System Design (HLD)Authorization Patterns

Authorization Patterns

LevelIntermediate

Duration75 mins

TopicAuthorization Patterns

2 / 5

Role-Based Access Control (RBAC)

The Universal Authorization Pattern

Open your operating system's user management. You'll find groups like "Administrators," "Users," and "Guests"—each with different capabilities. Log into your company's SaaS tools. You'll see roles like "Owner," "Admin," "Editor," and "Viewer." Examine any enterprise software. You'll encounter elaborately named roles like "Regional Sales Manager" or "Finance Approver Level 2."

This ubiquitous pattern is Role-Based Access Control (RBAC)—the most widely deployed authorization model in computing history. From Unix file permissions in the 1970s to modern cloud platforms, RBAC has proven remarkably durable because it maps naturally to how humans organize access: by job function, responsibility, and trust level.

Yet for all its popularity, RBAC is frequently misunderstood, poorly implemented, and used in situations where it creates more problems than it solves. This page provides a rigorous exploration of RBAC: its theoretical foundations, practical implementation, operational challenges, and the critical limitations that drive organizations toward more sophisticated models.

What You Will Learn

By the end of this page, you will understand the formal RBAC model and its variants, know how to design effective role hierarchies, implement RBAC at scale in distributed systems, recognize the limitations and anti-patterns, and make informed decisions about when RBAC is (and isn't) the right choice.

The Formal RBAC Model

Role-Based Access Control was formalized by David Ferraiolo and Richard Kuhn at NIST in 1992, with a comprehensive standard (NIST RBAC) published in 2004. The model provides a structured way to manage permissions through an intermediate abstraction: the role.

The Core RBAC Concept:

Instead of assigning permissions directly to users, RBAC introduces roles as collections of permissions. Users are then assigned to roles. This indirection dramatically simplifies permission management:

Direct Assignment:    User → Permission (N users × M permissions = N×M assignments)
RBAC:                 User → Role → Permission (N users × R roles + R roles × M permissions)

For large organizations, this reduction is significant. Consider 10,000 users and 1,000 permissions:

Direct assignment: up to 10,000,000 potential assignments
RBAC with 50 roles: up to 500,000 + 50,000 = 550,000 potential assignments

This 18x reduction in assignment complexity translates directly to reduced administrative burden, fewer errors, and easier auditing.

NIST RBAC Reference Model:

The NIST standard defines four RBAC models of increasing sophistication:

RBAC₀ (Flat RBAC) — The base model with users, roles, permissions, and sessions. No role hierarchy. Users can activate multiple roles simultaneously.

RBAC₁ (Hierarchical RBAC) — Adds role hierarchies where senior roles inherit permissions from junior roles. Example: "Manager" inherits all permissions of "Employee."

RBAC₂ (Constrained RBAC) — Adds constraints like separation of duties. Example: No user can have both "Purchase Requester" and "Purchase Approver" roles.

RBAC₃ (Symmetric RBAC) — Combines hierarchical and constrained RBAC. The most complete model but also the most complex to implement.

NIST RBAC Model Comparison
Model	Features	Complexity	Use Case
RBAC₀ (Flat)	Users, Roles, Permissions, Sessions	Low	Simple applications, small teams
RBAC₁ (Hierarchical)	Role inheritance	Medium	Organizations with clear hierarchies
RBAC₂ (Constrained)	Separation of duties, cardinality limits	Medium-High	Regulated industries, financial systems
RBAC₃ (Symmetric)	Full model with all features	High	Enterprise systems, complex compliance

Start Simple

Most applications need only RBAC₀ or RBAC₁. Implementing the full NIST RBAC₃ model adds significant complexity that is rarely justified outside heavily regulated environments. Choose the simplest model that meets your requirements.

Core RBAC Components

Understanding RBAC requires precise definitions of its constituent elements. Each component plays a specific role in the authorization model.

RBAC Components Defined

•Users — Entities that access the system. In RBAC, users are typically humans, but can include service accounts or applications. Each user has a unique identifier and can be assigned to multiple roles.
•Roles — Named collections of permissions that reflect job functions or responsibilities. Roles are the central abstraction in RBAC. Examples: 'Editor', 'Billing Admin', 'Data Scientist', 'Incident Commander'.
•Permissions — Approvals to perform specific operations on specific resources. Permissions are typically expressed as (operation, object) pairs: 'read:documents', 'write:reports', 'delete:users'.
•Sessions — Represent a user's active engagement with the system. A session maps a user to a subset of their assigned roles (role activation). Users may choose not to activate all their roles to follow least privilege.
•User-Role Assignment (UA) — The mapping from users to roles. A user can have multiple roles, and a role can be assigned to multiple users. This is typically a many-to-many relationship.
•Permission-Role Assignment (PA) — The mapping from permissions to roles. A role bundles multiple permissions, and a permission can belong to multiple roles. Also a many-to-many relationship.

