RBAC
Role-Based Access Control
An authorisation model in which permissions are assigned through roles rather than to individual users — simpler management and auditability.
What is RBAC?
RBAC (Role-Based Access Control) is an authorisation model (formally described in the ANSI INCITS 359-2004 standard) in which permissions are not assigned to individual users, but to defined roles — and users are then assigned roles. This means that when an employee changes position, it is sufficient to change their role rather than reconfiguring dozens of individual permissions.
The standard RBAC model has four building blocks:
- Users — specific employees
- Roles — e.g. “Accountant”, “Sales Representative”, “Production Manager”
- Permissions — atomic operations (read invoice, issue invoice, delete customer)
- Relations — which permissions belong to which role
Advanced variants:
- Hierarchical RBAC — roles inherit permissions (Junior Accountant ⊂ Senior Accountant ⊂ Head of Accounting)
- Constrained RBAC — separation of duties: e.g. the same person cannot both issue an invoice and authorise its payment
- Dynamic RBAC — roles active depending on context (time, location, project)
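To make the hierarchy and constrained variants above concrete, here is an added example in Python (not code from the page or from Modulario): a minimal RBAC engine in which roles inherit permissions from their parents, one static separation-of-duties pair blocks conflicting assignments, and a permission matrix is derived from the result. All role, permission and user names are constructed sample values.

```python
# Added example, not from the page: constructed roles, permissions and users.
# Role hierarchy: a role inherits every permission of its parent (None = top).
ROLE_PARENT = {"junior_accountant": None, "senior_accountant": "junior_accountant",
               "head_of_accounting": "senior_accountant", "payment_approver": None}
# Direct role -> permission relations.
ROLE_PERMISSIONS = {"junior_accountant": {"invoice:read"}, "senior_accountant": {"invoice:issue"},
                    "head_of_accounting": {"customer:delete"}, "payment_approver": {"payment:authorise"}}
# Static separation of duties: nobody may hold both roles of a pair, directly or by inheritance.
SOD_PAIRS = [("senior_accountant", "payment_approver")]

def ancestors(role):
    """All roles `role` inherits from, transitively."""
    found = set()
    while (role := ROLE_PARENT.get(role)) is not None:
        found.add(role)
    return found

def effective_permissions(role):
    """Permissions granted directly to `role` plus those inherited from its ancestors."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in {role} | ancestors(role)))

def sod_violation(roles):
    """First SoD pair fully covered by `roles` (counting inherited roles), else None."""
    held = set().union(*({r} | ancestors(r) for r in roles))
    return next(((a, b) for a, b in SOD_PAIRS if a in held and b in held), None)

def assign_role(user_roles, user, role):
    """Assign `role` to `user`; refuse the change if it would break separation of duties."""
    proposed = user_roles.get(user, set()) | {role}
    conflict = sod_violation(proposed)
    if conflict:
        raise PermissionError(f"{user}: {role} conflicts with SoD pair {conflict}")
    user_roles[user] = proposed
    return proposed

def is_allowed(user_roles, user, permission):
    """Authorisation check: does any role of the user grant the permission?"""
    return any(permission in effective_permissions(r) for r in user_roles.get(user, set()))

def permission_matrix():
    """Role x permission table, the kind of audit evidence an admin console's matrix view shows."""
    perms = sorted(set().union(*ROLE_PERMISSIONS.values()))
    return {role: {p: p in effective_permissions(role) for p in perms} for role in ROLE_PARENT}
```

Note that the SoD check counts inherited roles: a Head of Accounting cannot be made a payment approver because the role inherits Senior Accountant, which is one half of the conflicting pair.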
When it is used
RBAC is the foundational authorisation model in every serious B2B software application. Its limitation: in complex scenarios (e.g. “this user only has access to their own clients in region X”) the number of roles explodes, because every combination of attributes needs a role of its own; this is where ReBAC or ABAC helps.
See the Security page and the API page.
Related terms
- ReBAC — a more advanced model for complex scenarios. See /en/glossary/rebac.
- SSO — authentication; RBAC is authorisation. See /en/glossary/sso.
- GDPR — RBAC restricts access to personal data. See /en/glossary/gdpr.
- ISO 27001 — Annex A.5.15 requires access management. See /en/glossary/iso-27001.
In Modulario
Modulario uses a hybrid model — RBAC as the base and ReBAC for more complex scenarios (e.g. “I can only see documents for projects I am part of”). Roles can be adjusted per module — an accountant can have full access to Invoicing but read-only access to CRM.
Modulario’s admin console displays a permission matrix — a clear table showing which role has access to which module and which operations. In an ISO 27001 audit this gives staff straightforward evidence, instead of having to search through code or XML configuration files.
Related terms
ReBAC
An authorisation model based on relationships between objects — access is derived from which teams and projects a user belongs to.
SSO
An authentication mechanism that allows a user to log in once and gain access to multiple applications without repeatedly entering a password.
GDPR
The EU regulation on personal data protection in force since 25 May 2018 — defines the rights of data subjects and the obligations of controllers.
ISO/IEC 27001
The international standard for an Information Security Management System (ISMS) — certification that demonstrates an organisation's maturity in IT security.
API
An interface through which different software systems communicate — in B2B SaaS typically a REST API or GraphQL over HTTPS.