Cross-Cutting Guides Intermediate 12 min read

RBAC Design Patterns: Building Maintainable, Least-Privilege Permission Systems

rbac access-control least-privilege policy-as-code identity

RBAC Design Patterns: Building Maintainable, Least-Privilege Permission Systems

Problem

Every permission system starts clean. One role for read-only users, one for editors, one for admins. Then a product requirement arrives that doesn’t quite fit. An analyst needs access to dashboards but not user records. A contractor needs write access to one bucket but not the rest. An on-call engineer needs elevated permissions but only on weekends. Each exception is handled with an ad-hoc assignment: a direct permission here, a copy-pasted role there, a wildcard that “we’ll tighten later.”

Six months on, the system has forty-three roles, twenty direct user-to-permission assignments, and three roles named “admin_v2”, “admin_final”, and “admin_new” with overlapping but non-identical permissions. Nobody knows which users hold which effective permissions. Access reviews are manual, quarterly, and routinely skipped because they take two days of spreadsheet work to prepare. When a developer leaves, their access is deprovisioned from the IdP but the twelve direct service account bindings they accumulated over two years remain active.

This is not an unusual situation. It is the default destination of any permission system managed without explicit design principles.

RBAC — role-based access control — is the correct foundation for most systems, but the name covers a wide range of implementations from “permissions assigned to roles instead of users” (the useful baseline) through to formally structured role hierarchies with segregation-of-duties constraints and policy-as-code enforcement (the maintainable state). The gap between the two is design.

This article covers the design patterns that distinguish maintainable RBAC from role sprawl: how to model roles correctly, how to structure hierarchies, how to enforce temporal access constraints, how to express policy as code, and how to detect and eliminate the anti-patterns that accumulate in ad-hoc systems.

Target systems: Kubernetes clusters (RBAC, ClusterRoles, RoleBindings), AWS IAM (permission boundaries, Service Control Policies), GCP IAM (custom roles, policy binding), and application-layer RBAC backed by any identity provider.

Threat Model

1. Privilege creep via accumulation. Users accumulate permissions over time as their responsibilities expand but old access is never revoked. An engineer moves from the platform team to the application team and retains both sets of access. The threat is not a single misconfiguration but the compounding effect of never removing access that is no longer needed.

2. Superuser role proliferation. A role that was originally cluster-admin for emergency break-glass scenarios becomes the default assigned to senior engineers “for convenience.” The blast radius of a compromised credential expands to match the most privileged role assigned to it.

3. Direct user-to-permission bindings that bypass role lifecycle management. A permission is assigned directly to a user for a time-limited task, the expiry date is not enforced, and the binding persists for years. Direct bindings do not appear in role-membership audits and are easy to miss in access reviews.

4. Misconfigured role inheritance. A role hierarchy grants editor all permissions of viewer plus additional ones. A new restricted-viewer role is created for contractors but inadvertently inherits from editor instead of viewer. Hierarchy mistakes silently grant more access than intended.

5. Segregation-of-duties violations. A single role or role combination allows a user to both approve a change and deploy it to production, or to both create invoices and authorise payments. This is the class of access control failure that enables insider fraud and is commonly required to be prevented by compliance frameworks (SOX, PCI-DSS).

Configuration / Implementation

Principle 1: A Role is a Job Function, Not a Person

The most common RBAC modelling mistake is creating person-specific roles. alice-admin, bob-readonly, contractor-john are not roles — they are users with role-sounding names. When Alice leaves, her “role” is deleted and her permissions disappear from the audit trail. When another Alice joins and needs similar access, a new role is created rather than using the existing one.

A role represents a job function that multiple principals can hold simultaneously and that exists independently of the current holder:

# roles.yaml — role definitions tied to job functions
roles:
  - name: platform-engineer
    description: "Manages cluster infrastructure, CI pipelines, and platform services."
    permissions:
      - kubernetes:cluster:read
      - kubernetes:namespace:write
      - kubernetes:workloads:write
      - ci:pipelines:write
      - secrets:platform:read

  - name: application-developer
    description: "Develops and deploys application services within assigned namespaces."
    permissions:
      - kubernetes:namespace:read
      - kubernetes:workloads:write
      - kubernetes:workloads:read
      - ci:pipelines:read
      - secrets:app:read

  - name: security-auditor
    description: "Read-only access to security tooling, logs, and policy outputs."
    permissions:
      - kubernetes:cluster:read
      - logs:audit:read
      - policies:read
      - vulnerabilities:read

The test: if you remove every current holder from a role, should the role still exist? If yes, it is a real role. If no, you have modelled a person.

Principle 2: Functional Decomposition Before Role Assignment

A single “user” role that grants all the permissions a typical user needs is the most common source of over-privilege. Most users need read access to most things and write access to a narrow subset. Combining read and write into a single role means the least-privilege access for a read-heavy user becomes the most-privilege access available without escalating to admin.

