
RBAC Examples - Inspiration & Best Practices

Discover RBAC examples and learn how organisations implement role-based access control for secure and manageable authorisation. From hierarchical roles to dynamic permissions.

Role-Based Access Control (RBAC) is an authorisation model where access rights are assigned to roles rather than individual users. Users are assigned one or more roles, and each role contains a set of permissions that determine which actions and resources are accessible. RBAC significantly simplifies access management, especially in organisations with many users and complex hierarchies. Below we show how various platforms successfully implement RBAC.

Multi-tenant SaaS with organisation roles

A project management SaaS platform implemented RBAC at two levels: platform level and organisation level. At platform level, roles include Super Admin and Support. Within each organisation, roles such as Owner, Admin, Manager, and Member exist with decreasing privileges. The Owner can invite team members and assign roles, while Members only have access to their own projects. Row-level security in PostgreSQL enforces that users can never access data from other organisations.

  • Two-tier RBAC: platform-wide and per organisation
  • Row-level security in PostgreSQL for tenant isolation
  • Invitation system with role selection during onboarding
  • Audit logging of all role assignments and permission changes
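The two-tier model above can be reduced to a single decision function that is always evaluated against one organisation, so a role held in one tenant never carries over to another. The following TypeScript is an added example written for this page, not the SaaS platform's own code; the role names follow the text, while `can`, `assignOrgRole`, the action names and the sample users are assumptions.

```typescript
// Added example (not the SaaS platform's code): two-tier RBAC for a multi-tenant SaaS.
// Platform roles apply everywhere; organisation roles apply only inside one tenant.
// Action names, `can`, `assignOrgRole` and the sample data are illustrative assumptions.

type PlatformRole = "super_admin" | "support" | null;
type OrgRole = "owner" | "admin" | "manager" | "member";
type Action = "project:read" | "project:write" | "member:invite" | "role:assign" | "org:delete";

// Organisation roles in decreasing order of privilege; a higher rank inherits everything below it.
const ORG_ROLE_RANK: Record<OrgRole, number> = { owner: 3, admin: 2, manager: 1, member: 0 };

// Minimum organisation role needed for each action.
const MIN_ROLE: Record<Action, OrgRole> = {
  "project:read": "member",
  "project:write": "member",
  "member:invite": "admin",
  "role:assign": "owner",
  "org:delete": "owner",
};

interface User {
  id: string;
  platformRole: PlatformRole;
  orgRoles: Record<string, OrgRole>; // orgId -> role; an absent key means "not a member"
}
interface Project { id: string; orgId: string; memberIds: string[]; }
interface AuditEntry { actor: string; event: string; orgId: string; target: string; role?: OrgRole; }

const auditLog: AuditEntry[] = [];

// Central decision function. Every check is scoped to one organisation, so a role in org A
// never leaks into org B (the same isolation the page enforces with row-level security).
function can(user: User, action: Action, orgId: string, project?: Project): boolean {
  if (project && project.orgId !== orgId) return false;   // cross-tenant object: always deny
  if (user.platformRole === "super_admin") return true;     // platform-wide override
  if (user.platformRole === "support") return action === "project:read";
  const role = user.orgRoles[orgId];
  if (!role) return false;                                  // not a member of this organisation
  if (ORG_ROLE_RANK[role] < ORG_ROLE_RANK[MIN_ROLE[action]]) return false;
  // Members only see their own projects; managers and above see the whole organisation.
  if (project && role === "member" && !project.memberIds.includes(user.id)) return false;
  return true;
}

// Role assignment is itself an authorised action, and every attempt is audited.
function assignOrgRole(actor: User, orgId: string, target: User, role: OrgRole): boolean {
  if (!can(actor, "role:assign", orgId)) {
    auditLog.push({ actor: actor.id, event: "role_assign_denied", orgId, target: target.id, role });
    return false;
  }
  target.orgRoles[orgId] = role;
  auditLog.push({ actor: actor.id, event: "role_assigned", orgId, target: target.id, role });
  return true;
}

// Constructed sample data for a stand-alone run.
function runScenario() {
  const owner: User = { id: "u1", platformRole: null, orgRoles: { acme: "owner" } };
  const member: User = { id: "u2", platformRole: null, orgRoles: { acme: "member" } };
  const support: User = { id: "u3", platformRole: "support", orgRoles: {} };
  const ownProject: Project = { id: "p1", orgId: "acme", memberIds: ["u2"] };
  const otherProject: Project = { id: "p2", orgId: "acme", memberIds: ["u1"] };
  const foreignProject: Project = { id: "p3", orgId: "globex", memberIds: ["u2"] };
  return {
    memberReadsOwn: can(member, "project:read", "acme", ownProject),        // true
    memberReadsOther: can(member, "project:read", "acme", otherProject),    // false
    memberCrossTenant: can(member, "project:read", "acme", foreignProject), // false: wrong tenant
    memberInvites: can(member, "member:invite", "acme"),                    // false: needs admin
    supportWrites: can(support, "project:write", "acme", ownProject),       // false: support is read-only
    memberPromotes: assignOrgRole(member, "acme", owner, "member"),         // false, audited
    ownerPromotes: assignOrgRole(owner, "acme", member, "manager"),         // true, audited
    auditEvents: auditLog.map((e) => e.event),
  };
}
```

The important design choice is that `can` takes the organisation as an explicit parameter and rejects any object whose `orgId` differs before it looks at roles at all; in the real system the database's row-level security policy makes the same check again, so a bug in the application layer cannot turn into a cross-tenant read.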

Content management system with editorial workflow

A media organisation implemented RBAC in their CMS with roles reflecting the editorial workflow: Author, Editor, Chief Editor, and Publisher. Authors can create and edit articles but not publish them. Editors review and provide feedback. Chief Editors approve articles for publication. Publishers have full control including deleting published content. Every action is logged for compliance purposes.

  • Workflow-based roles reflecting the editorial process
  • Approval flows with automatic notifications per role
  • Content-level permissions alongside section-level access
  • Complete audit trail of all content actions per user
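Workflow-based roles are easiest to reason about as a state machine in which each transition lists the roles that own that step. The TypeScript below is an added example for this page, not the media organisation's CMS; the four roles come from the text, and the state names, `transition`, the section check and the sample staff are assumptions.

```typescript
// Added example (not the media organisation's CMS): editorial workflow as a role-gated state machine.
// State names, `transition`, the section check and the sample data are illustrative assumptions.

type EditorialRole = "author" | "editor" | "chief_editor" | "publisher";
type ArticleState = "draft" | "in_review" | "approved" | "published" | "deleted";
type Transition = "submit" | "request_changes" | "approve" | "publish" | "delete";

interface Article { id: string; state: ArticleState; authorId: string; section: string; }
interface Staff { id: string; role: EditorialRole; sections: string[]; }

// Which roles may perform which transition, and from which states.
const WORKFLOW: Record<Transition, { from: ArticleState[]; to: ArticleState; roles: EditorialRole[] }> = {
  submit:          { from: ["draft"],     to: "in_review", roles: ["author"] },
  request_changes: { from: ["in_review"], to: "draft",     roles: ["editor", "chief_editor"] },
  approve:         { from: ["in_review"], to: "approved",  roles: ["chief_editor"] },
  publish:         { from: ["approved"],  to: "published", roles: ["publisher"] },
  delete:          { from: ["draft", "in_review", "approved", "published"], to: "deleted", roles: ["publisher"] },
};

interface ActionLog {
  userId: string; role: EditorialRole; articleId: string; transition: Transition;
  outcome: "ok" | "denied"; reason?: string;
}
const actionLog: ActionLog[] = [];

// Apply a transition only if section access, role and current state all allow it. Every attempt is logged.
function transition(user: Staff, article: Article, t: Transition): boolean {
  const rule = WORKFLOW[t];
  let reason: string | undefined;
  if (!user.sections.includes(article.section)) reason = "no section access";
  else if (!rule.roles.includes(user.role)) reason = "role not permitted";
  else if (!rule.from.includes(article.state)) reason = `invalid from state ${article.state}`;
  // Content-level rule on top of section-level access: authors only act on their own articles.
  else if (user.role === "author" && article.authorId !== user.id) reason = "not the author";
  actionLog.push({ userId: user.id, role: user.role, articleId: article.id, transition: t,
                   outcome: reason ? "denied" : "ok", reason });
  if (reason) return false;
  article.state = rule.to;
  return true;
}

// Constructed walk-through of one article from draft to published.
function runScenario() {
  const author: Staff = { id: "a1", role: "author", sections: ["politics"] };
  const otherAuthor: Staff = { id: "a2", role: "author", sections: ["politics"] };
  const editor: Staff = { id: "e1", role: "editor", sections: ["politics"] };
  const chief: Staff = { id: "c1", role: "chief_editor", sections: ["politics"] };
  const publisher: Staff = { id: "p1", role: "publisher", sections: ["politics", "sports"] };
  const article: Article = { id: "art-1", state: "draft", authorId: "a1", section: "politics" };
  const steps = [
    transition(otherAuthor, article, "submit"), // false: not the author
    transition(author, article, "publish"),     // false: authors cannot publish
    transition(author, article, "submit"),      // true: draft -> in_review
    transition(editor, article, "approve"),     // false: only chief editors approve
    transition(chief, article, "approve"),      // true: in_review -> approved
    transition(chief, article, "publish"),      // false: only publishers publish
    transition(publisher, article, "publish"),  // true: approved -> published
  ];
  return { steps, finalState: article.state, denied: actionLog.filter((e) => e.outcome === "denied").length };
}
```

Because the transition table is data rather than scattered `if` statements, the same table can be rendered as the permission overview for auditors, and a denied attempt is recorded with its reason rather than silently ignored.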

Healthcare application with compliance roles

A hospital system implemented RBAC conforming to healthcare compliance standards. Doctors have access to patient records within their own department, nurses see limited information relevant to their tasks, and administrative staff only access scheduling data. A break-glass mechanism allows doctors to temporarily gain extended access in emergencies, with every break-glass action logged and reviewed afterward.

  • Department-based access control conforming to healthcare standards
  • Break-glass mechanism for emergency access with audit logging
  • Least-privilege principle for every role
  • Periodic access reviews with automated reporting
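A break-glass grant is best modelled as a separate, time-bound object that widens one specific restriction and leaves a review item behind, rather than as a role change. The TypeScript below is an added example for this page, not the hospital system's code; the three roles follow the text, while the 30-minute window, `breakGlass`, `canAccessRecord`, the record parts and the sample clinicians are assumptions.

```typescript
// Added example (not the hospital system's code): department-scoped access plus a break-glass path
// that grants time-limited extended access, requires a justification, and queues the event for review.
// The 30-minute window, `breakGlass`, `canAccessRecord`, record parts and sample data are assumptions.

type ClinicalRole = "doctor" | "nurse" | "admin_staff";
type RecordPart = "full_record" | "care_summary" | "schedule";

interface Clinician { id: string; role: ClinicalRole; department: string; }
interface PatientRecord { patientId: string; department: string; }
interface Grant { userId: string; patientId: string; justification: string; expiresAt: number; reviewed: boolean; }

const BREAK_GLASS_TTL_MS = 30 * 60 * 1000;   // assumption: 30-minute emergency window
const grants: Grant[] = [];                   // active and expired break-glass grants
const accessLog: { userId: string; patientId: string; part: RecordPart; decision: "allow" | "deny"; breakGlass: boolean }[] = [];

// What each role may see by default; access is additionally limited to the clinician's own department.
const DEFAULT_PARTS: Record<ClinicalRole, RecordPart[]> = {
  doctor: ["full_record", "care_summary", "schedule"],
  nurse: ["care_summary", "schedule"],
  admin_staff: ["schedule"],
};

function activeGrant(userId: string, patientId: string, now: number): Grant | undefined {
  return grants.find((g) => g.userId === userId && g.patientId === patientId && g.expiresAt > now);
}

function canAccessRecord(user: Clinician, rec: PatientRecord, part: RecordPart, now: number): boolean {
  const roleAllows = DEFAULT_PARTS[user.role].includes(part);
  const sameDepartment = rec.department === user.department;
  let allow = roleAllows && sameDepartment;
  let viaBreakGlass = false;
  // Break-glass lifts the department restriction for doctors only; it never widens the role's parts.
  if (!allow && user.role === "doctor" && roleAllows && activeGrant(user.id, rec.patientId, now)) {
    allow = true;
    viaBreakGlass = true;
  }
  accessLog.push({ userId: user.id, patientId: rec.patientId, part, decision: allow ? "allow" : "deny", breakGlass: viaBreakGlass });
  return allow;
}

// Only doctors may break glass, a justification is mandatory, and the grant is time-bound and pending review.
function breakGlass(user: Clinician, patientId: string, justification: string, now: number): Grant | null {
  if (user.role !== "doctor" || justification.trim().length === 0) return null;
  const grant: Grant = { userId: user.id, patientId, justification, expiresAt: now + BREAK_GLASS_TTL_MS, reviewed: false };
  grants.push(grant);
  return grant;
}

// Grants a compliance officer still has to review afterwards.
function pendingReviews(): Grant[] { return grants.filter((g) => !g.reviewed); }

// Constructed scenario: a cardiologist needs an emergency-department patient's record.
function runScenario() {
  const t0 = 1_700_000_000_000; // constructed timestamp (ms)
  const drCardio: Clinician = { id: "d1", role: "doctor", department: "cardiology" };
  const nurseCardio: Clinician = { id: "n1", role: "nurse", department: "cardiology" };
  const erPatient: PatientRecord = { patientId: "pt-9", department: "emergency" };
  const before = canAccessRecord(drCardio, erPatient, "full_record", t0);                 // false: other department
  const noReason = breakGlass(drCardio, "pt-9", "   ", t0);                                // null: justification required
  const grant = breakGlass(drCardio, "pt-9", "unresponsive patient, suspected cardiac arrest", t0);
  const during = canAccessRecord(drCardio, erPatient, "full_record", t0 + 60_000);         // true: via break-glass
  const nurseTry = canAccessRecord(nurseCardio, erPatient, "full_record", t0 + 60_000);    // false: role never allows it
  const after = canAccessRecord(drCardio, erPatient, "full_record", t0 + BREAK_GLASS_TTL_MS + 1); // false: expired
  return {
    before, noReason: noReason === null, granted: grant !== null, during, nurseTry, after,
    pending: pendingReviews().length,
    breakGlassAccesses: accessLog.filter((e) => e.breakGlass).length,
  };
}
```

Two details matter for the audit: each access made under a grant is flagged as such in the access log, so reviewers can see exactly which reads the emergency justified, and a grant expires on its own, so nobody has to remember to revoke it.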

E-commerce back office with granular permissions

An e-commerce company built a back office with RBAC where roles can be combined with individual permissions. The Warehouse Staff role grants default access to inventory management and shipping. Through granular permissions, a specific employee can receive additional access to returns management without modifying the entire role. A permission matrix provides visibility into which roles hold which rights, and changes require Admin approval.

  • Combination of role-based and attribute-based access control
  • Granular permission overrides on top of default roles
  • Visual permission matrix for overview and management
  • Approval workflow for permission changes
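Granular overrides on top of default roles work cleanly when an employee's effective permissions are computed as the role's defaults plus only those overrides that have been approved. The TypeScript below is an added example for this page, not the e-commerce company's back office; the Warehouse Staff role and returns-management permission follow the text, while the other roles, permission names, `requestOverride`, `approveOverride`, `permissionMatrix` and the sample employees are assumptions.

```typescript
// Added example (not the e-commerce company's code): role defaults combined with per-user overrides
// that only take effect after approval, plus the permission matrix used for overview.
// Role and permission names beyond the text, the function names and the sample data are assumptions.

type BackOfficeRole = "warehouse_staff" | "customer_service" | "admin";
type Permission = "inventory:manage" | "shipping:manage" | "returns:manage" | "orders:view" | "permissions:approve";

const ALL_PERMISSIONS: Permission[] = ["inventory:manage", "shipping:manage", "returns:manage", "orders:view", "permissions:approve"];

const ROLE_PERMISSIONS: Record<BackOfficeRole, Permission[]> = {
  warehouse_staff: ["inventory:manage", "shipping:manage"],
  customer_service: ["orders:view", "returns:manage"],
  admin: ALL_PERMISSIONS,
};

interface Employee { id: string; role: BackOfficeRole; }
interface Override { id: number; employeeId: string; permission: Permission; requestedBy: string; approvedBy?: string; }

const overrides: Override[] = [];
const changeLog: string[] = [];

// Effective permissions = the role's defaults plus every *approved* override for this employee.
function effectivePermissions(emp: Employee): Permission[] {
  const perms: Permission[] = [...ROLE_PERMISSIONS[emp.role]];
  for (const o of overrides) {
    if (o.employeeId === emp.id && o.approvedBy && !perms.includes(o.permission)) perms.push(o.permission);
  }
  return perms;
}

function hasPermission(emp: Employee, p: Permission): boolean {
  return effectivePermissions(emp).includes(p);
}

// Anyone may request an override; nothing changes until someone with permissions:approve signs off.
function requestOverride(requester: Employee, target: Employee, p: Permission): Override {
  const o: Override = { id: overrides.length + 1, employeeId: target.id, permission: p, requestedBy: requester.id };
  overrides.push(o);
  changeLog.push(`override#${o.id} requested by ${requester.id}: ${target.id} += ${p}`);
  return o;
}

function approveOverride(approver: Employee, overrideId: number): boolean {
  const o = overrides.find((x) => x.id === overrideId);
  if (!o || !hasPermission(approver, "permissions:approve")) return false;
  if (o.approvedBy) return true; // already approved; idempotent
  o.approvedBy = approver.id;
  changeLog.push(`override#${o.id} approved by ${approver.id}`);
  return true;
}

// Permission matrix: role -> permission -> granted by default? This is the overview the page describes.
function permissionMatrix(): Record<BackOfficeRole, Record<Permission, boolean>> {
  const matrix = {} as Record<BackOfficeRole, Record<Permission, boolean>>;
  for (const role of Object.keys(ROLE_PERMISSIONS) as BackOfficeRole[]) {
    matrix[role] = {} as Record<Permission, boolean>;
    for (const p of ALL_PERMISSIONS) matrix[role][p] = ROLE_PERMISSIONS[role].includes(p);
  }
  return matrix;
}

// Constructed scenario: one warehouse employee gets returns management without touching the role.
function runScenario() {
  const alice: Employee = { id: "alice", role: "warehouse_staff" };
  const bob: Employee = { id: "bob", role: "warehouse_staff" };
  const lead: Employee = { id: "lead", role: "customer_service" };
  const admin: Employee = { id: "admin", role: "admin" };
  const beforeRequest = hasPermission(alice, "returns:manage");  // false
  const req = requestOverride(lead, alice, "returns:manage");
  const pending = hasPermission(alice, "returns:manage");        // false: not yet approved
  const leadApproves = approveOverride(lead, req.id);            // false: lacks permissions:approve
  const adminApproves = approveOverride(admin, req.id);          // true
  const afterApproval = hasPermission(alice, "returns:manage");  // true
  const bobUnchanged = hasPermission(bob, "returns:manage");     // false: the role itself is untouched
  return {
    beforeRequest, pending, leadApproves, adminApproves, afterApproval, bobUnchanged,
    warehouseCanApprove: permissionMatrix().warehouse_staff["permissions:approve"], // false
    changes: changeLog.length,                                                        // 2
  };
}
```

Keeping overrides in their own table with an `approvedBy` field means the approval step is enforced by the data model, not by UI discipline: an unapproved row simply never contributes to `effectivePermissions`, and the change log shows who asked for and who granted each exception.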

Developer platform with API-scoped roles

A developer platform implemented RBAC for API access with roles such as Read-Only, Developer, Maintainer, and Admin. Each API key is linked to a role that determines which endpoints and HTTP methods are accessible. Developers can read and write data but cannot modify configuration. Maintainers manage integrations and webhooks. The Admin has full control including user management and billing. Token scoping ensures API keys contain only the minimum required permissions.

  • API key scoping based on RBAC roles
  • Endpoint and method-level authorisation per role
  • Token scoping following the least-privilege principle
  • Rate limiting differentiated by role tier
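Token scoping comes down to two rules: a key may carry any subset of its role's scopes but never more, and each request is matched to the scope its method and endpoint require. The TypeScript below is an added example for this page, not the developer platform's code; the four roles follow the text, while the scope names, route table, `issueKey`, `authorise` and the sample keys are assumptions.

```typescript
// Added example (not the developer platform's code): API keys tied to a role, where a key's scopes are a
// subset of what the role allows, and requests are authorised by HTTP method + endpoint against those scopes.
// Scope names, the route table, `issueKey`, `authorise` and the sample keys are illustrative assumptions.

type ApiRole = "read_only" | "developer" | "maintainer" | "admin";
type Method = "GET" | "POST" | "PUT" | "DELETE";
type Scope = "data:read" | "data:write" | "integrations:manage" | "config:write" | "users:manage" | "billing:manage";

// The most a key of each role may hold; a key may be narrower, never wider.
const ROLE_SCOPES: Record<ApiRole, Scope[]> = {
  read_only: ["data:read"],
  developer: ["data:read", "data:write"],
  maintainer: ["data:read", "data:write", "integrations:manage"],
  admin: ["data:read", "data:write", "integrations:manage", "config:write", "users:manage", "billing:manage"],
};

// Scope required per (method, path prefix). First match wins; unmatched routes are denied.
const ROUTES: { method: Method; prefix: string; scope: Scope }[] = [
  { method: "GET", prefix: "/v1/items", scope: "data:read" },
  { method: "POST", prefix: "/v1/items", scope: "data:write" },
  { method: "PUT", prefix: "/v1/items", scope: "data:write" },
  { method: "DELETE", prefix: "/v1/items", scope: "data:write" },
  { method: "POST", prefix: "/v1/webhooks", scope: "integrations:manage" },
  { method: "PUT", prefix: "/v1/config", scope: "config:write" },
  { method: "POST", prefix: "/v1/users", scope: "users:manage" },
];

interface ApiKey { id: string; role: ApiRole; scopes: Scope[]; }

// Issue a key with exactly the requested scopes, refusing any scope the role does not include.
function issueKey(id: string, role: ApiRole, requested: Scope[]): ApiKey | null {
  const allowed = ROLE_SCOPES[role];
  if (requested.some((s) => !allowed.includes(s))) return null;
  const deduped = requested.filter((s, i) => requested.indexOf(s) === i);
  return { id, role, scopes: deduped };
}

type Decision = { allowed: boolean; reason: string };

function authorise(key: ApiKey, method: Method, path: string): Decision {
  const route = ROUTES.find((r) => r.method === method && path.startsWith(r.prefix));
  if (!route) return { allowed: false, reason: "unknown route (deny by default)" };
  if (!key.scopes.includes(route.scope)) return { allowed: false, reason: `missing scope ${route.scope}` };
  return { allowed: true, reason: "ok" };
}

// Constructed scenario: a CI key narrowed to reads, and an operations key for integrations.
function runScenario() {
  const tooWide = issueKey("k0", "developer", ["data:read", "config:write"]);   // null: exceeds the role
  const ciKey = issueKey("k1", "developer", ["data:read"])!;                    // developer role, read only
  const ops = issueKey("k2", "maintainer", ["data:write", "integrations:manage"])!;
  return {
    tooWideRejected: tooWide === null,
    ciReads: authorise(ciKey, "GET", "/v1/items/42").allowed,       // true
    ciWrites: authorise(ciKey, "POST", "/v1/items").allowed,        // false: key is narrower than its role
    opsWebhook: authorise(ops, "POST", "/v1/webhooks").allowed,     // true
    opsConfig: authorise(ops, "PUT", "/v1/config/limits").allowed,  // false: maintainers lack config:write
    unknownRoute: authorise(ops, "DELETE", "/v1/config").allowed,   // false: no matching route
  };
}
```

The key-issuing step is where least privilege is enforced: a CI job that only reads items gets a key that cannot write even though the developer who created it could, so a leaked key exposes the scopes on the key rather than everything the role can do.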

Key takeaways

  • RBAC simplifies access management by linking permissions to roles rather than individual users.
  • Hierarchical and multi-level roles suit complex organisational structures and multi-tenant platforms.
  • The least-privilege principle should guide design: grant each role only the minimum necessary permissions.
  • Audit logging of all role assignments and access attempts is essential for compliance.
  • Combining RBAC with attribute-based access control provides flexibility for exceptions.

How MG Software can help

MG Software implements robust RBAC systems that match your organisational structure and compliance requirements. From designing role hierarchies and permission matrices to technical implementation with row-level security and JWT claims — we ensure your authorisation layer is secure, manageable, and scalable.

Further reading

  • Examples
  • Single Sign-On Examples - Inspiration & Best Practices
  • Rate Limiting Examples - Inspiration & Best Practices
  • RBAC vs ABAC: Which Should You Choose?
  • What is RBAC? - Definition & Meaning (Role-Based Access Control)

Related articles

Single Sign-On Examples - Inspiration & Best Practices

Discover single sign-on examples and learn how organisations implement SSO for secure and seamless authentication. SAML, OAuth, and OIDC in practice.

File Upload Systems Examples - Inspiration & Best Practices

Explore file upload systems examples and learn how platforms implement secure, scalable file uploads. From chunked uploads to virus scanning and CDN delivery.

Rate Limiting Examples - Inspiration & Best Practices

Discover rate limiting examples and learn how platforms restrict API requests to prevent abuse, ensure stability, and guarantee fair usage.

What is GDPR? - Definition & Meaning

Learn what GDPR (General Data Protection Regulation) is, what obligations it imposes on businesses, and how to make your software GDPR-compliant.

Frequently asked questions

What is the difference between RBAC and ABAC?

RBAC assigns permissions based on roles (function or position). ABAC uses attributes of the user, resource, action, and environment to make dynamic decisions. RBAC is simpler to manage, while ABAC is more fine-grained but more complex. Many systems combine both approaches.

How do you implement RBAC in a Next.js application?

Store roles and permissions in your database, add role claims to JWT tokens or sessions, and check permissions both in middleware (route-level) and in components (UI-level). Server-side checks with row-level security in the database form the last line of defence.
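The route-level part of that answer can be shown end to end: verify the token before trusting any of its claims, then compare the role claim against the minimum role for the route. The TypeScript below is an added example for this page, not MG Software's code; it hand-rolls HS256 with Node's `node:crypto` so it runs stand-alone, whereas a Next.js application would normally use a maintained JWT library. The secret, the route table, the claim names and the sample tokens are constructed assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not MG Software's code): role claims carried in an HS256 JWT, verified and checked in a
// route-level middleware. The secret, route table, claim names and sample tokens are constructed assumptions;
// a real Next.js app would use a maintained JWT library instead of the hand-rolled signing below.

const SECRET = "constructed-demo-secret-do-not-reuse"; // assumption: HMAC key for this demo only
type Role = "member" | "manager" | "admin";
const ROLE_RANK: Record<Role, number> = { member: 0, manager: 1, admin: 2 };

interface Claims { sub: string; role: Role; org: string; exp: number; }

const b64url = (s: string) => Buffer.from(s, "utf8").toString("base64url");

function signToken(claims: Claims): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

function decodeJson(segment: string): any {
  try { return JSON.parse(Buffer.from(segment, "base64url").toString("utf8")); } catch { return null; }
}

// Verify algorithm, signature (constant-time) and expiry before trusting any claim in the payload.
function verifyToken(token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const header = decodeJson(head);
  if (!header || header.alg !== "HS256") return null;   // reject alg=none and algorithm confusion
  const expected = createHmac("sha256", SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodeJson(body);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= now) return null;
  if (typeof claims.role !== "string" || !(claims.role in ROLE_RANK)) return null;
  return claims as Claims;
}

// Route table: minimum role per path prefix (assumption). Unknown routes are denied.
const ROUTE_MIN_ROLE: { prefix: string; role: Role }[] = [
  { prefix: "/api/admin", role: "admin" },
  { prefix: "/api/reports", role: "manager" },
  { prefix: "/api/projects", role: "member" },
];

type Outcome = { status: 200 | 401 | 403 | 404; claims?: Claims };

// The middleware: authenticate via the bearer token, then authorise by role rank for the route.
// Object-level checks (is this the caller's project?) stay in the handler and in row-level security.
function middleware(authorization: string | undefined, path: string, now: number): Outcome {
  if (!authorization || !authorization.startsWith("Bearer ")) return { status: 401 };
  const claims = verifyToken(authorization.slice("Bearer ".length), now);
  if (!claims) return { status: 401 };
  const route = ROUTE_MIN_ROLE.find((r) => path.startsWith(r.prefix));
  if (!route) return { status: 404 };
  if (ROLE_RANK[claims.role] < ROLE_RANK[route.role]) return { status: 403 };
  return { status: 200, claims };
}

// Constructed scenario, including a token whose payload was edited after signing.
function runScenario() {
  const now = 1_700_000_000; // constructed timestamp (s)
  const member = signToken({ sub: "u1", role: "member", org: "acme", exp: now + 3600 });
  const admin = signToken({ sub: "u2", role: "admin", org: "acme", exp: now + 3600 });
  const expired = signToken({ sub: "u3", role: "admin", org: "acme", exp: now - 1 });
  const [h, , s] = member.split(".");
  const edited = `${h}.${b64url(JSON.stringify({ sub: "u1", role: "admin", org: "acme", exp: now + 3600 }))}.${s}`;
  return {
    memberProjects: middleware(`Bearer ${member}`, "/api/projects/1", now).status, // 200
    memberAdmin: middleware(`Bearer ${member}`, "/api/admin/users", now).status,   // 403
    adminAdmin: middleware(`Bearer ${admin}`, "/api/admin/users", now).status,     // 200
    expiredToken: middleware(`Bearer ${expired}`, "/api/projects/1", now).status,  // 401
    editedToken: middleware(`Bearer ${edited}`, "/api/admin/users", now).status,   // 401: signature no longer matches
    noToken: middleware(undefined, "/api/projects/1", now).status,                 // 401
  };
}
```

The order inside `verifyToken` is the point: the algorithm and signature are checked before the payload is parsed for its role, so an edited role claim fails with 401 rather than being read and then compared. UI-level checks on the same claim only hide buttons; this middleware, the handler's object-level check and the database's row-level security are what actually deny access.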

How do you manage roles in fast-growing teams?

Use hierarchical roles so higher roles automatically inherit the permissions of lower roles. Implement a self-service portal for managers to manage role assignments. Conduct periodic access reviews and automate permission revocation on role changes.

MG Software builds custom software, websites and AI solutions that help businesses grow.

© 2026 MG Software B.V. All rights reserved.