Skip to content

2. Role based access control

Role-Based Access Control (RBAC) in Databases

RBAC is a security model that assigns roles to users and grants permissions to those roles instead of individual users. This simplifies access management, improves security, and ensures compliance with the principle of least privilege (PoLP).

1. Key Concepts of RBAC

🔹 Users: Individuals or applications that need database access.
🔹 Roles: Groups of permissions assigned to users (e.g., admin, developer, read-only).
🔹 Permissions: Specific actions allowed (e.g., SELECT, INSERT, UPDATE).
🔹 Privileges: Rights to perform operations on database objects (e.g., tables, views, stored procedures).

2. Benefits of RBAC

✅ Simplifies permission management: Permissions are assigned to roles, not individual users.
✅ Enhances security: Prevents unauthorized access by following least privilege principles.
✅ Eases compliance: Helps enforce regulatory requirements (e.g., GDPR, HIPAA, PCI-DSS).
✅ Scales easily: New users can be added to existing roles without modifying permissions.

3. Implementing RBAC in Different Databases

3.1 PostgreSQL Example

-- Create roles
CREATE ROLE admin_role;
CREATE ROLE dev_role;
CREATE ROLE readonly_role;

-- Grant privileges to roles
GRANT ALL PRIVILEGES ON DATABASE mydb TO admin_role;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO dev_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_role;

-- Assign roles to users
GRANT admin_role TO alice;
GRANT dev_role TO bob;
GRANT readonly_role TO charlie;

3.2 MySQL Example

-- Create roles
CREATE ROLE 'admin_role';
CREATE ROLE 'dev_role';
CREATE ROLE 'readonly_role';

-- Grant privileges to roles
GRANT ALL PRIVILEGES ON mydb.* TO 'admin_role';
GRANT SELECT, INSERT, UPDATE ON mydb.* TO 'dev_role';
GRANT SELECT ON mydb.* TO 'readonly_role';

-- Assign roles to users
GRANT 'admin_role' TO 'alice'@'localhost';
GRANT 'dev_role' TO 'bob'@'localhost';
GRANT 'readonly_role' TO 'charlie'@'localhost';

3.3 SQL Server Example

-- Create roles
CREATE ROLE admin_role;
CREATE ROLE dev_role;
CREATE ROLE readonly_role;

-- Grant privileges to roles
GRANT CONTROL ON DATABASE::mydb TO admin_role;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO dev_role;
GRANT SELECT ON SCHEMA::dbo TO readonly_role;

-- Assign roles to users
ALTER ROLE admin_role ADD MEMBER alice;
ALTER ROLE dev_role ADD MEMBER bob;
ALTER ROLE readonly_role ADD MEMBER charlie;

4. Best Practices for RBAC Implementation

✅ Follow the principle of least privilege (PoLP): Grant only necessary permissions.
✅ Use predefined roles for common use cases: E.g., admin, developer, analyst.
✅ Regularly review and audit roles and permissions: Prevent privilege creep.
✅ Use schemas for better organization: Assign different schemas for different teams.
✅ Enforce strong authentication mechanisms: Combine RBAC with Multi-Factor Authentication (MFA).

By using RBAC, organizations can ensure secure, scalable, and manageable access control in their databases.