Visual Representation:

┌─────────────┐      ┌─────────────┐      ┌─────────────────┐
│   USERS     │──UA──│    ROLES    │──PA──│   PERMISSIONS   │
├─────────────┤      ├─────────────┤      ├─────────────────┤
│ alice       │      │ admin       │      │ users:create    │
│ bob         │      │ editor      │      │ users:delete    │
│ charlie     │      │ viewer      │      │ posts:write     │
│ diana       │      │ billing     │      │ posts:read      │
└─────────────┘      └─────────────┘      │ billing:view    │
                                          │ billing:manage  │
                                          └─────────────────┘

Example Assignment:

Alice → {admin, editor} → {all permissions}
Bob → {editor} → {posts:write, posts:read}
Charlie → {viewer} → {posts:read}
Diana → {billing} → {billing:view, billing:manage}

Permission Naming Conventions

Adopt a consistent permission naming convention like 'resource:action' (posts:write) or 'resource.action' (posts.write). Some systems use reverse notation 'action:resource' (write:posts). Consistency matters more than the specific format chosen.

Role Hierarchies and Inheritance

Role hierarchies (RBAC₁) introduce inheritance relationships between roles. A senior role automatically includes all permissions of its junior roles, reducing redundancy and reflecting organizational structures.

Types of Role Hierarchies:

Tree Hierarchy (General)

•Roles form a tree structure
•Each role has at most one parent
•Simple inheritance model
•Easy to reason about
•Example: Employee → Manager → Director → VP → CEO

DAG Hierarchy (Limited)

•Roles form a directed acyclic graph
•A role can inherit from multiple parents
•More flexible but complex
•Harder to audit and understand
•Example: TechLead inherits from both Developer and Manager

Hierarchy Example:

                    ┌─────────────┐
                    │   Admin     │ (all permissions)
                    └──────┬──────┘
                           │
              ┌────────────┼────────────┐
              ▼            ▼            ▼
       ┌──────────┐  ┌──────────┐  ┌──────────┐
       │ Content  │  │ Billing  │  │  User    │
       │  Admin   │  │  Admin   │  │  Admin   │
       └────┬─────┘  └────┬─────┘  └────┬─────┘
            │             │             │
            ▼             ▼             ▼
       ┌──────────┐  ┌──────────┐  ┌──────────┐
       │  Editor  │  │ Billing  │  │  User    │
       │          │  │  Viewer  │  │  Viewer  │
       └────┬─────┘  └──────────┘  └──────────┘
            │
            ▼
       ┌──────────┐
       │  Viewer  │ (base role)
       └──────────┘

In this hierarchy:

Admin inherits all permissions from all subordinate roles
ContentAdmin inherits Editor, which inherits Viewer
BillingAdmin and UserAdmin are independent branches

Implementation Considerations:

Static vs. Dynamic Resolution:

Static: Flatten hierarchy at assignment time. User gets all inherited permissions stored explicitly.
Dynamic: Resolve hierarchy at query time. More flexible but adds query complexity.

Most systems use static resolution for performance, with periodic recalculation when roles change.

Hierarchy Depth Limits:

Deep hierarchies (>5 levels) become difficult to reason about and audit. They also increase the computational cost of permission resolution. Limit hierarchy depth and prefer wider, shallower structures.

Cycle Detection:

Role hierarchies must be acyclic (no circular inheritance). Implement cycle detection when role relationships are modified to prevent infinite loops during permission resolution.

The Hierarchy Trap

Don't map your org chart directly to role hierarchy. Organizational reporting lines rarely align with permission requirements. A CEO doesn't need all the technical permissions of every engineer. Design role hierarchies around permission commonality, not organizational structure.

Implementing RBAC at Scale

Implementing RBAC in production systems requires careful attention to data modeling, query efficiency, and caching strategies. Let's examine practical implementation patterns.

