
6 Real-life RBAC Examples in 2026

Cem Dilmegani
updated on Jan 28, 2026

Nearly two-thirds of companies have 1,000 or more high-value files accessible to each employee. Role-based access control (RBAC) systems help organizations:

  • Assign employee roles based on job duties
  • Ensure roles and permissions are only issued to appropriate employees

Here are 6 real examples of RBAC implementations, with their challenges, solutions, and results.

Real-life RBAC Examples

1. Dresdner Bank

Major European bank with 368 different job functions and 1,300 roles.

Challenge: Manual Access Privilege Management

Each employee’s access privileges were manually handled at the application level. Increased use of internal apps led to significant administrative overhead. Maintaining several application-level privacy files for each user was inefficient and didn’t align with the overall security policy structure.

The bank changed its security system’s structure, administration, and control concepts by implementing RBAC.

Specific employee and role grouping: Before RBAC, employees could only be classified based on role, hierarchy, and organizational unit. With RBAC, employees are assigned group-specific access permissions based on different factors (demographics, department).

Inheritance structure: The bank previously didn’t have a role inheritance structure. The finance manager job title didn’t inherit the access rights of closely related job titles like accounting specialist or bookkeeping assistant manager.

RBAC enabled access rights to be inherited through the role hierarchy, enabling fine-grained access control.

Example: Before RBAC implementation, the finance manager had to ask the accounting specialist to edit the monthly accounting notes. Now the finance manager accesses monthly accounting notes directly since the job title inherits the accounting specialist role.1
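The inheritance described above can be sketched as a small hierarchical RBAC resolver. This is an added example, not code from the bank or from the article; the role names follow the text, while the `finance_staff` role, the permission strings and the function names are constructed for illustration.

```python
# Added example: hierarchical RBAC with constructed roles and permissions.
# Each senior role lists the junior roles whose permissions it inherits.
INHERITS_FROM = {
    "finance_manager": ["accounting_specialist", "bookkeeping_assistant_manager"],
    "accounting_specialist": ["finance_staff"],
    "bookkeeping_assistant_manager": ["finance_staff"],
    "finance_staff": [],
}

# Permissions granted directly to each role (constructed).
DIRECT_PERMISSIONS = {
    "finance_manager": {"approve:budget"},
    "accounting_specialist": {"edit:monthly_accounting_notes"},
    "bookkeeping_assistant_manager": {"edit:ledger"},
    "finance_staff": {"view:monthly_accounting_notes"},
}


def role_closure(role):
    """Return the role plus every role it inherits from, directly or transitively."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:  # already visited: also stops on a cyclic hierarchy
            continue
        if current not in INHERITS_FROM:
            raise KeyError(f"unknown role: {current}")
        seen.add(current)
        stack.extend(INHERITS_FROM[current])
    return seen


def effective_permissions(role):
    """Union of the role's own permissions and everything it inherits."""
    return set().union(*(DIRECT_PERMISSIONS.get(r, set()) for r in role_closure(role)))


def is_allowed(role, permission):
    """Deny by default: allowed only if some role in the closure grants it."""
    return permission in effective_permissions(role)


def granted_by(role, permission):
    """Access-review helper: which roles in the closure actually grant the permission."""
    return sorted(
        r for r in role_closure(role) if permission in DIRECT_PERMISSIONS.get(r, set())
    )
```

Inheritance runs one way only: the finance manager gains the accounting specialist's edit right, but the accounting specialist does not gain `approve:budget`.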

2. Interfaith Medical Center

U.S.-based multi-site community educational healthcare organization with 50,659 employees and 1,459 branches worldwide.

Challenge: Maintaining HIPAA Compliance

HIPAA requires setting role-based internal controls for employees to protect electronic healthcare patient data against inappropriate use.

Interfaith Medical Center administrators had to manually set the database configuration so only authorized employees (medical coders, healthcare managers) had access to patient data.

Solution and outcome: IT administrators used bulk management capabilities to create, remove, and edit numerous Active Directory accounts and set specific user permissions in a single operation.

Centralized access management: Administrators ensured all network access is through a login that is unique to each employee and not shared.

Automated RBAC management: After the bulk role-based access control implementation, the company claims it can confidently manage 1,000+ user objects, 750+ mailboxes, and 850+ workstations with two DBAs and five help desk specialists. 2

Many hospitals now combine RBAC with time-bound access. A surgeon gets elevated access only during the scheduled operation window, after which permissions automatically revert.
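Time-bound access of this kind can be modelled as a role grant with a validity window that is checked at every access decision, so reverting needs no separate revocation step. This is an added example, not taken from any hospital system; the user, role names, dates and function names are constructed.

```python
# Added example: time-bound role grants evaluated at decision time.
from datetime import datetime, timezone

UTC = timezone.utc

# Standing roles per user (constructed).
BASE_ROLES = {"dr_osei": {"doctor"}}

# Temporary elevations tied to a scheduled window (constructed).
TEMP_GRANTS = [
    {
        "user": "dr_osei",
        "role": "surgical_suite_elevated",
        "not_before": datetime(2026, 3, 2, 8, 0, tzinfo=UTC),
        "not_after": datetime(2026, 3, 2, 11, 0, tzinfo=UTC),
        "reason": "scheduled operation (constructed)",
    },
]


def active_roles(user, now):
    """Roles the user holds at `now`: standing roles plus grants whose window is open."""
    if now.tzinfo is None:
        # Naive timestamps make the window ambiguous across time zones.
        raise ValueError("use timezone-aware timestamps for access decisions")
    roles = set(BASE_ROLES.get(user, ()))
    for grant in TEMP_GRANTS:
        # Half-open window: valid from not_before up to, but excluding, not_after.
        if grant["user"] == user and grant["not_before"] <= now < grant["not_after"]:
            roles.add(grant["role"])
    return roles


def expired_grants(now):
    """Grants whose window has closed, for clean-up and audit reporting."""
    return [g for g in TEMP_GRANTS if g["not_after"] <= now]
```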

Modern healthcare RBAC structure:

Doctors:

  • Full access to patient medical records
  • Ability to prescribe medication

Nurses:

  • Access to treatment plans and vitals
  • No access to diagnosis modification

Administrative Staff:

  • Access to scheduling and billing
  • No access to medical histories

IT Staff:

  • Infrastructure access
  • No visibility into patient content

3. Western Union

American international financial services firm with 5,000+ employees headquartered in Denver, Colorado.

Challenges

Operating a centralized identity warehouse: The company’s current systems didn’t allow them to glean source data from numerous apps in the identity warehouse, resulting in an unclear picture of user access controls. When managers requested access remediation, they had to go through the ticketing system; however, the system didn’t effectively update the user profile.

Time-consuming administration of access controls: Administering access controls and reacting to regulatory changes took a long time. Each new hire required access to 7-10 applications and related permissions. Access was supplied manually, and it took ~20 minutes per person to submit an access request and receive first-level approval.

The company expected to see who has access to which programs, services, and files, and to be able to assess whether that access complies with security policy.

Solution and Outcome: Western Union transitioned to an identity and access management (IAM) platform with RBAC capabilities for ~750 applications.

Enhanced network visibility with an identity warehouse: Western Union began collecting all necessary role-based identity data from HR systems into a single identity warehouse, enabling full insight into users’ access privileges across a centralized environment with 600+ applications.

Robust user database management: The company claims the role-based identity management solution streamlined the provisioning procedure for departments that routinely hire new employees. Their provisioning of 50 users now takes 2.5 minutes, down from 14 minutes.3

Banks and fintech companies now treat RBAC as part of a zero-trust model with continuous auditing.

Modern financial services RBAC structure:

Fraud Analysts:

  • Access to transaction patterns
  • Cannot initiate transfers

Traders:

  • Can execute trades
  • Cannot modify risk models

Compliance Officers:

  • Read-only access across systems
  • Audit log visibility

AI Risk Models:

  • Run under service accounts with narrowly scoped roles
  • No human-level permissions

RBAC roles are now audited continuously. If an employee’s behavior deviates from their role’s normal pattern, access can be temporarily restricted pending review.

4. Large Bank (Site Reliability Engineering Team)

Large bank with a centralized site reliability engineering (SRE) team to oversee network security operations for all resources inside the firm.

Challenge: Manual Access Controls Through Kubernetes and Cloud Deployment

Manually maintaining access configuration across an increasing number of accounts was:

  • Error-prone
  • Non-compliant with certain network audit controls

Solution and Outcome: The bank leveraged templates to define role-based access controls (RBAC) for the SRE team and assigned them to the organization’s accounts.

Enhanced control with access policy templates: The bank created templates to manage cloud Kubernetes and cloud service clusters for MongoDB instances across sub-accounts. Next, it assigned the profile template to user accounts and provided the SRE team with the necessary policy templates. Finally, with role-based profile templates, SRE access was enabled in user accounts, and sub-account administrators lost the ability to change access controls.4

Most companies operate across multiple cloud providers with strict permission mapping.

Modern cloud infrastructure RBAC pattern:

Cloud Architects:

  • Full design and provisioning rights

DevOps Engineers:

  • Deployment and scaling permissions
  • No billing authority

Security Team:

  • Policy enforcement and audit access
  • No resource creation rights

Developers:

  • Environment-specific access (dev/test only)

Organizations increasingly block “wildcard roles.” Every permission must map to a clear business function, reducing the blast radius of compromised accounts.
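A wildcard block like this is usually enforced as an automated check over role definitions before they are applied. The following is an added example, not the bank's tooling: it audits constructed Role and ClusterRole objects in the Kubernetes RBAC shape, and the annotation key used to record the business function is a hypothetical convention.

```python
# Added example: audit role definitions for wildcards and missing justification.
# Hypothetical annotation key recording which business function a role serves.
FUNCTION_KEY = "example.com/business-function"

# Constructed objects in the Kubernetes RBAC shape, as parsed from manifests.
ROLES = [
    {
        "kind": "ClusterRole",
        "metadata": {"name": "sre-admin", "annotations": {FUNCTION_KEY: "sre-on-call"}},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
    {
        "kind": "Role",
        "metadata": {
            "name": "dev-deployer",
            "namespace": "dev",
            "annotations": {FUNCTION_KEY: "dev-deployments"},
        },
        "rules": [
            {"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["get", "list", "update"]},
            {"apiGroups": [""], "resources": ["pods/*"], "verbs": ["get"]},
        ],
    },
    {
        "kind": "Role",
        "metadata": {"name": "auditor", "namespace": "prod"},
        "rules": [{"apiGroups": [""], "resources": ["pods", "events"],
                   "verbs": ["get", "list", "watch"]}],
    },
]


def audit_roles(roles):
    """Return (role, problem) findings; an empty list means the set passes."""
    findings = []
    for role in roles:
        meta = role.get("metadata", {})
        ident = f'{role["kind"]}/{meta.get("name", "?")}'
        # Every role must state the business function it exists for.
        if not meta.get("annotations", {}).get(FUNCTION_KEY):
            findings.append((ident, "no business function recorded"))
        for index, rule in enumerate(role.get("rules") or []):
            for field in ("apiGroups", "resources", "verbs"):
                # Catches a bare "*" as well as partial wildcards such as "pods/*".
                if any("*" in value for value in rule.get(field, [])):
                    findings.append((ident, f"rules[{index}].{field} uses a wildcard"))
    return findings
```

Run in CI against the rendered manifests, a non-empty result fails the change before the role reaches a cluster.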

5. VLI

Rail-based logistics provider in Brazil. It manages a railroad system, 100 locomotives, and over 6,000 train vehicles, with 8,000 employees and 1,000 contractors.

Challenge: Complex Supply Chain Access Controls

The company had difficulties assigning access to records of goods movement and transactions.

VLI’s CISO: “We have ~9,000 employees who need to use various systems to move trains, and we need a governed system for better timing; employees cannot wait to have access to unload the truck.”

Truck drivers and train operators had to continually sign on to systems to obtain information and transactions as part of their cargo routine, which slowed the process and reduced productivity. Despite the presence of vast IT and development teams, there was no mechanism to detect or track privileged individuals who accessed VLI servers.5

Solution and Outcome: VLI migrated to a centralized user access control platform.

Fast user access management: VLI gained the capacity to give the right users access to relevant resources at the right time. It reduced user access request response times from 5 days to seconds.

Secured servers: VLI secured its servers by removing the requirement for shared authorized login information.

Reduced risk of malware and ransomware attacks: VLI limited the number of non-administrator users with administrative access on endpoints and set up lists of trusted and untrusted apps and instructions, minimizing the risk of cyber attacks.

6. Nine Entertainment

Australia’s largest domestically owned media company.

Challenge: Access Control Permissions

Maintaining custom-built solutions became a huge load on technical staff since they failed to manage thousands of access control permissions.

Solution and Outcome: Nine Entertainment created a unified directory with real-time AD sync and MFA to build standardized RBAC procedures.6

Unified access management: The company effectively uses 200+ connections to provide access to 50+ applications and multiple WordPress sites based on custom-built permissions.

Improved authentication controls: With the software implementation, Nine Entertainment users no longer need to enter MFA codes; authentication occurs smoothly.

Example: With identity management and RBAC features, Nine Entertainment could detect users logging in from any location, such as the home office. If the user needs to enroll with identity-based authentication, they’re guided via a self-service, wizard-based enrollment procedure.

7. SaaS Company

A mid-size SaaS company runs dozens of tools: Git repositories, CI/CD pipelines, customer databases, analytics dashboards, ticketing systems.

RBAC in Practice

Backend Engineers:

  • Read/write access to production code repositories
  • Limited access to production databases (often read-only)
  • No access to billing or HR systems

Product Managers:

  • Read-only access to analytics and logs
  • Write access to product configuration tools
  • No access to source code or infrastructure

Customer Support Agents:

  • Access to ticketing systems and masked customer data
  • No direct database or server access

With AI copilots embedded in developer tools, companies now restrict which roles can trigger automated deployments or AI-driven code changes. RBAC prevents accidental or unauthorized actions initiated by AI integrations.

8. E-Commerce Platform: Protecting Revenue-Critical Systems

An e-commerce company separates access based on revenue risk.

RBAC in Action

Marketing Team:

  • Access to CMS, promotions, and A/B testing tools
  • No access to pricing engines or payment gateways

Merchandising Team:

  • Product catalog and inventory access
  • Limited pricing permissions

Finance Team:

  • Refunds, invoicing, and reconciliation
  • No content or campaign access

Third-Party Vendors:

  • Role-restricted, temporary access
  • No lateral movement across systems

RBAC is now tightly integrated with fraud prevention systems. A role change (for example, a marketer temporarily helping finance) triggers mandatory approval workflows and enhanced logging.

9. AI & Data Teams: Controlling Model and Data Access

AI adoption forced companies to rethink RBAC.

Modern RBAC Setup

Data Scientists:

  • Access to training datasets
  • No access to raw customer identifiers

ML Engineers:

  • Model deployment permissions
  • Limited data access

Business Analysts:

  • Dashboard access only
  • No model or data modification

AI Agents:

  • Service roles with single-purpose permissions
  • No cross-system access

RBAC now applies to non-human identities just as strictly as to employees.

What Is RBAC?

Role-based access control (RBAC) is a model for managing user access to safeguard resources like information, applications, and systems from unauthorized access.

Figure 1: Role assignments of role-based access control

Problems Without RBAC

Applying the “least privilege” principle is difficult: Administrators can’t comprehend user roles and permissions, and might not identify the lowest degree of access an employee requires to accomplish tasks.

Onboarding takes longer: New-hire user permissions are submitted on a case-by-case basis via specific forms.

Job changes are complex: Controlling access for people who switch jobs requires individualized adjustment requests.

Unauthorized access risk: This might involve misuse, causing mirrored access (Bert’s access appearing like Eva’s).

RBAC Demonstration: Assigning Roles and Permissions

Consider a dental office that subscribes to a SaaS product to administer and promote healthcare services to potential customers, with the following modules:

Billing module: Collects payments from insurance companies and patients for medical services covered by dental billing codes.

Sales module: Enables dental settings to categorize potential leads according to the likelihood of purchasing a product/service.

Setting Up Permissions

Dental office administrators use the software’s user interface to assign permission access to various business functions.

Using drag-and-drop options, administrators create different permissions: “view,” “edit,” “create,” and “delete.”

Billing module permissions (billing manager only):

  • view: billing_codes
  • view: customer_ID
  • create: invoice

Sales module permissions (sales manager):

  • view: sales_database
  • create: sales_database
  • edit: sales_database
  • delete: sales_database

After setting permissions, the administrator creates a “sales manager” role and assigns these permissions to that role, limiting other employees’ access to the sales database.

Figure 2: Assessing RBAC policies for the “sales_manager” with user interface (UI) elements  

Figure 3: Example of how the data.json file may look for the “billing_manager” and the “sales_manager” roles: 
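One possible layout for such a data.json, with a loader that validates it and a deny-by-default check, is shown here as an added example; it is not the article's figure or the SaaS product's own file. The permissions are the ones listed above, while the JSON structure, the user assignments and the function names are assumptions.

```python
# Added example: a constructed data.json for the dental-office roles.
import json

DATA_JSON = """
{
  "roles": {
    "billing_manager": [
      {"action": "view", "resource": "billing_codes"},
      {"action": "view", "resource": "customer_ID"},
      {"action": "create", "resource": "invoice"}
    ],
    "sales_manager": [
      {"action": "view", "resource": "sales_database"},
      {"action": "create", "resource": "sales_database"},
      {"action": "edit", "resource": "sales_database"},
      {"action": "delete", "resource": "sales_database"}
    ]
  },
  "user_roles": {"bert": ["billing_manager"], "eva": ["sales_manager"]}
}
"""

# The four permission types the administrators can create.
ALLOWED_ACTIONS = {"view", "edit", "create", "delete"}


def load_policy(text):
    """Parse the policy and reject unknown actions or dangling role references."""
    policy = json.loads(text)
    for role, grants in policy["roles"].items():
        for grant in grants:
            if grant["action"] not in ALLOWED_ACTIONS:
                raise ValueError(f"{role}: unknown action {grant['action']!r}")
    for user, roles in policy["user_roles"].items():
        for role in roles:
            if role not in policy["roles"]:
                raise ValueError(f"{user}: assigned undefined role {role!r}")
    return policy


def check_access(policy, user, action, resource):
    """Deny by default: allow only if one of the user's roles lists the exact grant."""
    wanted = {"action": action, "resource": resource}
    return any(
        wanted in policy["roles"][role] for role in policy["user_roles"].get(user, [])
    )
```

Validating at load time means a mistyped action or a user pointing at a deleted role fails loudly instead of silently changing who can do what.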

5 Benefits of RBAC

1. Limited Excessive Access

With the transition to cloud infrastructure, SaaS apps, and single sign-on (SSO), individuals and groups frequently inherit roles with excessive access. RBAC reduces this risk by defining groups and subgroups so that users have access only to what they need.

Example: Users submit images to a competition for the best travel photos. Only competition judges should see those photos. The policy allows any input in the “travel_photo_judges” group to examine the photo “travel_photo1997.jpg.”

This is accomplished via RBAC evaluation, which passes group information to the evaluation engine and determines if the input indicated in the permission request is a member of the group.

2. Unique Access Control Policies

RBAC systems provide more granular access control policies tailored to a company’s needs than mainframe systems do.

Example: RBAC systems administrators employ roles for administrative purposes by restricting network access based on an individual’s role, such as “guest user with limited permissions.”

3. Application Level Support

RBAC helps companies have a granular access approach by supporting permissions at the application level.

Example: RBAC can assign a set of permissions in a writing program that allows users to read, edit, and delete content.

4. Flexible Role Allocation

RBAC models build relationships between roles, permissions, and users. Two roles might be mutually exclusive, enabling a single user to have two roles. Roles can inherit permissions provided to other roles.

Example: When permission is set, it can be allocated to numerous roles. Matt may hold both administrative and financial specialist roles, while Eva may only have a financial specialist role.

5. Demonstrating Compliance

Implementing RBAC helps financial institutions and healthcare providers demonstrate compliance with technical and operational standards, including HIPAA, PCI, and PHI.

Why Use RBAC?

Unauthorized network access accounted for 40% of third-party cyber intrusions in 2023. Considering that unauthorized access is one of the main drivers of data breaches, establishing RBAC is critical, especially for companies with several employees.

1. Improved Security

Minimized risk of unauthorized access: By assigning permissions based on roles rather than individuals, it is easier to ensure users only have access to the information and resources necessary for their roles.

Apply the least privilege principle: Users are granted the minimum level of access required to perform their jobs, reducing the risk of internal data breaches and exposure to sensitive information.

2. Simplified Management

Ease of administration: Administrators can easily assign and manage user permissions by role rather than managing them on an individual basis.

Scalability: As organizations grow, new users are quickly assigned to predefined roles, streamlining the onboarding process and ensuring consistent access control policies.

3. Reduced Risk of Errors

Centralized control: Centralized management of roles reduces the risk of human error in assigning permissions and ensures access policies are consistently enforced.

Clear accountability: RBAC makes it easier to determine responsibility and accountability for access to sensitive resources.

4. Adhere to Compliance

Regulatory compliance: RBAC helps organizations comply with various regulatory requirements by ensuring access to sensitive data is controlled and documented.

Audit trails: The role-based nature of access control makes it easier to track and audit who has access to what resources, facilitating better monitoring and reporting.

Future of RBAC

Across industries, RBAC has shifted:

  • From static job titles to dynamic, task-based roles
  • From permanent permissions to temporary, contextual access
  • From human-only control to human and AI identity governance

RBAC is no longer just about “who can log in.” It’s about who can act, when, and under what conditions, with every action traceable.
