Role-Based Access Control (RBAC)
Domain 5 — Protection of Information Assets
Definition
RBAC is an access control model in which permissions are assigned to roles rather than directly to individuals, and users are granted roles that correspond to their job functions. Because access changes by changing a role definition or a role assignment, administration is simpler, users with the same function hold the same entitlements, and access reviews can be performed at the role level instead of permission by permission. IS auditors evaluate RBAC by examining whether role definitions are appropriately scoped (a role grants no more than its function needs), whether each user's role assignments match their actual job responsibilities, and whether a role recertification process exists and is operating on schedule.
Real-World Audit Scenario
I audited a bank that had 2,000 employees but 8,000 unique system roles. A financial controller had 12 different roles — each added ad-hoc by a different IT administrator over the years, with significant overlap and redundancy. Nobody could tell me exactly what access that controller actually had. We recommended a role rationalisation exercise to reduce roles to a manageable number, with a role ownership matrix and quarterly recertification. The result: 2,000 roles reduced to 120, with clear ownership and a quarterly review cycle.
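The three audit checks named in the definition above, and the overlap and redundancy described in the scenario, can be made concrete with a small role model. The following is an added example, not code or data from the page or from the audited bank: the roles, job entitlements and user assignments are constructed, and the function names (effective_permissions, excess_permissions, redundant_roles, duplicate_roles, overdue_recertification) are this example's own. It answers "what access does this user actually have", flags permissions beyond the approved job entitlement, flags roles that add nothing to a user's other roles, finds duplicate role definitions in the catalogue, and lists users whose recertification is outside the review cycle.

```python
"""Minimal RBAC model with the checks an IS auditor applies to it.

Added example with constructed data; not the page's or any bank's real roles.
"""
from datetime import date, timedelta

# Role catalogue: role -> permissions it grants (constructed sample data).
ROLE_PERMISSIONS = {
    "gl_view":        {"gl.read"},
    "gl_post":        {"gl.read", "gl.post"},
    "gl_post_legacy": {"gl.read", "gl.post"},        # identical to gl_post
    "gl_approve":     {"gl.read", "gl.approve"},
    "db_dba":         {"db.dba"},
    "payroll_admin":  {"payroll.read", "payroll.write"},
}

# Job function -> permissions the role owner has approved for that function.
JOB_ENTITLEMENTS = {
    "financial_controller": {"gl.read", "gl.post", "gl.approve"},
    "payroll_clerk":        {"payroll.read", "payroll.write"},
}

# Users with their job, accumulated role assignments and last recertification.
USERS = {
    "controller01": {
        "job": "financial_controller",
        "roles": ["gl_view", "gl_post", "gl_post_legacy", "gl_approve", "db_dba"],
        "last_recertified": date(2023, 1, 15),
    },
    "clerk02": {
        "job": "payroll_clerk",
        "roles": ["payroll_admin"],
        "last_recertified": date(2024, 5, 1),
    },
}


def effective_permissions(user):
    """Union of permissions across all roles held by the user."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USERS[user]["roles"]))


def excess_permissions(user):
    """Permissions held beyond what the user's job function entitles."""
    return effective_permissions(user) - JOB_ENTITLEMENTS[USERS[user]["job"]]


def redundant_roles(user):
    """Roles whose permissions are fully covered by the user's other roles.

    Candidates for removal; two identical roles each flag the other, so only
    one of such a pair should actually be dropped.
    """
    roles = USERS[user]["roles"]
    redundant = []
    for r in roles:
        others = set().union(*(ROLE_PERMISSIONS[o] for o in roles if o != r))
        if ROLE_PERMISSIONS[r] <= others:
            redundant.append(r)
    return redundant


def duplicate_roles():
    """Pairs of catalogue roles that grant exactly the same permissions."""
    names = sorted(ROLE_PERMISSIONS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ROLE_PERMISSIONS[a] == ROLE_PERMISSIONS[b]]


def overdue_recertification(as_of="2024-07-01", cycle_days=90):
    """Users whose last recertification is older than the review cycle."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=cycle_days)
    return sorted(u for u, rec in USERS.items() if rec["last_recertified"] < cutoff)


if __name__ == "__main__":
    for user in USERS:
        print(user, "effective:", sorted(effective_permissions(user)))
        print(user, "excess:", sorted(excess_permissions(user)))
        print(user, "redundant roles:", redundant_roles(user))
    print("duplicate catalogue roles:", duplicate_roles())
    print("overdue recertification:", overdue_recertification())
```

Run as a script it prints the findings for the constructed data: the controller holds db.dba beyond the approved entitlement, three of five roles add nothing, gl_post and gl_post_legacy are duplicates in the catalogue, and the controller's last recertification is outside a quarterly cycle. In a real review the same logic runs over an export of the identity store rather than inline dictionaries.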
Common Exam Trap
Don't confuse RBAC with "role mining" or "role engineering." Those are the processes of deriving role definitions, bottom-up from existing user-permission assignments or top-down from business functions. The exam asks about RBAC as a control mechanism: understand how it prevents excessive access and how an auditor tests it, not how roles are engineered technically.