User -> Role -> Rights
– In an enterprise setting, access may be based on the job function or role of a user
payroll manager, project member, etc.
Access rights are associated with roles
Users authenticate themselves to the system
A user can then activate one or more roles for themselves
RBAC Benefits
Policy need not be updated when a person with a certain role leaves the organization
A new employee should be able to activate the desired role
Revisiting least privilege
A user in one role has access to a subset of the files
The user switches roles to gain access to other resources
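The User -> Role -> Rights chain with role activation, as an added Python sketch that is not part of the original notes. The user names, file names, operations and the Session class are assumptions made for illustration; authentication is assumed to have happened before a Session is created.

```python
# Constructed sample policy: users, files and operations are illustrative.
ROLE_RIGHTS = {                      # Role -> Rights
    "payroll_manager": {("payroll.db", "read"), ("payroll.db", "write")},
    "project_member":  {("design.doc", "read"), ("design.doc", "write")},
}
USER_ROLES = {                       # User -> Role (roles a user MAY activate)
    "alice": {"payroll_manager", "project_member"},
    "bob":   {"project_member"},
}

class Session:
    """Created after the user has authenticated; starts with no active role."""

    def __init__(self, user):
        if user not in USER_ROLES:
            raise PermissionError(f"unknown user {user!r}")
        self.user = user
        self.active = set()

    def activate(self, role):
        # Only roles assigned to the user can be activated.
        if role not in USER_ROLES[self.user]:
            raise PermissionError(f"{self.user} is not assigned {role}")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

    def check(self, resource, op):
        # Rights come only from currently active roles (least privilege).
        return any((resource, op) in ROLE_RIGHTS[r] for r in self.active)

def demo():
    s = Session("alice")
    s.activate("project_member")
    before = s.check("payroll.db", "read")      # role not active yet
    s.deactivate("project_member")
    s.activate("payroll_manager")               # switch roles
    after = s.check("payroll.db", "read")
    still = s.check("design.doc", "read")       # previous role was dropped
    # Alice leaves, Carol joins: only USER_ROLES changes, ROLE_RIGHTS does not.
    USER_ROLES.pop("alice")
    USER_ROLES["carol"] = {"payroll_manager"}
    c = Session("carol")
    c.activate("payroll_manager")
    return before, after, still, c.check("payroll.db", "write")

if __name__ == "__main__":
    print(demo())
```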