Ahem, it’s called Role-Based Access Control
Of late I have been on a quest to educate the infosec community on the definition of RBAC. It is not the first time. A couple of years back, this role-infused rant:
And before that this:
But my efforts have fallen on deaf ears. One of the most persistent misconceptions is that RBAC does not include permissions in the access control decision.
There are repeat offenders. One is a well-known expert in the field of web application security.
The first time I had to correct him was after his JavaOne talk a few years back, where I heard that Role-Based Access Control is an anti-pattern.
‘Why do you call it an anti-pattern?’ I asked politely from the audience.
‘Because RBAC uses roles in the access control decision, and what you really need to start using is permissions,’ he confidently replied.
After the talk, once everyone had left, I quietly explained that RBAC is the name of a standard, and that it requires permissions to be used in the access control decision.
I started to follow him on Twitter, and about a year later there were more posts with the same confusion, i.e. RBAC as an anti-pattern. Again I corrected him – politely, via Twitter.
Now there are pages, for which he is a credited author, that continue to spread the same nonsense:
There is no such thing as permission-based access control. It’s called role-based access control, and it uses – permissions.
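To make the point concrete, here is an added example (not from the original post or from any standard's reference code) of the core RBAC relations as the ANSI INCITS 359 model defines them: users are assigned to roles, permissions (operation, object pairs) are assigned to roles, and the access decision asks whether the requested permission is reachable through the user's roles. Beside it sits the misconception the post objects to, a check that branches on hard-coded role names; the role names, users and invoice permissions are constructed sample data.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # core RBAC: a permission is an (operation, object) pair


class Rbac:
    """Core RBAC relations: user assignment (UA) and permission assignment (PA)."""

    def __init__(self) -> None:
        self.ua: Dict[str, Set[str]] = {}         # user -> roles assigned to the user
        self.pa: Dict[str, Set[Permission]] = {}  # role -> permissions assigned to the role

    def assign_user(self, user: str, role: str) -> None:
        self.ua.setdefault(user, set()).add(role)

    def grant_permission(self, role: str, op: str, obj: str) -> None:
        self.pa.setdefault(role, set()).add((op, obj))

    def revoke_permission(self, role: str, op: str, obj: str) -> None:
        self.pa.get(role, set()).discard((op, obj))

    def user_permissions(self, user: str) -> Set[Permission]:
        # Roles are only the indirection; the union of their permissions is what gets checked.
        perms: Set[Permission] = set()
        for role in self.ua.get(user, set()):
            perms |= self.pa.get(role, set())
        return perms

    def check_access(self, user: str, op: str, obj: str) -> bool:
        """The RBAC decision: is (op, obj) among the permissions of the user's roles?"""
        return (op, obj) in self.user_permissions(user)


def role_name_check(rbac: Rbac, user: str, op: str, obj: str) -> bool:
    """The misconception the post objects to: deciding on hard-coded role names.
    Permission changes need code changes, and roles with no branch here get nothing."""
    if "accountant" in rbac.ua.get(user, set()):
        return obj == "invoice"  # "accountants may do anything to invoices"
    return False


def build_sample() -> Rbac:
    # Constructed sample policy, not taken from any real system.
    rbac = Rbac()
    rbac.grant_permission("reviewer", "read", "invoice")
    rbac.grant_permission("accountant", "read", "invoice")
    rbac.grant_permission("accountant", "approve", "invoice")
    rbac.assign_user("alice", "accountant")
    rbac.assign_user("bob", "reviewer")
    return rbac
```

Revoking the approve permission from the accountant role changes `check_access` immediately, while `role_name_check` keeps granting it because it never looked at permissions in the first place.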