Decompose roles along the read/write/admin axis for each functional domain:

# Decomposed roles for a deployment pipeline domain
roles:
  - name: deployment-viewer
    description: "Read-only access to deployment state and history."
    permissions:
      - deployments:read
      - deployment-history:read
      - deployment-logs:read

  - name: deployment-operator
    description: "Can trigger deployments to non-production environments."
    inherits: deployment-viewer
    permissions:
      - deployments:trigger:staging
      - deployments:trigger:dev
      - deployment-rollback:staging

  - name: deployment-admin
    description: "Full deployment control including production."
    inherits: deployment-operator
    permissions:
      - deployments:trigger:production
      - deployment-rollback:production
      - deployment-config:write

A developer who needs to monitor deployments without triggering them gets deployment-viewer. An on-call engineer who needs production rollback gets deployment-admin for the duration of the on-call shift only (see temporal access patterns below). The permissions granted match the work being done, not the seniority of the person doing it.

Principle 3: Role Hierarchy Design — When to Flatten, When to Nest

Role inheritance (a role that inherits all permissions of a parent role plus additional ones) is powerful and dangerous in roughly equal measure. It reduces duplication and keeps role definitions readable, but deep hierarchies become opaque: a user assigned deployment-admin may hold sixty permissions through three levels of inheritance, and nobody auditing the system can see that without tracing the hierarchy.

Use shallow hierarchies (one or two levels) when permissions are additive and the inheritance is obvious. deployment-operator inheriting deployment-viewer is clear: operators can do everything viewers can, plus trigger deployments.

Flatten to explicit permissions when the inheritance would create unexpected grants. If senior-engineer would inherit from both platform-engineer and application-developer, the union of permissions may grant access to secrets from both domains simultaneously. In this case, define senior-engineer explicitly with only the permissions it needs rather than inheriting a superset.

Never inherit from admin roles. Any role that inherits from cluster-admin, iam-admin, or equivalent becomes an admin role by another name. Admin capabilities should be explicit in the role definition, never implied through inheritance.

Principle 4: Temporal Access Patterns — JIT Over Standing Privileges

Standing privileges are permissions held continuously regardless of whether they are actively needed. An engineer with continuous production-admin access poses a permanent risk even when they are not performing production operations. The window of compromise from a stolen token is unlimited.

Just-in-time (JIT) access replaces standing high-privilege assignments with time-boxed role grants that activate on request and expire automatically:

# jit-access-request.yaml — Teleport Machine ID or similar JIT system
jit_access_policy:
  role: production-admin
  max_duration: 4h
  requires:
    - approval_from: oncall-lead
    - reason: required
    - ticket: required
  auto_expires: true
  audit:
    log_level: verbose
    notify: security-team@example.com

Implementing JIT access in practice:

  • Teleport — Role requests with approval workflows and automatic session termination.
  • AWS IAM Identity Center — Permission sets can be time-boxed; integrate with AWS Access Analyzer to flag unused standing grants.
  • GCP Privileged Access Manager — Managed JIT grants for projects, folders, and organisations with audit logging to Cloud Audit Logs.
  • HashiCorp Vault — Dynamic secrets with TTLs serve as JIT credentials for databases, cloud providers, and Kubernetes service accounts.

For roles that cannot use a JIT system, implement maximum session duration at the IdP layer. AWS IAM role sessions can be configured with MaxSessionDuration; Kubernetes ServiceAccount tokens can use expirationSeconds in the TokenRequest API.

Principle 5: Policy-as-Code for RBAC

Storing role definitions in version-controlled files and generating platform-specific RBAC configuration from a single source of truth eliminates drift between environments and provides a review trail for every permission change.

Single source of truth in YAML, generated Kubernetes RBAC:

# roles/application-developer.yaml — source of truth
name: application-developer
description: "Develops and deploys application services."
kubernetes:
  namespaced: true
  rules:
    - apiGroups: ["apps", ""]
      resources: ["deployments", "pods", "services", "configmaps"]
      verbs: ["get", "list", "watch", "create", "update", "patch"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list"]
      resourceNames: ["app-config"]  # named resource, not wildcard

A code generation step produces the Kubernetes ClusterRole or Role manifest from this definition. The manifest is never hand-edited — changes go through the YAML source, which means they go through git history and code review.

