# Implement role-based access control (RBAC)

# What is RBAC

Role-based access control (RBAC) grants permissions to users through the roles (Role) they hold rather than to each user directly. This gives fine-grained access control and, compared with assigning permissions to individual users one by one, a simpler and more controllable way to manage authorization.

When applying RBAC, you analyze the actual users of the system and group them into roles according to shared responsibilities and needs. Each user is then assigned one or more roles, and each role holds one or more permissions. Because of this user-role and role-permission structure, you no longer manage permissions for individual users: a user inherits the permissions of the roles they hold, which makes granting access much simpler.

Take a scenario in which every employee of a company is allowed to log in to the company mailbox. With RBAC, all employees are given the role `employee`, and the `employee` role carries the `email:login` permission, so every employee can log in to the mailbox. If an employee resigns, you only need to remove them from the `employee` role; there is no need to revoke permissions individually. In essence, a role (Role) is a set of permissions (Permission). Adding, removing, and adjusting permissions through roles is easier than assigning permissions to each user separately, and roles become especially useful as the user base keeps growing.

When planning an access control strategy, the best practice is to give users only the minimum permissions they need to do their work (the principle of least privilege).
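The following is an added example, not code from this page or its product, that implements the user-role-permission model described above in plain Python. It walks through the mailbox scenario (an `employee` role holding `email:login`, off-boarding by removing the role), adds a `guest` default role for users with no explicit assignment, and includes a small audit query that answers "who can do X and through which role". The user names, the `mail-admin` role, and the `docs:read` / `email:manage` permissions are constructed for the example and do not come from the original text.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set


class RBAC:
    """Minimal RBAC model: users hold roles, roles hold permissions.

    Users never receive permissions directly; everything a user can do is
    inherited from their roles, so removing a role is the only
    off-boarding step needed.
    """

    def __init__(self, default_role: Optional[str] = None) -> None:
        self._role_perms: Dict[str, Set[str]] = {}
        self._user_roles: Dict[str, Set[str]] = defaultdict(set)
        # Role applied to users with no explicit assignment, e.g. "guest"
        # for unauthenticated or third-party users.
        self._default_role = default_role

    # --- role / permission management -------------------------------------
    def define_role(self, role: str, permissions: Iterable[str] = ()) -> None:
        self._role_perms.setdefault(role, set()).update(permissions)

    def grant(self, role: str, permission: str) -> None:
        """Add a permission to an existing role; every holder gets it at once."""
        self._require_role(role)
        self._role_perms[role].add(permission)

    def revoke(self, role: str, permission: str) -> None:
        self._require_role(role)
        self._role_perms[role].discard(permission)

    # --- user / role assignment -------------------------------------------
    def assign(self, user: str, role: str) -> None:
        """Give a user a role. Unknown roles are rejected so a typo cannot
        silently grant nothing (or create an unintended role)."""
        self._require_role(role)
        self._user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        self._user_roles[user].discard(role)

    # --- queries -----------------------------------------------------------
    def roles_of(self, user: str) -> Set[str]:
        roles = set(self._user_roles.get(user, ()))
        if not roles and self._default_role is not None:
            roles.add(self._default_role)
        return roles

    def permissions_of(self, user: str) -> Set[str]:
        """Effective permissions: the union over all of the user's roles."""
        perms: Set[str] = set()
        for role in self.roles_of(user):
            perms |= self._role_perms.get(role, set())
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)

    def who_grants(self, permission: str) -> Dict[str, Set[str]]:
        """Audit helper: which roles carry a permission and which users hold
        each of those roles (explicit assignments only, not the default)."""
        result: Dict[str, Set[str]] = {}
        for role, perms in self._role_perms.items():
            if permission in perms:
                result[role] = {u for u, rs in self._user_roles.items() if role in rs}
        return result

    def _require_role(self, role: str) -> None:
        if role not in self._role_perms:
            raise KeyError(f"unknown role: {role!r}")


def run_scenario() -> dict:
    """The mailbox scenario from the text, plus a default role and an audit."""
    rbac = RBAC(default_role="guest")
    rbac.define_role("guest", {"docs:read"})                       # constructed
    rbac.define_role("employee", {"email:login", "docs:read"})
    rbac.define_role("mail-admin", {"email:login", "email:manage"})  # constructed

    rbac.assign("alice", "employee")
    rbac.assign("bob", "employee")
    rbac.assign("bob", "mail-admin")

    alice_before = rbac.is_allowed("alice", "email:login")  # True, via employee
    rbac.unassign("alice", "employee")                       # alice resigns
    alice_after = rbac.is_allowed("alice", "email:login")   # False, no role left

    try:
        rbac.assign("carol", "employe")  # typo in the role name: rejected
        typo_rejected = False
    except KeyError:
        typo_rejected = True

    return {
        "alice_before": alice_before,
        "alice_after": alice_after,
        "alice_roles_now": rbac.roles_of("alice"),           # falls back to guest
        "visitor_perms": rbac.permissions_of("visitor-42"),  # never assigned anything
        "bob_perms": rbac.permissions_of("bob"),
        "email_login_audit": rbac.who_grants("email:login"),
        "typo_rejected": typo_rejected,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. `assign` refuses unknown roles, which turns a misspelled role name into an immediate error instead of a user who silently has no access (or, worse, a misconfigured one). `permissions_of` computes the union over all of a user's roles, so a user who holds several roles is allowed an action if any of them permits it; if you need deny rules or separation-of-duty constraints, those have to be added on top of this plain model.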

# Advantages of using RBAC

  • Permission assignment is systematic and repeatable
  • Auditing user permissions is easier, so problems can be located quickly
  • Roles can be added and modified quickly, including programmatically through an API
  • Fewer mistakes when granting permissions to users
  • Third-party users, new users, and users who are not logged in can be given a pre-configured role such as `guest`