Data Model:

A typical relational RBAC schema:

-- Core entities
CREATE TABLE users (
    id UUID PRIMARY KEY,
    email VARCHAR(255) UNIQUE NOT NULL
);

CREATE TABLE roles (
    id UUID PRIMARY KEY,
    name VARCHAR(100) UNIQUE NOT NULL,
    parent_role_id UUID REFERENCES roles(id)  -- For hierarchy
);

CREATE TABLE permissions (
    id UUID PRIMARY KEY,
    resource VARCHAR(100) NOT NULL,
    action VARCHAR(50) NOT NULL,
    UNIQUE(resource, action)
);

-- Assignment tables (many-to-many)
CREATE TABLE user_roles (
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id)
);

CREATE TABLE role_permissions (
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    permission_id UUID REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id)
);

-- Indexes for common queries
CREATE INDEX idx_user_roles_user ON user_roles(user_id);
CREATE INDEX idx_role_permissions_role ON role_permissions(role_id);

Permission Check Query:

The fundamental RBAC query: Does user X have permission to perform action A on resource R?

SELECT EXISTS (
    SELECT 1
    FROM user_roles ur
    JOIN role_permissions rp ON ur.role_id = rp.role_id
    JOIN permissions p ON rp.permission_id = p.id
    WHERE ur.user_id = :user_id
      AND p.resource = :resource
      AND p.action = :action
) AS has_permission;

With role hierarchy (using recursive CTE):

WITH RECURSIVE role_tree AS (
    -- Base: user's directly assigned roles
    SELECT r.id, r.parent_role_id
    FROM roles r
    JOIN user_roles ur ON r.id = ur.role_id
    WHERE ur.user_id = :user_id
    
    UNION ALL
    
    -- Recursive: child roles that inherit from parent
    SELECT r.id, r.parent_role_id
    FROM roles r
    JOIN role_tree rt ON r.id = rt.parent_role_id
)
SELECT EXISTS (
    SELECT 1
    FROM role_tree rt
    JOIN role_permissions rp ON rt.id = rp.role_id
    JOIN permissions p ON rp.permission_id = p.id
    WHERE p.resource = :resource AND p.action = :action
) AS has_permission;

Caching Strategies:

Direct database queries for every permission check don't scale. Implement multi-layer caching:

Layer 1: Request-scoped cache

Cache resolved permissions for the duration of a single request
User's full permission set is resolved once, reused for all checks
No invalidation concerns within request scope

Layer 2: Session/token cache

Embed permission data in JWT claims or session storage
Permissions resolved at login, valid for token lifetime
Risk: stale permissions until token refresh

Layer 3: Distributed cache (Redis/Memcached)

User permission sets cached with TTL
Shared across service instances
Challenge: cache invalidation on role changes

Invalidation Strategies:

TTL-based: Simple but allows stale data window
Event-driven: Publish role changes, invalidate affected user caches
Versioning: Store version with cache, increment on changes

Permission Precomputation

For read-heavy systems, precompute and materialize the full user → permissions mapping. Store as a denormalized table or cache. Trade storage for query performance. Rebuild incrementally when roles/assignments change.

RBAC in Microservices Architectures

Implementing RBAC across microservices introduces additional challenges around propagation, consistency, and service-specific permissions. Several patterns have emerged to address these challenges.

RBAC Microservices Patterns
Pattern	Description	Pros	Cons
Token-Embedded Roles	Include role/permission claims in JWT	Stateless, no service-to-service auth calls	Token bloat, stale permissions until expiry
Central Auth Service	Dedicated service for permission checks	Single source of truth, easy updates	Network latency, single point of failure
Sidecar Authorization	Each service has authorization sidecar	Consistent enforcement, local caching	Operational complexity, resource overhead
Policy Sync	Policies pushed to each service	Local enforcement, offline capability	Sync delays, storage at each service

Token-Embedded Roles Pattern (Most Common):

{
  "sub": "user-123",
  "email": "alice@example.com",
  "roles": ["editor", "billing_viewer"],
  "permissions": ["posts:write", "posts:read", "billing:view"],
  "exp": 1704672000
}

Advantages:

Services validate locally without network calls
Scales infinitely—no central bottleneck
Works offline or with network partitions

Challenges:

Permission changes require token refresh/reissue
Token size grows with permissions (JWT overhead)
Can't revoke permissions instantly

Mitigation:

Use short-lived access tokens (5-15 minutes)
Implement token refresh with permission revalidation
For critical operations, perform real-time permission check

Service-Specific Role Mapping:

In microservices, a global role like "Editor" might mean different things to different services:

Content Service: Editor can create/update posts
User Service: Editor can view user profiles
Billing Service: Editor has no access

Two approaches:

1. Centralized permission expansion: Map global roles to service-specific permissions centrally. Include expanded permissions in tokens.

2. Service-local role interpretation: Services receive role names and interpret them locally. Each service maintains its own role→permission mapping.