OPA/Rego policy enforcing RBAC constraints in Kubernetes:

# policy/rbac-constraints.rego
package rbac.constraints

# Deny ClusterRoles with wildcard resource access
deny[msg] {
  input.request.kind.kind == "ClusterRole"
  rule := input.request.object.rules[_]
  rule.resources[_] == "*"
  msg := sprintf("ClusterRole %v must not use wildcard resources", [input.request.object.metadata.name])
}

# Deny direct RoleBindings to users — use groups
deny[msg] {
  input.request.kind.kind == "RoleBinding"
  subject := input.request.object.subjects[_]
  subject.kind == "User"
  msg := sprintf("RoleBinding %v must bind to a Group, not a User directly", [input.request.object.metadata.name])
}

# Deny any role granting secrets/* with wildcard verbs
deny[msg] {
  input.request.kind.kind == "ClusterRole"
  rule := input.request.object.rules[_]
  rule.resources[_] == "secrets"
  rule.verbs[_] == "*"
  msg := sprintf("ClusterRole %v must not grant wildcard verbs on secrets", [input.request.object.metadata.name])
}

This Rego policy runs as a Kubernetes admission webhook (via OPA Gatekeeper or Kyverno) and blocks non-conforming RBAC objects at the API server level — no non-conforming ClusterRole can be applied regardless of who applies it.

AWS IAM permission boundaries as policy-as-code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowedServicesBoundary",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyIAMEscalation",
      "Effect": "Deny",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}

Permission boundaries act as a ceiling on what any role or user within a boundary can do, regardless of what identity policies they hold. They are the AWS equivalent of a deny-override in OPA: even if a developer is granted AdministratorAccess, the permission boundary prevents IAM escalation actions.

AWS Service Control Policies (SCPs) applied at the AWS Organizations level provide the same ceiling across all accounts in an OU:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "RequireMFAForConsole",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Principle 6: Segregation of Duties Enforcement

SoD constraints prevent any single role — or role combination held by a single user — from completing a sensitive end-to-end workflow without involving a second party. The canonical examples are: approver and deployer for production changes, creator and approver for financial transactions, developer and reviewer for code that goes to production.

Modelling SoD in RBAC requires explicit mutual exclusion: certain role pairs cannot be held simultaneously.

# sod-constraints.yaml
segregation_of_duties:
  - constraint_id: SOD-001
    description: "No user may hold both change-approver and change-deployer roles."
    mutually_exclusive:
      - change-approver
      - change-deployer
    enforcement: hard  # assignment fails if constraint is violated

  - constraint_id: SOD-002
    description: "No user may hold both invoice-creator and invoice-approver roles."
    mutually_exclusive:
      - invoice-creator
      - invoice-approver
    enforcement: hard

  - constraint_id: SOD-003
    description: "Security-auditor and security-admin roles cannot be co-assigned."
    mutually_exclusive:
      - security-auditor
      - security-admin
    enforcement: soft  # assignment succeeds but generates alert

Enforcement at provisioning time prevents the violation from ever being created. Enforcement at access review time detects violations that predate the constraint or were introduced through system migrations.

For Kubernetes specifically, SoD is enforced structurally: separate ClusterRoles for deployment-approver (can annotate a Deployment with approved status) and deployment-executor (can update the Deployment itself), bound to separate groups in the IdP. A user in both groups violates the SoD — detect this with periodic review of IdP group memberships against the SoD constraint list.

RBAC Anti-Patterns

Role explosion. The system has more roles than users. Each unique permission combination got its own role rather than composing from a smaller set. Resolution: consolidate roles by permission overlap analysis. Any two roles with more than 80% permission overlap are candidates for merging or for refactoring into a base role plus a delta role.

The superuser default. The most commonly assigned role is admin or cluster-admin because scoped roles take time to design. The blast radius of every compromised credential is unbounded. Resolution: design scoped roles before any role assignment is made. Block cluster-admin binding via admission policy except for named break-glass accounts.

Direct user-to-permission bindings. User Alice has secrets:read assigned directly because “it was faster than creating a role.” Direct bindings do not participate in role reviews, do not appear in role membership queries, and persist after Alice’s roles are deprovisioned. Resolution: enforce via admission policy that every permission assignment goes through a role. Allow no direct user-to-permission bindings in IAM or Kubernetes.

Roles with no members. The contractor-2024-q1 role has zero members because the contractors finished their engagement in March. It still exists, still has permissions defined, and is available for re-use or accidental assignment. Resolution: detect and delete roles with zero members. Any role that has had zero members for 90 days is a candidate for removal after confirming it is not reserved for future use.

Roles with all permissions. A role named operations that holds every permission in the system because “operations needs to be able to do anything.” This is admin under a different name. Resolution: audit roles for permission coverage. Any role holding more than 60% of available permissions in a scope is likely a superuser by another name and should be decomposed.

Access Reviews and Automated Detection

Quarterly access reviews are a compliance requirement (SOC 2, ISO 27001, PCI-DSS) and a security control. Manual reviews are typically incomplete because the data preparation is expensive. Automate the data layer so the review itself can focus on judgment, not spreadsheet maintenance.

