The Symas Blog

Ahem, it’s called Role-Based Access Control

by | Aug 5, 2016 | Application Security

Of late I have been on a quest to educate the infosec community on the definition of RBAC.  It is not the first time.  A couple of years back there was this role-infused rant:

Using Roles for Access Control is Not Role-Based Access Control

And before that this:

An Introduction to Role-Based Access Control

But my efforts have fallen on deaf ears.  One of the most persistent misconceptions is that RBAC does not include permissions in the access control decision.

There are repeat offenders.  One is a well-known expert within the field of web application security.

The first time I had to correct him was after his JavaOne talk a few years back, where I heard that Role-Based Access Control is an anti-pattern.

‘Why do you call it an anti-pattern?’ I asked politely from the audience.

‘Because RBAC uses roles in the access control decision and what you really need to start using is permissions’ he confidently replied.

After the talk, once everyone had left, I quietly explained that RBAC is the name of a standard (ANSI INCITS 359), and that the standard requires permissions, not role names, to be used in the access control decision.

I started to follow him on Twitter, and about a year later there were more posts with the same confusion, i.e. RBAC as an anti-pattern.  Again I corrected him, politely, via Twitter.

Now there are pages, for which he is a credited author, that continue to spread the same nonsense:

https://www.owasp.org/index.php/Access_Control_Cheat_Sheet#tab=Permission_Based_Access_Control

There is no such thing as permission-based access control.  It's called role-based access control, and it uses permissions.
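To make the point concrete, here is an added example (not code from this post) that models Core RBAC as the ANSI INCITS 359 standard defines it: users are assigned to roles (UA), permissions, which are (operation, object) pairs, are assigned to roles (PA), a session activates a subset of the user's roles, and CheckAccess asks whether any active role holds the requested permission.  The function names follow the standard's functional specification; the users, roles and permissions are constructed sample data.  The `has_role` function is included only to show the "role name in the decision" check that the talk mistook for RBAC, and how it diverges from the standard once a permission is revoked.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """In the standard a permission is an (operation, object) pair."""
    operation: str
    obj: str


@dataclass
class RbacPolicy:
    """Core RBAC relations: UA (user -> roles) and PA (role -> permissions)."""
    ua: dict[str, set[str]] = field(default_factory=dict)
    pa: dict[str, set[Permission]] = field(default_factory=dict)

    # Administrative functions (names follow the standard's AssignUser,
    # GrantPermission, RevokePermission).
    def assign_user(self, user: str, role: str) -> None:
        self.ua.setdefault(user, set()).add(role)

    def grant_permission(self, role: str, operation: str, obj: str) -> None:
        self.pa.setdefault(role, set()).add(Permission(operation, obj))

    def revoke_permission(self, role: str, operation: str, obj: str) -> None:
        self.pa.get(role, set()).discard(Permission(operation, obj))

    # Review functions.
    def assigned_roles(self, user: str) -> set[str]:
        return set(self.ua.get(user, set()))

    def role_permissions(self, role: str) -> set[Permission]:
        return set(self.pa.get(role, set()))


@dataclass
class Session:
    user: str
    active_roles: set[str]


def create_session(policy: RbacPolicy, user: str, roles: set[str]) -> Session:
    """CreateSession: the roles being activated must be a subset of UA(user)."""
    assigned = policy.assigned_roles(user)
    if not roles <= assigned:
        raise PermissionError(f"{user} may not activate {sorted(roles - assigned)}")
    return Session(user, set(roles))


def check_access(policy: RbacPolicy, session: Session, operation: str, obj: str) -> bool:
    """CheckAccess(session, operation, object) as the standard specifies it:
    grant iff some role active in the session holds (operation, object).
    The decision is made on a permission; no role name appears here."""
    wanted = Permission(operation, obj)
    return any(wanted in policy.role_permissions(r) for r in session.active_roles)


def has_role(session: Session, role: str) -> bool:
    """The 'roles in the access decision' check the talk called RBAC.  It
    hardwires a role name into the application, so it cannot reflect a
    permission that an administrator later revokes from that role."""
    return role in session.active_roles


def build_demo() -> RbacPolicy:
    """Constructed sample policy (hypothetical users, roles and objects)."""
    policy = RbacPolicy()
    policy.assign_user("alice", "editor")
    policy.assign_user("bob", "reader")
    for role, op, obj in [("reader", "read", "article"),
                          ("editor", "read", "article"),
                          ("editor", "update", "article")]:
        policy.grant_permission(role, op, obj)
    return policy


def demo() -> dict[str, bool]:
    """Show where the standard's check and the role-name check diverge."""
    policy = build_demo()
    alice = create_session(policy, "alice", {"editor"})
    bob = create_session(policy, "bob", {"reader"})
    before = check_access(policy, alice, "update", "article")   # True
    policy.revoke_permission("editor", "update", "article")
    after = check_access(policy, alice, "update", "article")    # False
    return {
        "editor_can_update_before_revoke": before,
        "editor_can_update_after_revoke": after,
        "has_role_still_says_editor": has_role(alice, "editor"),  # True
        "reader_can_update": check_access(policy, bob, "update", "article"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the demo shows that after the administrator revokes (update, article) from the editor role, `check_access` denies Alice's update even though her session still has the editor role active, while `has_role` keeps answering yes.  That is the whole argument of the post in code: the standard decides on permissions, and a check that only inspects role names is the thing that deserves the anti-pattern label.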