The second approach offers more flexibility but requires coordination to ensure consistent role semantics.

Principle of Least Privilege in Tokens

Consider issuing tokens with scoped permissions for specific operations rather than full user permissions. A token for viewing a dashboard doesn't need write permissions. Audience-restricted tokens reduce blast radius if compromised.

RBAC Constraints: Separation of Duties

RBAC₂ introduces constraints that limit role assignments to enforce security policies. The most important is Separation of Duties (SoD)—preventing conflicts of interest by ensuring no single user can complete a sensitive process alone.

Types of Separation of Duties:

Static Separation of Duties (SSoD)

•Enforced at role assignment time
•User cannot be assigned conflicting roles
•Simpler to implement and audit
•Can be overly restrictive
•Example: Can't have both Requester and Approver roles

Dynamic Separation of Duties (DSoD)

•Enforced at role activation time
•User can have conflicting roles but not activate both
•More flexible for users
•More complex to implement
•Example: Can have both roles but must choose one per session

Real-World SoD Examples:

Financial Controls:

Purchase Requester ⊗ Purchase Approver (no self-approval)
Journal Entry Creator ⊗ Journal Entry Poster (dual control)
Payment Initiator ⊗ Payment Releaser (fraud prevention)

IT Security:

Developer ⊗ Production Deployer (environment separation)
Access Requester ⊗ Access Approver (privilege control)
Audit Log Viewer ⊗ Audit Log Modifier (audit integrity)

Implementation:

def check_sod_violations(user_id: str, new_role: str) -> List[str]:
    """Return list of conflicting roles if SSoD would be violated."""
    current_roles = get_user_roles(user_id)
    conflicts = SOD_MATRIX.get(new_role, [])
    return [r for r in current_roles if r in conflicts]

def assign_role(user_id: str, role: str):
    violations = check_sod_violations(user_id, role)
    if violations:
        raise SoDViolationError(
            f"Cannot assign '{role}' - conflicts with: {violations}"
        )
    create_role_assignment(user_id, role)

Other RBAC Constraints:

Cardinality Constraints:

Maximum users per role (e.g., only 3 users can be SuperAdmin)
Maximum roles per user (prevent role accumulation)
Maximum permissions per role (prevent super-roles)

Prerequisite Roles:

Must have Role A before being assigned Role B
Creates role progression paths (Junior → Senior → Lead)

Time-Based Constraints:

Role assignments valid only during certain hours
Roles expire after a period (temporary elevated access)
Role activation requires approval if outside normal hours

SoD Bypass Risk

Separation of duties can be bypassed through collusion (two users cooperating) or by assigning excessive permissions to a single role. SoD reduces risk but doesn't eliminate it. Complement with audit logging and anomaly detection.

RBAC Limitations and Anti-Patterns

Despite its popularity, RBAC has fundamental limitations that become apparent as systems grow in complexity. Understanding these limitations helps identify when alternative authorization models are more appropriate.

Fundamental RBAC Limitations

•Role Explosion — As systems grow, the number of roles proliferates to cover every combination of access needs. Having hundreds or thousands of roles defeats the simplicity benefit. Google reportedly had over 380,000 roles before moving to a different model.
•No Instance-Level Control — RBAC grants access to resource types, not resource instances. An 'Editor' can edit all documents, not just their own. Adding instance-level control requires augmenting RBAC with other mechanisms.
•No Context Awareness — Pure RBAC doesn't consider context like time of day, location, risk score, or resource state. 'Admin' has the same permissions at 3 AM from an unusual IP as during normal business hours.
•Static Nature — Role assignments are typically static, not responding to changing conditions. Emergency access, temporary privileges, and dynamic risk require additional mechanisms.
•Poor Multi-Tenancy Fit — RBAC doesn't naturally handle multi-tenant scenarios where the same role means different things in different tenants, or where cross-tenant access is needed.
•Relationship Blindness — RBAC can't express permissions based on relationships: 'managers can view their direct reports' data' requires knowing the management relationship, not just the role.

Common RBAC Anti-Patterns:

RBAC Anti-Patterns to Avoid
Anti-Pattern	Problem	Better Approach
User-Named Roles	Creating 'AliceRole' for unique access needs	Use ABAC for per-user rules or permission groups
Permission-per-Role	Each role has exactly one permission	Use direct permission assignment instead
God Role	Single 'SuperAdmin' role with all permissions	Separate admin functions into specific roles
Hierarchical Org Mapping	Role hierarchy mirrors org chart	Design roles around permission patterns
Role Accumulation	Users collect roles over time, never lose them	Implement regular access reviews, role expiry
Implicit Denial Bypass	Granting permissions to bypass checks	Fix the underlying authorization logic

When to Move Beyond RBAC

Consider augmenting or replacing RBAC when: you have more than ~100-200 roles, you need instance-level access control, permissions depend on relationships between entities, context-aware authorization is required, or you're experiencing significant role management overhead.

