Best Role-Based Access Control (RBAC) database model [closed]

To my rather basic knowledge in that area, the basic actors of an RBAC are:

  • Resources.
  • Permissions.
  • Users.
  • Roles (i.e. Groups).

Resources <- require -> (one or many) Permissions.

Roles <- are collections of -> (one or many) Permissions.

Users <- can have -> (one or many) Roles.

The tables for such a model would be:

  • permission
  • role
  • user
  • role_permission
  • user_role

Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.


Here is a simple diagram to illustrate Amr Mostafa's excellent answer



I happen to be working on the RBAC sub-system here at work at the moment... what a coincidence.

My model is based on the building blocks of the different entities in the system that require permissions, be they attributes to view/update or actions to perform. There are also, of course, different roles in the system (which can be given to users), and the glue that holds the whole thing together is the access rule, which connects a specific role, a specific permission-needing entity and the permission granted. An access rule might look like these:

rule 14: guest role + page name + read permission
rule 46: approver role + add column + execute permission

and so on. I'll leave the ERD as an exercise to the reader ;-) if you have questions, leave a comment.

Yuval =8-)
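Added example (not code from either answer above): the five tables from Amr Mostafa's answer plus the access rule from Yuval's answer, built in an in-memory SQLite database with one check function per model. The `entity` and `access_rule` tables, all column names, and the sample users/roles/entities are assumptions constructed for the example; rule ids 14 and 46 reuse the two rules Yuval quoted. The point it shows: in the role/permission model a permission is global (a guest who can "read" can read everything), while an access rule scopes the same permission to one entity, and in both models an unknown user, a user with no roles, or an unknown permission falls through to deny.

```python
import sqlite3

# Assumed schema for the example: the five tables from Amr's answer, then the
# entity and access_rule tables from Yuval's answer. Names are illustrative.
SCHEMA = """
CREATE TABLE user       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE role       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permission (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
-- roles are sets of permissions, users hold sets of roles
CREATE TABLE user_role (
    user_id INTEGER NOT NULL REFERENCES user(id),
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permission (
    role_id       INTEGER NOT NULL REFERENCES role(id),
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    PRIMARY KEY (role_id, permission_id));
-- an access rule binds a role, a permission-needing entity and a permission
CREATE TABLE entity (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE access_rule (
    id            INTEGER PRIMARY KEY,
    role_id       INTEGER NOT NULL REFERENCES role(id),
    entity_id     INTEGER NOT NULL REFERENCES entity(id),
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    UNIQUE (role_id, entity_id, permission_id));
"""


def build_db():
    """Create the schema and seed constructed sample data (assumptions, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user(name) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    conn.executemany("INSERT INTO role(name) VALUES (?)", [("guest",), ("approver",)])
    conn.executemany("INSERT INTO permission(name) VALUES (?)", [("read",), ("execute",)])
    conn.executemany("INSERT INTO entity(name) VALUES (?)", [("page name",), ("add column",)])
    # alice is a guest, bob is guest + approver, carol has no role at all
    conn.executemany(
        "INSERT INTO user_role SELECT u.id, r.id FROM user u, role r WHERE u.name = ? AND r.name = ?",
        [("alice", "guest"), ("bob", "guest"), ("bob", "approver")])
    conn.executemany(
        "INSERT INTO role_permission SELECT r.id, p.id FROM role r, permission p "
        "WHERE r.name = ? AND p.name = ?",
        [("guest", "read"), ("approver", "execute")])
    # the two rules quoted in Yuval's answer
    conn.executemany(
        "INSERT INTO access_rule(id, role_id, entity_id, permission_id) "
        "SELECT ?, r.id, e.id, p.id FROM role r, entity e, permission p "
        "WHERE r.name = ? AND e.name = ? AND p.name = ?",
        [(14, "guest", "page name", "read"), (46, "approver", "add column", "execute")])
    conn.commit()
    return conn


def has_permission(conn, username, permission):
    """Role/permission model: True if any role held by the user carries the permission.
    No row means deny, which also covers unknown users and unknown permissions."""
    row = conn.execute("""
        SELECT 1 FROM user u
        JOIN user_role ur       ON ur.user_id = u.id
        JOIN role_permission rp ON rp.role_id = ur.role_id
        JOIN permission p       ON p.id = rp.permission_id
        WHERE u.name = ? AND p.name = ? LIMIT 1""", (username, permission)).fetchone()
    return row is not None


def effective_permissions(conn, username):
    """Union of the permissions of all roles the user holds."""
    rows = conn.execute("""
        SELECT DISTINCT p.name FROM user u
        JOIN user_role ur       ON ur.user_id = u.id
        JOIN role_permission rp ON rp.role_id = ur.role_id
        JOIN permission p       ON p.id = rp.permission_id
        WHERE u.name = ?""", (username,))
    return {name for (name,) in rows}


def is_allowed(conn, username, entity, permission):
    """Access-rule model: True only if a rule binds one of the user's roles to
    this specific entity with this permission."""
    row = conn.execute("""
        SELECT 1 FROM user u
        JOIN user_role ur   ON ur.user_id = u.id
        JOIN access_rule ar ON ar.role_id = ur.role_id
        JOIN entity e       ON e.id = ar.entity_id
        JOIN permission p   ON p.id = ar.permission_id
        WHERE u.name = ? AND e.name = ? AND p.name = ? LIMIT 1""",
        (username, entity, permission)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(db, user)),
              "read page:", is_allowed(db, user, "page name", "read"),
              "exec add column:", is_allowed(db, user, "add column", "execute"))
```

Every check is a parameterized query that returns a row or nothing, so the decision is "row exists", never string concatenation on the user-supplied name; that keeps the authorization path itself free of injection. Note that alice's global "read" in the role/permission model does not translate into `is_allowed(..., "add column", "read")` in the rule model, because no rule grants it.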