Role-Based Access Control (RBAC) is the standard means of authorization (access control). The other approach is ACLs (access control lists), where a table defines who can do what. ACLs are only workable for very small systems, for the following reasons:
Example of an ACL
Using ACLs has led to broken authorization and access control throughout applications, and authorization checks end up being limited to critical operations just to keep the number of permits low.
But RBAC is here to save the day.
RBAC separates the concepts of Users, Roles and Permissions. Roles are defined in the system, and Permissions are defined separately. The security administrator then decides which role is permitted to perform which action by assigning permissions to roles. Finally, users are assigned to roles. The system does the rest.
What was described above is NIST Level 1 (flat) RBAC, and it still has issues. NIST Level 2 RBAC requires Roles and/or Permissions to be hierarchical, so that they can be managed as hierarchies rather than one by one. The figure below shows a system modelled in hierarchical RBAC:
A hierarchical RBAC model of a system
Blue: roles, Gray: users, Yellow: permissions
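To make the two levels concrete, here is an added example (not code from the original page or from any particular RBAC library) that models users, roles and permissions exactly as separated above, and then adds the hierarchies that NIST Level 2 calls for. It assumes NIST-style inheritance: a senior role inherits every permission of the roles beneath it, and holding a permission also grants every sub-permission beneath it in the permission tree. All role, permission and user names are constructed for the demo.

```python
from collections import deque


class Rbac:
    """Minimal hierarchical RBAC model (NIST Level 2 style).

    Roles and permissions each form a tree whose edges point from a
    senior node to its junior nodes. Assumptions made for this example:
      * a role inherits all permissions of its junior roles;
      * holding a permission grants all permissions beneath it.
    Users are never tied to permissions directly, only to roles.
    """

    def __init__(self):
        self.role_children = {}   # role -> set of junior roles
        self.perm_children = {}   # permission -> set of sub-permissions
        self.role_perms = {}      # role -> permissions assigned directly
        self.user_roles = {}      # user -> roles assigned directly

    def add_role(self, role, parent=None):
        if parent is not None and parent not in self.role_perms:
            raise KeyError(f"unknown parent role: {parent}")
        self.role_children.setdefault(role, set())
        self.role_perms.setdefault(role, set())
        if parent is not None:
            self.role_children[parent].add(role)

    def add_permission(self, perm, parent=None):
        if parent is not None and parent not in self.perm_children:
            raise KeyError(f"unknown parent permission: {parent}")
        self.perm_children.setdefault(perm, set())
        if parent is not None:
            self.perm_children[parent].add(perm)

    def assign(self, role, perm):
        """The administrator's step: a role is permitted an action."""
        if role not in self.role_perms or perm not in self.perm_children:
            raise KeyError("unknown role or permission")
        self.role_perms[role].add(perm)

    def add_user(self, user, *roles):
        unknown = [r for r in roles if r not in self.role_perms]
        if unknown:
            raise KeyError(f"unknown roles: {unknown}")
        self.user_roles.setdefault(user, set()).update(roles)

    @staticmethod
    def _closure(start, children):
        """All nodes reachable from `start` following senior->junior edges."""
        seen, queue = set(), deque(start)
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            queue.extend(children.get(node, ()))
        return seen

    def effective_permissions(self, user):
        roles = self._closure(self.user_roles.get(user, ()), self.role_children)
        direct = set()
        for role in roles:
            direct |= self.role_perms[role]
        return self._closure(direct, self.perm_children)

    def check(self, user, perm):
        """Authorization decision: unknown users and unknown permissions deny."""
        return perm in self.effective_permissions(user)


def build_demo():
    """Constructed sample system: four roles in a chain, a permission tree."""
    rbac = Rbac()
    rbac.add_role("admin")
    rbac.add_role("editor", parent="admin")
    rbac.add_role("author", parent="editor")
    rbac.add_role("reader", parent="author")
    rbac.add_permission("content")
    rbac.add_permission("content/read", parent="content")
    rbac.add_permission("content/write", parent="content")
    rbac.add_permission("content/write/own", parent="content/write")
    rbac.add_permission("content/publish", parent="content")
    rbac.add_permission("users/manage")
    rbac.assign("reader", "content/read")
    rbac.assign("author", "content/write/own")
    rbac.assign("editor", "content/write")      # implies content/write/own
    rbac.assign("editor", "content/publish")
    rbac.assign("admin", "users/manage")
    rbac.add_user("alice", "admin")
    rbac.add_user("bob", "author")
    rbac.add_user("carol", "reader")
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(demo.effective_permissions(user)))
```

Note what the hierarchy buys: `admin` is assigned only `users/manage`, yet alice can publish and read because those permissions flow up from the junior roles, and `editor` holds `content/write/own` without it ever being assigned, because it sits under `content/write`. The root permission `content` is never assigned to anyone, so even alice is denied it; a check on an unknown user or an unknown permission is denied as well.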