Summary: Role-Based Access Control

We've completed a thorough exploration of Role-Based Access Control—its theoretical foundations, practical implementation, and real-world limitations. Let's consolidate the key insights:

Key Takeaways

•RBAC uses roles as indirection — Users are assigned roles; roles contain permissions. This reduces permission management complexity significantly for organizations of any size.
•NIST defines four RBAC models — From flat (RBAC₀) to symmetric (RBAC₃), choose the simplest model that meets your requirements. Most applications need only RBAC₀ or RBAC₁.
•Role hierarchies reflect permission inheritance — Senior roles inherit from junior roles. Keep hierarchies shallow and based on permission patterns, not org charts.
•Implementation requires careful caching — Database queries for every permission check don't scale. Use multi-layer caching with appropriate invalidation strategies.
•Constraints enable security policies — Separation of duties, cardinality limits, and prerequisite roles enforce organizational security requirements.
•RBAC has fundamental limitations — Role explosion, no instance-level control, lack of context awareness, and relationship blindness drive organizations toward ABAC and ReBAC.

What's Next:

RBAC's limitations with instance-level and context-aware authorization lead us to Attribute-Based Access Control (ABAC). The next page explores ABAC's policy-driven approach, where authorization decisions are based on attributes of subjects, resources, actions, and context—enabling far more expressive and dynamic access control than RBAC alone.

Page Complete

You now have a comprehensive understanding of RBAC—its model, components, implementation strategies, constraints, and limitations. You can design and implement RBAC systems effectively, and recognize when more sophisticated authorization models are needed.

2 / 5

Loading learning content...

System Design (HLD)Authorization Patterns

Authorization Patterns

LevelIntermediate

Duration75 mins

TopicAuthorization Patterns

2 / 5

Role-Based Access Control (RBAC)

The Universal Authorization Pattern

What You Will Learn

The Formal RBAC Model

The Core RBAC Concept:

Direct Assignment:    User → Permission (N users × M permissions = N×M assignments)
RBAC:                 User → Role → Permission (N users × R roles + R roles × M permissions)

For large organizations, this reduction is significant. Consider 10,000 users and 1,000 permissions:

Direct assignment: up to 10,000,000 potential assignments
RBAC with 50 roles: up to 500,000 + 50,000 = 550,000 potential assignments

This 18x reduction in assignment complexity translates directly to reduced administrative burden, fewer errors, and easier auditing.

NIST RBAC Reference Model:

The NIST standard defines four RBAC models of increasing sophistication:

RBAC₀ (Flat RBAC) — The base model with users, roles, permissions, and sessions. No role hierarchy. Users can activate multiple roles simultaneously.

RBAC₁ (Hierarchical RBAC) — Adds role hierarchies where senior roles inherit permissions from junior roles. Example: "Manager" inherits all permissions of "Employee."

RBAC₂ (Constrained RBAC) — Adds constraints like separation of duties. Example: No user can have both "Purchase Requester" and "Purchase Approver" roles.

RBAC₃ (Symmetric RBAC) — Combines hierarchical and constrained RBAC. The most complete model but also the most complex to implement.

NIST RBAC Model Comparison
Model	Features	Complexity	Use Case
RBAC₀ (Flat)	Users, Roles, Permissions, Sessions	Low	Simple applications, small teams
RBAC₁ (Hierarchical)	Role inheritance	Medium	Organizations with clear hierarchies
RBAC₂ (Constrained)	Separation of duties, cardinality limits	Medium-High	Regulated industries, financial systems
RBAC₃ (Symmetric)	Full model with all features	High	Enterprise systems, complex compliance

Start Simple

Core RBAC Components

Understanding RBAC requires precise definitions of its constituent elements. Each component plays a specific role in the authorization model.

