What is RBAC?

RBAC stands for Role-Based Access Control. It is an access management method in which users are granted access rights based on their role within the organisation.

Instead of assigning rights to individuals, you manage access by job function (e.g. operator, engineer, administrator).

RBAC is a widely used standard in both IT and OT and is recommended by, among others, ISO 27001, IEC 62443 and NIS2.

🎯 The aim of RBAC

• Limit excessive or unnecessary access rights
• Simplify management of access rights (through roles rather than individuals)
• Align access policy with functions and responsibilities
• Comply with security standards and audit requirements
• Support the “least privilege” principle

🔧 How does RBAC work?

RBAC works in 3 layers:

1. Users → are assigned to a role
2. Roles → represent a function group (e.g. Operator, Maintenance, Admin)
3. Rights/permissions → are assigned to the role (e.g. read-only, modify, execute)

A user therefore gains access through their role, not directly.

🧱 Example: an OT environment

🧠 RBAC vs. ABAC vs. DAC

✅ Benefits of RBAC

• Easy management of access rights per role
• Quick onboarding/offboarding of staff
• Less risk of overly broad access
• Easy integration with Active Directory or IAM
• Traceability and compliance for audits

🛠 Implementing RBAC

1. Identify functions/roles within the organisation
2. Determine which systems and actions are needed for each role
3. Map users to roles
4. Automate via IAM systems or directory services
5. Monitor and review regularly (e.g. through Access Review)

📌 In summary

RBAC controls access based on function or role, not per individual — easy to manage, scalable and easy to audit.