Detection queries — unused roles (AWS):

import boto3
from datetime import datetime, timezone, timedelta

iam = boto3.client('iam')
cutoff = datetime.now(timezone.utc) - timedelta(days=90)

for role in iam.list_roles()['Roles']:
    last_used = role.get('RoleLastUsed', {}).get('LastUsedDate')
    if last_used is None or last_used < cutoff:
        print(f"STALE ROLE: {role['RoleName']} — last used: {last_used or 'never'}")

Detection — Kubernetes RoleBindings with no active subjects:

# Find RoleBindings whose subjects no longer exist in the IdP group list
kubectl get rolebindings -A -o json | jq -r '
  .items[] |
  select(.subjects != null) |
  {
    namespace: .metadata.namespace,
    name: .metadata.name,
    subjects: [.subjects[].name]
  }
' | diff - <(ldap-group-query --format=json)

Automated certification workflow:

# access-review-automation.yaml — quarterly review trigger
schedule: "0 9 1 */3 *"  # 09:00 on the first day of each quarter
steps:
  - name: generate-access-report
    action: query-iam-and-rbac
    output: access-report-{{ date }}.csv

  - name: send-certification-requests
    action: send-email
    template: access-certification-request
    recipients: "{{ role_owners }}"
    deadline: "+14 days"

  - name: revoke-uncertified-access
    action: revoke-roles
    condition: "certification_status == 'pending' AND deadline_passed == true"
    notify: security-team

Access reviews should produce a record: who certified what access, on what date, with what justification. This record is the evidence artefact for compliance audits and for post-incident investigation.

Kubernetes RBAC in Practice

Kubernetes RBAC has four object types: Role, ClusterRole, RoleBinding, ClusterRoleBinding. The design principles above apply directly:

  • Use Role and RoleBinding (namespace-scoped) by default. Promote to ClusterRole only when the access genuinely spans namespaces.
  • Never bind cluster-admin to non-break-glass accounts. Create a scoped ClusterRole instead.
  • Use Group subjects in RoleBindings, not User subjects. Group membership is managed in the IdP; individual user bindings bypass IdP-controlled provisioning.
  • Name roles after job functions: namespace-developer, log-viewer, secret-reader. Avoid role names that encode person or team names.
  • Restrict secret access by resourceNames where possible: bind a service account to read a specific named secret rather than secrets/*.
# ClusterRole: log-viewer — read-only access to pod logs cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: log-viewer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: bind to security-audit group from IdP
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: log-viewer-security-audit
subjects:
  - kind: Group
    name: security-audit  # resolved by OIDC provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: log-viewer
  apiGroup: rbac.authorization.k8s.io

Verification

After implementing structured RBAC, verify correctness and completeness with these checks:

# 1. Confirm no direct User subjects in RoleBindings (Kubernetes)
kubectl get rolebindings,clusterrolebindings -A -o json \
  | jq '[.items[].subjects[]? | select(.kind == "User")] | length'
# Expected output: 0

# 2. List all cluster-admin bindings — should be break-glass accounts only
kubectl get clusterrolebindings -o json \
  | jq -r '.items[] | select(.roleRef.name == "cluster-admin") | .metadata.name'

# 3. AWS IAM — find roles unused in 90 days
aws iam generate-credential-report && aws iam get-credential-report \
  | python3 -c "import sys,csv,base64; [print(r['user'],r['access_key_1_last_used_date'])
    for r in csv.DictReader(base64.b64decode(sys.stdin.read().split('\"Content\"')[1]).decode().splitlines())]"

# 4. Verify OPA/Gatekeeper constraints are enforced
kubectl apply --dry-run=server -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-wildcard-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
EOF
# Expected: admission webhook rejection

Summary

Maintainable RBAC is not a configuration task — it is a design discipline. The patterns that produce durable, auditable permission systems are:

  • Role = job function. Roles exist independently of the people who hold them. No person-specific roles.
  • Functional decomposition. Separate read, write, and admin roles for each domain. Never conflate them in a single “user” role.
  • Shallow hierarchies. Inherit permissions one or two levels deep. Flatten when inheritance would produce unexpected grants.
  • JIT over standing privileges. Time-box high-privilege access. Standing admin access is a standing risk.
  • Policy-as-code. All role definitions live in version control. Platform-specific RBAC is generated, never hand-edited. Admission policies enforce constraints at apply time.
  • SoD constraints. Mutually exclusive roles prevent any single principal from completing sensitive end-to-end workflows without a second party.
  • Regular automated reviews. Quarterly certification with automated data generation. Detect and remove stale roles, stale bindings, and direct user-to-permission assignments.

The access control system that was clean on day one drifts toward over-privilege without active design decisions at each step of its evolution. Structured RBAC with these patterns in place does not eliminate the drift — it makes the drift detectable and the correction routine.