RBAC best practices: what access teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7434
Topic starter  

TL;DR: RBAC improves access governance only when roles, least privilege, reviews, logging, and offboarding are treated as operating controls rather than a one-time design exercise, according to Cerbos. The hard part is not defining roles but keeping them accurate as people, responsibilities, and permissions change.

NHIMG editorial — based on content published by Cerbos: Role-Based Access Control or RBAC best practices

By the numbers:

Questions worth separating out

Q: How should security teams design RBAC roles without creating privilege creep?

A: Start from actual duties, not reporting lines, and keep each role as small and reusable as possible.

Q: Why does RBAC fail when organisations do not review role assignments regularly?

A: Because RBAC depends on permissions staying accurate as people move, leave, or change responsibilities.

Q: What do security teams get wrong about least privilege in RBAC?

A: They often treat least privilege as a one-time policy choice rather than an ongoing entitlement discipline.

Practitioner guidance

  • Rebuild roles around actual duties: map each role to the smallest stable task set, then remove permissions that exist only because of historical exceptions or org-chart inheritance.
  • Separate conflicting entitlements explicitly: identify combinations of permissions that should never coexist and split them across distinct roles or approval paths.
  • Tie access reviews to mover and leaver events: trigger reviews when someone changes function, team, vendor status, or contract state, then remove permissions that no longer match the current need.
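As an added illustration of the three controls above (this is example code written for this post, not the Cerbos guide's own policy language or API), a small Python model of a role catalogue with separation-of-duty pairs and a mover/leaver review. The role names, permission strings and constraint list are constructed sample data, not taken from the source.

```python
# Constructed sample role catalogue: role -> set of permissions it grants.
# Names and permission strings are hypothetical, chosen to show the checks.
ROLES = {
    "invoice_submitter": {"invoice:create", "invoice:read"},
    "invoice_approver": {"invoice:approve", "invoice:read"},
    "payments_operator": {"payment:release", "invoice:read"},
    "invoice_viewer": {"invoice:read"},
    "reporting_reader": {"invoice:read", "report:read"},
}

# Separation-of-duty constraints: permission pairs that must never coexist
# on a single identity, however they are inherited. Constructed for the example.
SOD_CONSTRAINTS = [
    ("invoice:create", "invoice:approve"),   # cannot both raise and approve an invoice
    ("invoice:approve", "payment:release"),  # cannot both approve and pay out
]


def effective_permissions(assigned_roles):
    """Union of everything the assigned roles grant (what the identity can actually do)."""
    perms = set()
    for role in assigned_roles:
        perms |= ROLES[role]
    return perms


def sod_violations(assigned_roles):
    """Return the SoD pairs that the combined role set would violate (empty list = clean)."""
    perms = effective_permissions(assigned_roles)
    return [pair for pair in SOD_CONSTRAINTS if pair[0] in perms and pair[1] in perms]


def redundant_roles(assigned_roles):
    """Roles that add no permission beyond the other assigned roles: candidates for removal
    when trimming an identity back to the smallest role set that covers its duties."""
    out = []
    for role in assigned_roles:
        others = effective_permissions([r for r in assigned_roles if r != role])
        if ROLES[role] <= others:
            out.append(role)
    return out


def review_on_mover_event(current_roles, new_duty_roles):
    """Mover/leaver review: keep only what the new duties justify, flag the rest for removal.
    A leaver is the special case new_duty_roles == [] (everything is flagged)."""
    justified = effective_permissions(new_duty_roles)
    stale = effective_permissions(current_roles) - justified
    return {"remove": stale, "keep": justified}
```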

What's in the full article

Cerbos's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step RBAC policy construction guidance for defining rules, scope, and ownership
  • Practical examples of role hierarchy design and separation of duty decisions
  • Implementation detail for logging, monitoring, and incident response around unauthorised access
  • Maintenance advice for records, approvals, and permission changes over time

Read Cerbos's guide to RBAC best practices and access control governance.
