Role-Based Access Control (RBAC)
A model where permissions are granted to roles, and users are assigned to roles, rather than permissions being assigned per user.
In detail
Role-Based Access Control (RBAC) is the standard pattern for organising permissions in any application with more than a handful of users. Roles like "admin", "clinician", "finance" or "support" carry permissions, and users inherit permissions through their role. The advantage is that adding a new user is a single role assignment, and changing permissions for an entire role propagates instantly. RBAC is supported natively in most identity platforms (Microsoft Entra, Auth0, Okta) and most databases including Postgres.
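The model described above, as an added illustration rather than code from the page or from any of the identity platforms it names: roles carry permissions, users are assigned to roles, and an access check resolves a user's effective permissions through their roles and denies by default. The role names ("admin", "clinician", "finance", "support") are taken from the paragraph; the permission strings and the user names are constructed sample data.

```python
# Added example of the RBAC model: permissions attach to roles, users attach to roles.
# Role names follow the page; permission strings and users are constructed sample data.

# Constructed: what each role is allowed to do. Nothing here is granted per user.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "admin": frozenset({"patients:read", "patients:write", "invoices:read",
                        "invoices:write", "users:manage"}),
    "clinician": frozenset({"patients:read", "patients:write"}),
    "finance": frozenset({"invoices:read", "invoices:write"}),
    "support": frozenset({"patients:read"}),
}


class Rbac:
    """Minimal RBAC store: role -> permissions, user -> roles, deny-by-default checks."""

    def __init__(self, role_permissions: dict[str, frozenset[str]]) -> None:
        # Copy into mutable sets so permissions can be changed per role later.
        self._role_perms: dict[str, set[str]] = {r: set(p) for r, p in role_permissions.items()}
        self._user_roles: dict[str, set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        """Adding a user is a single role assignment; unknown roles are rejected."""
        if role not in self._role_perms:
            raise KeyError(f"unknown role: {role}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Remove one role from a user; their other roles are untouched."""
        self._user_roles.get(user, set()).discard(role)

    def grant_to_role(self, role: str, permission: str) -> None:
        """Change a role's permissions; every user in that role picks it up immediately."""
        self._role_perms[role].add(permission)

    def revoke_from_role(self, role: str, permission: str) -> None:
        self._role_perms[role].discard(permission)

    def permissions_of(self, user: str) -> frozenset[str]:
        """Effective permissions = union over the user's roles. Unknown user -> empty set."""
        return frozenset(
            perm
            for role in self._user_roles.get(user, set())
            for perm in self._role_perms[role]
        )

    def can(self, user: str, permission: str) -> bool:
        """Deny by default: only an explicit role-held permission returns True."""
        return permission in self.permissions_of(user)


def demo() -> dict[str, bool]:
    """Walk through the behaviours the text describes and return the observed checks."""
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign("alice", "clinician")   # constructed users
    rbac.assign("bob", "finance")
    rbac.assign("carol", "support")

    results = {
        "clinician_reads_patients": rbac.can("alice", "patients:read"),
        "clinician_cannot_read_invoices": not rbac.can("alice", "invoices:read"),
        "finance_writes_invoices": rbac.can("bob", "invoices:write"),
        "unknown_user_denied": not rbac.can("mallory", "patients:read"),
    }

    # Changing a role propagates to every member of that role at once.
    rbac.grant_to_role("support", "invoices:read")
    results["role_change_propagates"] = rbac.can("carol", "invoices:read")

    # Revoking a role removes everything it carried; nothing was granted per user.
    rbac.revoke("carol", "support")
    results["revoked_user_denied"] = not rbac.can("carol", "patients:read")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check belongs on the server at the point where data is read or written, not only in the UI that hides buttons; the `can()` call is the single place an audit would look to confirm that a "support" user cannot reach invoices.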
Why it matters for Australian business
For Australian businesses with sensitive data (healthcare, NDIS, legal, financial) RBAC is a baseline expectation from auditors and regulators. The Privacy Act, AHPRA and NDIS frameworks all imply role-appropriate access controls. Vibe-coded apps frequently ship with a flat permission model where everyone can see everything. This is one of the first things we add when we audit and fix.