RBAC Components Defined

•Users — Entities that access the system. In RBAC, users are typically humans, but can include service accounts or applications. Each user has a unique identifier and can be assigned to multiple roles.
•Roles — Named collections of permissions that reflect job functions or responsibilities. Roles are the central abstraction in RBAC. Examples: 'Editor', 'Billing Admin', 'Data Scientist', 'Incident Commander'.
•Permissions — Approvals to perform specific operations on specific resources. Permissions are typically expressed as (operation, object) pairs: 'read:documents', 'write:reports', 'delete:users'.
•Sessions — Represent a user's active engagement with the system. A session maps a user to a subset of their assigned roles (role activation). Users may choose not to activate all their roles to follow least privilege.
•User-Role Assignment (UA) — The mapping from users to roles. A user can have multiple roles, and a role can be assigned to multiple users. This is typically a many-to-many relationship.
•Permission-Role Assignment (PA) — The mapping from permissions to roles. A role bundles multiple permissions, and a permission can belong to multiple roles. Also a many-to-many relationship.

Visual Representation:

┌─────────────┐      ┌─────────────┐      ┌─────────────────┐
│   USERS     │──UA──│    ROLES    │──PA──│   PERMISSIONS   │
├─────────────┤      ├─────────────┤      ├─────────────────┤
│ alice       │      │ admin       │      │ users:create    │
│ bob         │      │ editor      │      │ users:delete    │
│ charlie     │      │ viewer      │      │ posts:write     │
│ diana       │      │ billing     │      │ posts:read      │
└─────────────┘      └─────────────┘      │ billing:view    │
                                          │ billing:manage  │
                                          └─────────────────┘

Example Assignment:

Alice → {admin, editor} → {all permissions}
Bob → {editor} → {posts:write, posts:read}
Charlie → {viewer} → {posts:read}
Diana → {billing} → {billing:view, billing:manage}

Permission Naming Conventions

Role Hierarchies and Inheritance

Types of Role Hierarchies:

Tree Hierarchy (General)

•Roles form a tree structure
•Each role has at most one parent
•Simple inheritance model
•Easy to reason about
•Example: Employee → Manager → Director → VP → CEO

DAG Hierarchy (Limited)

•Roles form a directed acyclic graph
•A role can inherit from multiple parents
•More flexible but complex
•Harder to audit and understand
•Example: TechLead inherits from both Developer and Manager

Hierarchy Example:

                    ┌─────────────┐
                    │   Admin     │ (all permissions)
                    └──────┬──────┘
                           │
              ┌────────────┼────────────┐
              ▼            ▼            ▼
       ┌──────────┐  ┌──────────┐  ┌──────────┐
       │ Content  │  │ Billing  │  │  User    │
       │  Admin   │  │  Admin   │  │  Admin   │
       └────┬─────┘  └────┬─────┘  └────┬─────┘
            │             │             │
            ▼             ▼             ▼
       ┌──────────┐  ┌──────────┐  ┌──────────┐
       │  Editor  │  │ Billing  │  │  User    │
       │          │  │  Viewer  │  │  Viewer  │
       └────┬─────┘  └──────────┘  └──────────┘
            │
            ▼
       ┌──────────┐
       │  Viewer  │ (base role)
       └──────────┘

In this hierarchy:

Admin inherits all permissions from all subordinate roles
ContentAdmin inherits Editor, which inherits Viewer
BillingAdmin and UserAdmin are independent branches

Implementation Considerations:

Static vs. Dynamic Resolution:

Static: Flatten hierarchy at assignment time. User gets all inherited permissions stored explicitly.
Dynamic: Resolve hierarchy at query time. More flexible but adds query complexity.

Most systems use static resolution for performance, with periodic recalculation when roles change.

Hierarchy Depth Limits:

Cycle Detection:

Role hierarchies must be acyclic (no circular inheritance). Implement cycle detection when role relationships are modified to prevent infinite loops during permission resolution.

The Hierarchy Trap

Implementing RBAC at Scale

Implementing RBAC in production systems requires careful attention to data modeling, query efficiency, and caching strategies. Let's examine practical implementation patterns.

Data Model:

A typical relational RBAC schema:

-- Core entities
CREATE TABLE users (
    id UUID PRIMARY KEY,
    email VARCHAR(255) UNIQUE NOT NULL
);

CREATE TABLE roles (
    id UUID PRIMARY KEY,
    name VARCHAR(100) UNIQUE NOT NULL,
    parent_role_id UUID REFERENCES roles(id)  -- For hierarchy
);

CREATE TABLE permissions (
    id UUID PRIMARY KEY,
    resource VARCHAR(100) NOT NULL,
    action VARCHAR(50) NOT NULL,
    UNIQUE(resource, action)
);

-- Assignment tables (many-to-many)
CREATE TABLE user_roles (
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id)
);

CREATE TABLE role_permissions (
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    permission_id UUID REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id)
);

-- Indexes for common queries
CREATE INDEX idx_user_roles_user ON user_roles(user_id);
CREATE INDEX idx_role_permissions_role ON role_permissions(role_id);

Permission Check Query:

The fundamental RBAC query: Does user X have permission to perform action A on resource R?

