```{contents}
```
## Role-Based Access Control (RBAC)
**Role-Based Access Control (RBAC)** is a security model where **permissions are assigned to roles**, and **users receive permissions by being assigned roles**.

Instead of managing permissions per user, you manage them per **role**.

---

### Why RBAC Is Important

| Problem Without RBAC | Solution With RBAC           |
| -------------------- | ---------------------------- |
| Permission explosion | Centralized role management  |
| Inconsistent access  | Enforced policy              |
| High security risk   | Least-privilege enforcement  |
| Hard to audit        | Clear responsibility mapping |

---

### Core RBAC Concepts

```
User ── assigned to ──► Role ── grants ──► Permissions
```

| Entity     | Purpose        |
| ---------- | -------------- |
| User       | Identity       |
| Role       | Job function   |
| Permission | Allowed action |

---

### Example Roles & Permissions

| Role   | Permissions                            |
| ------ | -------------------------------------- |
| Admin  | create_user, delete_user, view_reports |
| Editor | edit_content, publish_content          |
| Viewer | read_content                           |

---

### Basic RBAC Implementation

#### Demonstration (Python)

```python
roles = {
    "admin": {"create_user", "delete_user", "view_reports"},
    "editor": {"edit_content", "publish_content"},
    "viewer": {"read_content"}
}

users = {
    "alice": {"admin"},
    "bob": {"editor"},
    "carol": {"viewer"}
}

def has_permission(user, permission):
    # Deny by default: unknown users have no roles, unknown roles grant nothing.
    for role in users.get(user, set()):
        if permission in roles.get(role, set()):
            return True
    return False
```

---

### Enforcing Access Control

#### Demonstration

```python
def perform_action(user, action):
    if not has_permission(user, action):
        return "Access Denied"
    return f"Action '{action}' executed for {user}"
```

---

### Dynamic Role Assignment

#### Demonstration

```python
def assign_role(user, role):
    # Create the user's role set on first assignment.
    users.setdefault(user, set()).add(role)

def revoke_role(user, role):
    # discard() is a no-op if the user lacks the role, so revocation is idempotent.
    users.get(user, set()).discard(role)
```

---

### RBAC with API Endpoints

#### Demonstration

```python
def api_handler(user, action):
    if not has_permission(user, action):
        return {"status": 403, "message": "Forbidden"}
    return {"status": 200, "message": "Success"}
```
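The enforcement, dynamic role assignment and API endpoint sections above are combined here into one added example (not code from the original page). It wraps the same role and user maps in a deny-by-default class, refuses assignment of undefined roles, records every check for auditing, and guards handlers with a `require_permission` decorator; the class, decorator and sample data are all constructed for this illustration.

```python
from functools import wraps

class Rbac:
    """Deny-by-default RBAC: users hold roles, roles hold permissions."""

    def __init__(self, roles):
        self.roles = {name: set(perms) for name, perms in roles.items()}
        self.users = {}
        self.audit = []  # (user, permission, allowed) records for later review

    def assign_role(self, user, role):
        # Refuse unknown roles so a typo cannot silently create an empty role.
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.users.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        # Idempotent: revoking a role the user lacks is a no-op.
        self.users.get(user, set()).discard(role)

    def permissions_of(self, user):
        # Union of all permissions granted by the user's roles (empty if none).
        return set().union(*(self.roles[r] for r in self.users.get(user, ())))

    def has_permission(self, user, permission):
        allowed = permission in self.permissions_of(user)
        self.audit.append((user, permission, allowed))
        return allowed

def require_permission(rbac, permission):
    """Guard an API handler; the caller's identity is the first argument."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not rbac.has_permission(user, permission):
                return {"status": 403, "message": "Forbidden"}
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator

# Constructed sample data mirroring the roles table above (hypothetical users).
rbac = Rbac({
    "admin": {"create_user", "delete_user", "view_reports"},
    "editor": {"edit_content", "publish_content"},
    "viewer": {"read_content"},
})
rbac.assign_role("alice", "admin")
rbac.assign_role("bob", "editor")

@require_permission(rbac, "publish_content")
def publish(user, doc):
    return {"status": 200, "message": f"{user} published {doc}"}
```

Revoking `bob`'s editor role takes effect on the very next call, because the check reads the live role map rather than a cached decision.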

---

### Principle of Least Privilege

Assign only the **minimum permissions** a user needs to do their job. A new user who only needs to read content gets the viewer role, not editor or admin:

```python
assign_role("dave", "viewer")  # grants read_content and nothing more
```

---

### Mental Model

```
RBAC = Who you are → What you can do
```

---

### Key Takeaways

* RBAC simplifies permission management
* Improves security and auditability
* Enforces least privilege
* Essential for any multi-user system
