18). RBAC is a recognised and widely used mechanism that generally meets these requirements well and in an auditable way.