SELECT EXISTS (
    SELECT 1
    FROM user_roles ur
    JOIN role_permissions rp ON ur.role_id = rp.role_id
    JOIN permissions p ON rp.permission_id = p.id
    WHERE ur.user_id = :user_id
      AND p.resource = :resource
      AND p.action = :action
) AS has_permission;

With role hierarchy (using recursive CTE):

WITH RECURSIVE role_tree AS (
    -- Base: user's directly assigned roles
    SELECT r.id, r.parent_role_id
    FROM roles r
    JOIN user_roles ur ON r.id = ur.role_id
    WHERE ur.user_id = :user_id
    
    UNION ALL
    
    -- Recursive: child roles that inherit from parent
    SELECT r.id, r.parent_role_id
    FROM roles r
    JOIN role_tree rt ON r.id = rt.parent_role_id
)
SELECT EXISTS (
    SELECT 1
    FROM role_tree rt
    JOIN role_permissions rp ON rt.id = rp.role_id
    JOIN permissions p ON rp.permission_id = p.id
    WHERE p.resource = :resource AND p.action = :action
) AS has_permission;

Caching Strategies:

Direct database queries for every permission check don't scale. Implement multi-layer caching:

Layer 1: Request-scoped cache

Cache resolved permissions for the duration of a single request
User's full permission set is resolved once, reused for all checks
No invalidation concerns within request scope

Layer 2: Session/token cache

Embed permission data in JWT claims or session storage
Permissions resolved at login, valid for token lifetime
Risk: stale permissions until token refresh

Layer 3: Distributed cache (Redis/Memcached)

User permission sets cached with TTL
Shared across service instances
Challenge: cache invalidation on role changes

Invalidation Strategies:

TTL-based: Simple but allows stale data window
Event-driven: Publish role changes, invalidate affected user caches
Versioning: Store version with cache, increment on changes

Permission Precomputation

RBAC in Microservices Architectures

Implementing RBAC across microservices introduces additional challenges around propagation, consistency, and service-specific permissions. Several patterns have emerged to address these challenges.

RBAC Microservices Patterns
Pattern	Description	Pros	Cons
Token-Embedded Roles	Include role/permission claims in JWT	Stateless, no service-to-service auth calls	Token bloat, stale permissions until expiry
Central Auth Service	Dedicated service for permission checks	Single source of truth, easy updates	Network latency, single point of failure
Sidecar Authorization	Each service has authorization sidecar	Consistent enforcement, local caching	Operational complexity, resource overhead
Policy Sync	Policies pushed to each service	Local enforcement, offline capability	Sync delays, storage at each service

Token-Embedded Roles Pattern (Most Common):

{
  "sub": "user-123",
  "email": "alice@example.com",
  "roles": ["editor", "billing_viewer"],
  "permissions": ["posts:write", "posts:read", "billing:view"],
  "exp": 1704672000
}

Advantages:

Services validate locally without network calls
Scales infinitely—no central bottleneck
Works offline or with network partitions

Challenges:

Permission changes require token refresh/reissue
Token size grows with permissions (JWT overhead)
Can't revoke permissions instantly

Mitigation:

Use short-lived access tokens (5-15 minutes)
Implement token refresh with permission revalidation
For critical operations, perform real-time permission check

Service-Specific Role Mapping:

In microservices, a global role like "Editor" might mean different things to different services:

Content Service: Editor can create/update posts
User Service: Editor can view user profiles
Billing Service: Editor has no access

Two approaches:

1. Centralized permission expansion: Map global roles to service-specific permissions centrally. Include expanded permissions in tokens.

2. Service-local role interpretation: Services receive role names and interpret them locally. Each service maintains its own role→permission mapping.

The second approach offers more flexibility but requires coordination to ensure consistent role semantics.

