---
title: "Role-Based Access Control — AP Cybersecurity Definition"
description: "Role-based access control (RBAC) grants permissions based on a user's job role, not their identity. Learn how it fits Unit 4 authentication and authorization on the AP Cybersecurity exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Role-Based Access Control — AP Cybersecurity Definition

## Definition

Role-based access control (RBAC) is an access control model that assigns permissions to roles (like "nurse" or "accountant") rather than to individual users, so a person gets access based on the job they hold inside an organization.

## What It Is

Role-based access control ([RBAC](/ap-cybersecurity/key-terms/rbac "fv-autolink")) decides what you're allowed to do based on your **role**, not your name. Instead of handing permissions to each person one at a time, an admin builds roles like "HR manager" or "help desk technician" and attaches permissions to those roles. When someone joins the team, you drop them into a role and they instantly inherit everything that role can do. When they switch jobs, you swap the role.

This is the **[authorization](/ap-cybersecurity/key-terms/authorization "fv-autolink")** half of access control. Authentication (CED [Topic 4.2](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink")) proves *who you are*, using factors like something you know, have, or are. Authorization decides *what you can touch* once you're verified. RBAC is one of the major models for handling that second step. The big win is scalability and consistency: ten thousand employees become a few dozen roles, and everyone in the same role gets the same access, which kills the random one-off permissions that create security holes.

## Why It Matters

RBAC lives in **[Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices**, anchored to Topic 4.2 [Authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink"). It builds directly on the authentication objectives there. Once a system verifies identity (CED 4.2.C, determining the authentication factor used) it still has to decide what that verified user can access, and RBAC is how organizations answer that at scale. It connects to the core security goal behind EK 4.2.C.1: making sure *only authorized users* reach a system. RBAC enforces the principle of least privilege, giving each role only the access its job actually needs, which shrinks the damage an attacker can do if they crack one account.

## Connections

### Authentication factors (Unit 4)

Authentication checks your identity; RBAC checks your permissions. They run back to back. You log in with a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") or biometric (CED 4.2.C), then RBAC looks at your role to decide what you can open. One without the other is useless.

### DAC and MAC access control models (Unit 4)

RBAC is one of a family of [access control](/ap-cybersecurity/key-terms/access-control "fv-autolink") models. DAC lets the resource owner hand out permissions, MAC enforces system-wide security labels, and RBAC ties permissions to job roles. Knowing how they differ is the whole point of this corner of Unit 4.

### Password attacks and least privilege (Unit 4)

EK 4.2.B.1 says a cracked password gives an attacker everything that user could access. RBAC limits that blast radius. If a compromised account only holds a low-privilege role, the attacker is boxed in instead of roaming free.

### Access control lists and ACLs (Unit 4)

An ACL spells out which specific users or groups can touch a specific resource. RBAC is the cleaner, scalable cousin: instead of editing long per-resource lists, you manage a handful of roles, and the permissions flow from there.

## On the AP Exam

Expect RBAC in multiple-choice stems that describe a workplace scenario and ask which access control model fits, or that contrast it with DAC, MAC, and RuBAC. A typical stem gives you a setup like "a hospital wants every nurse to have identical record access" and asks you to name the model. You should be able to define RBAC in one sentence, explain that permissions attach to roles instead of individuals, and tie it to least privilege and the authorization step that follows authentication in Topic 4.2. No released FRQ uses the exact phrase, but RBAC supports the kind of secure-configuration reasoning Unit 4 questions reward.

## role-based access control vs DAC (discretionary access control)

RBAC ties access to your job role, set centrally by an admin. DAC lets the owner of a file or resource decide who gets in, at their own discretion. RBAC is consistent and scalable; DAC is flexible but easy to misconfigure because individual owners make the calls.

## Key Takeaways

- Role-based access control (RBAC) assigns permissions to roles, and users get access by being placed into a role rather than by being granted permissions one at a time.
- RBAC is the authorization step that follows authentication: first a system verifies who you are, then RBAC decides what you can access.
- RBAC enforces least privilege, so a compromised account only exposes whatever its role could already reach.
- On the exam, you'll usually distinguish RBAC from DAC, MAC, and RuBAC by matching each to a workplace scenario.
- RBAC lives in Unit 4, Topic 4.2, and ties into the goal of making sure only authorized users access a system (EK 4.2.C.1).

## FAQs

### What is role-based access control in AP Cybersecurity?

It's an [access control model](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 "fv-autolink") where permissions are attached to job roles, like "nurse" or "accountant," and users inherit those permissions by being assigned to a role. It shows up in Unit 4, Topic 4.2, as part of how systems handle authorization.

### Is RBAC the same as authentication?

No. Authentication proves who you are using a factor like a password or biometric. RBAC is authorization, deciding what a verified user can access. RBAC kicks in after authentication succeeds.

### How is RBAC different from DAC?

RBAC assigns access based on your role and is managed centrally by an admin, while DAC lets the owner of a resource decide who can access it. RBAC scales better and stays consistent; DAC is more flexible but easier to misconfigure.

### Why do organizations use RBAC instead of granting permissions one user at a time?

Managing thousands of individual users is error-prone and creates random permissions that become security holes. RBAC collapses that into a few roles, so onboarding, role changes, and offboarding are clean and consistent.

### How does RBAC limit damage from a password attack?

EK 4.2.B.1 notes that a cracked password gives an attacker everything that user could access. If RBAC keeps that account in a low-privilege role, the attacker is confined to that role's narrow permissions instead of the whole system.

## Related Study Guides

- [4.2 Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control#resource","name":"Role-Based Access Control — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:31.911Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control#term","name":"role-based access control","description":"Role-based access control (RBAC) is an access control model that assigns permissions to roles (like \"nurse\" or \"accountant\") rather than to individual users, so a person gets access based on the job they hold inside an organization.","url":"https://fiveable.me/ap-cybersecurity/key-terms/role-based-access-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is role-based access control in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's an [access control model](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 \"fv-autolink\") where permissions are attached to job roles, like \"nurse\" or \"accountant,\" and users inherit those permissions by being assigned to a role. It shows up in Unit 4, Topic 4.2, as part of how systems handle authorization."}},{"@type":"Question","name":"Is RBAC the same as authentication?","acceptedAnswer":{"@type":"Answer","text":"No. Authentication proves who you are using a factor like a password or biometric. RBAC is authorization, deciding what a verified user can access. RBAC kicks in after authentication succeeds."}},{"@type":"Question","name":"How is RBAC different from DAC?","acceptedAnswer":{"@type":"Answer","text":"RBAC assigns access based on your role and is managed centrally by an admin, while DAC lets the owner of a resource decide who can access it. RBAC scales better and stays consistent; DAC is more flexible but easier to misconfigure."}},{"@type":"Question","name":"Why do organizations use RBAC instead of granting permissions one user at a time?","acceptedAnswer":{"@type":"Answer","text":"Managing thousands of individual users is error-prone and creates random permissions that become security holes. RBAC collapses that into a few roles, so onboarding, role changes, and offboarding are clean and consistent."}},{"@type":"Question","name":"How does RBAC limit damage from a password attack?","acceptedAnswer":{"@type":"Answer","text":"EK 4.2.B.1 notes that a cracked password gives an attacker everything that user could access. If RBAC keeps that account in a low-privilege role, the attacker is confined to that role's narrow permissions instead of the whole system."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"role-based access control"}]}]}
```
