RBAC Architecture
Role-Based Access Control (RBAC) decides what a user is allowed to do by assigning them roles, and granting permissions to those roles. This diagram shows the three RBAC tiers — users, roles (with inheritance), and permissions — and the eight-step authorization check flow a chatbot runs when Alice asks "Show me team sales for Q4". Hover over any user, role, or permission for details.
Interactive Demo
You can embed this MicroSim in your own page with the following iframe:
1 | |
Overview
The diagram has three horizontal tiers and two kinds of connections:
- User layer (blue) — Alice, Bob, Carol, and Dan, each an employee.
- Role layer (green) — Employee (the base role), Sales Rep, Sales Manager, HR Specialist, Finance, and standalone Admin. Dashed arrows show inheritance: Sales Manager inherits from Sales Rep, which inherits from Employee.
- Permission layer (orange) — fine-grained rights like
read_team_sales,read_pii,approve_discounts, and the*wildcard held only by Admin.
Solid arrows are direct user→role assignments and role→permission grants; dashed arrows are role→role inheritance. Because permissions flow down the inheritance chain, a Sales Manager automatically gets everything a Sales Rep and an Employee can do, plus their own.
The Authorization Check Flow in the right panel walks the runtime decision:
the system identifies Alice, gathers her roles, resolves the full permission set
through inheritance, checks that read_team_sales is present, and grants the
query.
Lesson Plan
- Resolve a permission set: Have students list every permission Alice has by following her inheritance chain.
- Trace a denial: Ask whether Bob (Sales Rep) could run "approve a discount" and explain why or why not.
- Compare inheritance vs. direct grant: Why is inheritance useful instead of granting each permission to each role directly?
- Reason about Admin: What are the risks of the
*wildcard, and how should it be protected?