Principle of Least Privilege in Tokens

RBAC Constraints: Separation of Duties

Types of Separation of Duties:

Static Separation of Duties (SSoD)

•Enforced at role assignment time
•User cannot be assigned conflicting roles
•Simpler to implement and audit
•Can be overly restrictive
•Example: Can't have both Requester and Approver roles

Dynamic Separation of Duties (DSoD)

•Enforced at role activation time
•User can have conflicting roles but not activate both
•More flexible for users
•More complex to implement
•Example: Can have both roles but must choose one per session

Real-World SoD Examples:

Financial Controls:

Purchase Requester ⊗ Purchase Approver (no self-approval)
Journal Entry Creator ⊗ Journal Entry Poster (dual control)
Payment Initiator ⊗ Payment Releaser (fraud prevention)

IT Security:

Developer ⊗ Production Deployer (environment separation)
Access Requester ⊗ Access Approver (privilege control)
Audit Log Viewer ⊗ Audit Log Modifier (audit integrity)

Implementation:

def check_sod_violations(user_id: str, new_role: str) -> List[str]:
    """Return list of conflicting roles if SSoD would be violated."""
    current_roles = get_user_roles(user_id)
    conflicts = SOD_MATRIX.get(new_role, [])
    return [r for r in current_roles if r in conflicts]

def assign_role(user_id: str, role: str):
    violations = check_sod_violations(user_id, role)
    if violations:
        raise SoDViolationError(
            f"Cannot assign '{role}' - conflicts with: {violations}"
        )
    create_role_assignment(user_id, role)

Other RBAC Constraints:

Cardinality Constraints:

Maximum users per role (e.g., only 3 users can be SuperAdmin)
Maximum roles per user (prevent role accumulation)
Maximum permissions per role (prevent super-roles)

Prerequisite Roles:

Must have Role A before being assigned Role B
Creates role progression paths (Junior → Senior → Lead)

Time-Based Constraints:

Role assignments valid only during certain hours
Roles expire after a period (temporary elevated access)
Role activation requires approval if outside normal hours

SoD Bypass Risk

RBAC Limitations and Anti-Patterns

Fundamental RBAC Limitations

•Role Explosion — As systems grow, the number of roles proliferates to cover every combination of access needs. Having hundreds or thousands of roles defeats the simplicity benefit. Google reportedly had over 380,000 roles before moving to a different model.
•No Instance-Level Control — RBAC grants access to resource types, not resource instances. An 'Editor' can edit all documents, not just their own. Adding instance-level control requires augmenting RBAC with other mechanisms.
•No Context Awareness — Pure RBAC doesn't consider context like time of day, location, risk score, or resource state. 'Admin' has the same permissions at 3 AM from an unusual IP as during normal business hours.
•Static Nature — Role assignments are typically static, not responding to changing conditions. Emergency access, temporary privileges, and dynamic risk require additional mechanisms.
•Poor Multi-Tenancy Fit — RBAC doesn't naturally handle multi-tenant scenarios where the same role means different things in different tenants, or where cross-tenant access is needed.
•Relationship Blindness — RBAC can't express permissions based on relationships: 'managers can view their direct reports' data' requires knowing the management relationship, not just the role.

Common RBAC Anti-Patterns:

RBAC Anti-Patterns to Avoid
Anti-Pattern	Problem	Better Approach
User-Named Roles	Creating 'AliceRole' for unique access needs	Use ABAC for per-user rules or permission groups
Permission-per-Role	Each role has exactly one permission	Use direct permission assignment instead
God Role	Single 'SuperAdmin' role with all permissions	Separate admin functions into specific roles
Hierarchical Org Mapping	Role hierarchy mirrors org chart	Design roles around permission patterns
Role Accumulation	Users collect roles over time, never lose them	Implement regular access reviews, role expiry
Implicit Denial Bypass	Granting permissions to bypass checks	Fix the underlying authorization logic

When to Move Beyond RBAC

Summary: Role-Based Access Control

We've completed a thorough exploration of Role-Based Access Control—its theoretical foundations, practical implementation, and real-world limitations. Let's consolidate the key insights:

Key Takeaways

•RBAC uses roles as indirection — Users are assigned roles; roles contain permissions. This reduces permission management complexity significantly for organizations of any size.
•NIST defines four RBAC models — From flat (RBAC₀) to symmetric (RBAC₃), choose the simplest model that meets your requirements. Most applications need only RBAC₀ or RBAC₁.
•Role hierarchies reflect permission inheritance — Senior roles inherit from junior roles. Keep hierarchies shallow and based on permission patterns, not org charts.
•Implementation requires careful caching — Database queries for every permission check don't scale. Use multi-layer caching with appropriate invalidation strategies.
•Constraints enable security policies — Separation of duties, cardinality limits, and prerequisite roles enforce organizational security requirements.
•RBAC has fundamental limitations — Role explosion, no instance-level control, lack of context awareness, and relationship blindness drive organizations toward ABAC and ReBAC.

What's Next:

Page Complete

2 / 5