RBAC (Role-Based Access Control)
RBAC grants permissions based on a user's assigned role — admin, member, moderator — rather than to the user individually, so access can be managed by changing role membership instead of editing per-user permissions.
Assigning permissions to individual users one at a time doesn't scale: a thousand-person organization would need a thousand separately maintained permission sets, and every access change would mean editing a specific person's record. Role-based access control fixes that by putting a layer of indirection between people and permissions: permissions attach to roles, and people are assigned to roles.
Changing what a "moderator" can do updates every moderator at once; changing who is a moderator is a one-line membership edit, not a rewrite of that person's entire permission set. Role bundles can also compose — an "admin" role might inherit everything a "member" role can do, plus more — which keeps the permission model legible even as it grows.
RBAC's limitation shows up with relationships that are specific to a pairing rather than a broad category — "this person can see this one client's data" doesn't fit neatly into a role someone either has or doesn't. That's usually where a system pairs RBAC with relationship-based access control (ReBAC) for the fine-grained cases roles handle awkwardly.
RBAC (Role-Based Access Control), in the product
Aanty uses role bundles for org-wide permissions (admin, member, moderator and similar) and pairs them with relationship tuples for fine-grained, per-pairing access — channel membership, guardian access, client-portal grants — so neither model is stretched to cover cases it wasn't built for.
Related terms and pages
See RBAC (Role-Based Access Control) in a real workspace
Bring a channel from wherever your team works today. In fifteen minutes we'll show what rbac (role-based access control) looks like on a real conversation, not a slide.