A quick guide to Role-Based Access Control (RBAC) | Application security

Zac Banas
3 min read · Aug 17, 2019


Hi, I run a tiny company called Valley Web. If you ever need WordPress, Python or general PHP work done (or maybe you just need someone to talk to), shoot me a message at valleyweb.co

Role-Based Access Control, henceforth RBAC, is a way of delegating and restricting access to certain actions in an application. In layman’s terms, it says that a user with the role “editor” can only perform the actions granted to that role; most likely that means editing content and making changes to that user’s own profile.

I often think of it as a pyramid, with the narrowest set of permissions and capabilities at the top and the broadest at the bottom. To get a better, more tangible look at what a role-based permissions system might look like, we can look to WordPress.

An example of the prepackaged roles that come with every WordPress blog.

A WordPress blog comes with 5 predefined roles that each have different permissions.

  • At the top of the pyramid is the Subscriber role, which can only edit its own profile, that’s it. In the scope of a WordPress blog this is a good role for frequent commenters on the blog.
  • Next comes the Contributor, which you can think of as the lowest-level writer at a newspaper: they can write, edit, and delete their own posts but cannot publish them. As we move down the pyramid, the roles snowball, so every permission the prior role had, the next one has as well.
  • Thirdly, an Author is a Contributor that can publish without the approval of an editor.
  • Fourthly, the Editor role is really where you have total control over the content on the site. The Editor can create, edit, delete and publish posts. You are the editor at the newspaper (see below):
  • Last, at the base of the pyramid is the Administrator. This role has complete control over the dashboard of a WordPress site; in a lot of instances it can even edit the code of the site.
  • Not present in WordPress but found in many systems is a “superuser” or “system administrator”. Most of the time this will be a developer: they have control over the entire system and can make alterations to the database, the code and obviously the dashboard.

In summary, RBAC allows a system administrator to delegate specific access and controls to specific users. They accomplish this by giving users roles; with those roles come permissions that allow or disallow a user to make changes to the system.
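To make the pyramid concrete, here is a small added example (not code from the post or from WordPress itself) that models the role hierarchy described above in Python. Each role names its parent and the permissions it adds, so permissions "snowball" down the pyramid exactly as the list describes. The capability names, the `superuser` role, and the `Post`/`User` classes are assumptions made for illustration and are not WordPress's real capability slugs. The check is deny-by-default, and `can_edit_post` shows the one subtlety a role list alone does not capture: a Contributor may edit only their *own* posts, while an Editor may edit anyone's.

```python
"""Hierarchical RBAC check modelled on the WordPress role pyramid (added example)."""
from dataclasses import dataclass, field

# role -> (parent role, permissions added at this level)
# Constructed example: capability names are illustrative, not WordPress slugs.
ROLE_DEFINITIONS = {
    "subscriber":    (None,            {"edit_own_profile"}),
    "contributor":   ("subscriber",    {"create_post", "edit_own_post", "delete_own_post"}),
    "author":        ("contributor",   {"publish_own_post"}),
    "editor":        ("author",        {"edit_any_post", "delete_any_post", "publish_any_post"}),
    "administrator": ("editor",        {"manage_site", "edit_theme_code"}),
    "superuser":     ("administrator", {"access_database", "deploy_code"}),  # assumed, not a WordPress role
}


def effective_permissions(role):
    """Walk up the pyramid, collecting the permissions of every ancestor role.

    Raises ValueError for an unknown role or a cycle in the hierarchy, so a
    misconfigured role can never silently resolve to 'no permissions' or loop.
    """
    perms, seen = set(), set()
    while role is not None:
        if role not in ROLE_DEFINITIONS:
            raise ValueError(f"unknown role: {role!r}")
        if role in seen:
            raise ValueError(f"cycle in role hierarchy at {role!r}")
        seen.add(role)
        parent, added = ROLE_DEFINITIONS[role]
        perms |= added
        role = parent
    return frozenset(perms)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Post:
    author: str          # the User.name of whoever wrote it
    published: bool = False


def is_allowed(user, permission):
    """Deny by default; allow only if at least one of the user's roles grants it."""
    return any(permission in effective_permissions(r) for r in user.roles)


def can_edit_post(user, post):
    """Editors and above may edit any post; lower roles only their own."""
    if is_allowed(user, "edit_any_post"):
        return True
    return post.author == user.name and is_allowed(user, "edit_own_post")


def authorize(user, permission):
    """Raise instead of returning False, for use at the top of a request handler."""
    if not is_allowed(user, permission):
        raise PermissionError(f"{user.name} lacks permission {permission!r}")


if __name__ == "__main__":
    alice = User("alice", {"contributor"})
    ed = User("ed", {"editor"})
    draft = Post(author="alice")
    print("alice can edit own draft:", can_edit_post(alice, draft))       # True
    print("alice can publish:", is_allowed(alice, "publish_own_post"))    # False
    print("ed can edit alice's draft:", can_edit_post(ed, draft))         # True
    print("administrator inherits:", sorted(effective_permissions("administrator")))
```

Because every role resolves to a flat set of permissions, handlers check permissions rather than role names; that way adding a sixth role to the pyramid never requires touching the places where checks are made.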

Thanks for reading. If you think it would be helpful for me to document the creation of my own RBAC, then let me know in the comments or at zacbanas27@gmail.com
