
    Permission-based access control (PBAC)

    Permission-based access control (PBAC) is a method of restricting access to application functionality and data based on permissions assigned to roles (or individual users).

    A table showing permission-based access control.

Dynamic access control that allows permissions to be adjusted as users’ roles evolve or as new responsibilities arise.

Access control that scales with you. New permissions can be defined and assigned without requiring a complete overhaul of your access control system.

Managing user access becomes more efficient with PBAC.

In PBAC, an application's functionality is defined in terms of the tasks a user can perform within it.

Roles are then given a set of permissions to that functionality, which determine what actions users associated with the role can perform.

For example, consider a project management application. Functionalities could be defined for “manage project”, “assign tasks to team members”, “view assigned tasks”, “update task status” and “generate reports”. Access to these functionalities can then be assigned to roles. The “project managers” role might have permission to “manage project”, “assign tasks to team members”, “update task status” and “generate reports”, while the “team members” role might have permission to “view assigned tasks” and “update task status”.


Once roles are defined and associated with permissions, users can be assigned to those roles, and their access to application functionality and data will be restricted accordingly. For example, a user assigned to the “team members” role would only be able to perform the actions associated with that role, while a user assigned to the “project managers” role would have additional permissions to perform project management tasks.

Similar, but also different

At first sight this might look very similar to role-based access control, but the implications of using PBAC instead are:


  1. Flexible roles

When multiple organisations are using the same application, they are able to define different roles and permissions. Based on the example above, there is no problem if an organisation wants to add an “assistant project managers” role that is allowed to “assign tasks to team members” and “generate reports”.


  2. Simplicity

The growth of organisations will never affect the permissions model and each organisation can (if needed) define the roles they need. Applications won’t be affected by roles since they will always evaluate access to the functionality and never check if a user belongs to a specific role.


  3. Least privilege access

PBAC makes it possible to assign just the necessary permissions to each role and by doing that avoid access creep. This reduces the risk of unauthorized access and data breaches, as users always have just the necessary access.


  4. Full customization

PBAC systems allow for granular customization of roles and permissions for each organisation. This makes it easy to align their specific needs with your applications.
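The project management example and the “Flexible roles” and “Simplicity” points above, as an added sketch that is not code from the original page. The organisation ids, user names and function names are assumptions and all data is constructed; the application code checks a permission and never a role name, and anything not explicitly granted is denied.

```python
from enum import Enum

class Permission(Enum):
    MANAGE_PROJECT = "manage project"
    ASSIGN_TASKS = "assign tasks to team members"
    VIEW_ASSIGNED_TASKS = "view assigned tasks"
    UPDATE_TASK_STATUS = "update task status"
    GENERATE_REPORTS = "generate reports"

P = Permission
MANAGER = {P.MANAGE_PROJECT, P.ASSIGN_TASKS, P.UPDATE_TASK_STATUS, P.GENERATE_REPORTS}
MEMBER = {P.VIEW_ASSIGNED_TASKS, P.UPDATE_TASK_STATUS}

# Role definitions are per-organisation data (constructed sample), so a tenant
# can add a role without any change to the application code below.
ROLES = {
    "org-a": {"project managers": MANAGER, "team members": MEMBER},
    "org-b": {"project managers": MANAGER, "team members": MEMBER,
              "assistant project managers": {P.ASSIGN_TASKS, P.GENERATE_REPORTS}},
}

# user -> (organisation, assigned role names); constructed sample users
USERS = {
    "alice": ("org-a", {"project managers"}),
    "bob": ("org-a", {"team members"}),
    "carol": ("org-b", {"assistant project managers"}),
    "dave": ("org-b", {"interns"}),  # role not defined in org-b: grants nothing
}

def effective_permissions(user):
    """Union of the permissions of the user's roles, resolved in their own organisation."""
    if user not in USERS:
        return frozenset()  # unknown user: deny by default
    org, role_names = USERS[user]
    org_roles = ROLES.get(org, {})
    perms = set()
    for name in role_names:
        perms |= org_roles.get(name, set())  # undefined role adds nothing
    return frozenset(perms)

def has_permission(user, permission):
    return permission in effective_permissions(user)

class AccessDenied(Exception):
    pass

def generate_report(user):
    # The check names the functionality, never a role.
    if not has_permission(user, P.GENERATE_REPORTS):
        raise AccessDenied(f"{user} lacks '{P.GENERATE_REPORTS.value}'")
    return f"report generated for {user}"
```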


We recommend permission-based access control over role-based access control if possible.

FAQ: Permission-based access control

  • What is Attribute-based access control (ABAC)?

  • How can Attribute-based access control (ABAC) be implemented?

  • Will permission-based access control make initial configuration harder for new organisations using our applications?

  • Can we use PBAC even though our application is using RBAC today?
