26 March
What Is RBAC? — Role-Based Access Control in ERP Systems
RBAC (Role-Based Access Control) is a method of managing system access permissions based on user roles rather than individual identities. For example, a procurement officer sees only procurement menus, while an accountant sees only accounting menus — keeping data secure and easy to manage.
Quick Summary: RBAC = assign permissions by "Role," not by "User." When a new employee joins, simply assign the correct Role and all permissions follow automatically. No need to configure permissions one by one.
Why Is RBAC Essential in ERP Systems?
ERP systems contain critical data — financial records, employee information, procurement details. If everyone could access everything, the security risk would be enormous. RBAC solves this by ensuring each user sees only the data relevant to their job function, following the Principle of Least Privilege (minimum access necessary to perform the job).
Components of RBAC
RBAC consists of three core components that work together:
| Component | Definition | Example |
|---|---|---|
| User | A person with an account in the system, assigned at least one Role | Mr. Somchai (Procurement Officer), Ms. Somying (Accountant) |
| Role | A collection of permissions grouped by job function; one person can have multiple Roles | Procurement Officer, Accountant, Approver, System Admin |
| Permission | An authorization to perform a specific action, defined within a Role | View reports, Create purchase requests, Approve documents, Delete records |
RBAC Example in Saeree ERP
Here is how role-based permissions are configured in Saeree ERP for government organizations:
| Role | View Reports | Create Documents | Approve | System Settings |
|---|---|---|---|---|
| Procurement Officer | Procurement only | Purchase requests, Goods receipts | No | No |
| Accountant | Accounting only | Invoices, Journal entries | No | No |
| Department Head | Own department | Yes | Up to 100,000 THB | No |
| Director | All departments | Yes | All amounts | No |
| System Admin | All | Yes | No (separation of duties) | Yes |
Notice that the System Admin can configure the system but cannot approve documents — this is the principle of Separation of Duties, which prevents fraud.
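As an added illustration (not Saeree ERP's own code), the following Python models the role matrix above as a deny-by-default authorization check with approval ceilings in THB and a separation-of-duties rule on role assignment. The permission strings, the `User` class and the rule that an admin account may not also hold an approving role are assumptions made for the example.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Constructed from the role table above; not Saeree ERP's real configuration.
# Permissions are "action:scope" strings; "*" is a wildcard scope.
ROLE_PERMISSIONS = {
    "Procurement Officer": {"view:procurement", "create:purchase_request", "create:goods_receipt"},
    "Accountant": {"view:accounting", "create:invoice", "create:journal_entry"},
    "Department Head": {"view:own_department", "create:*", "approve:*"},
    "Director": {"view:*", "create:*", "approve:*"},
    "System Admin": {"view:*", "create:*", "settings:*"},
}
# Approval ceilings in THB; a role absent here cannot approve at any amount.
APPROVAL_LIMIT_THB = {"Department Head": 100_000, "Director": float("inf")}
# Assumed static separation-of-duties rule: admin is never combined with an approving role.
SOD_CONFLICTS = {frozenset({"System Admin", r}) for r in APPROVAL_LIMIT_THB}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        # Roles are additive: the user holds the union of all assigned roles' permissions.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles))


def assign_roles(user: User, roles: set) -> User:
    """Assign roles, rejecting unknown roles and any separation-of-duties conflict."""
    unknown = set(roles) - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    for a, b in combinations(roles, 2):
        if frozenset({a, b}) in SOD_CONFLICTS:
            raise ValueError(f"separation of duties: {a} cannot be combined with {b}")
    user.roles = set(roles)
    return user


def is_authorized(user: User, action: str, scope: str, amount_thb: float = 0) -> bool:
    """Deny by default; grant only if a role carries the permission (and the approval limit allows)."""
    perms = user.permissions()
    if f"{action}:{scope}" not in perms and f"{action}:*" not in perms:
        return False
    if action == "approve":
        # The highest ceiling among the user's roles decides; roles without one add nothing.
        ceiling = max((APPROVAL_LIMIT_THB.get(r, 0) for r in user.roles), default=0)
        return amount_thb <= ceiling
    return True
```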
RBAC vs DAC vs MAC — Comparison
| Aspect | RBAC | DAC | MAC |
|---|---|---|---|
| Stands for | Role-Based Access Control | Discretionary Access Control | Mandatory Access Control |
| Who sets permissions | System admin, based on Roles | Data owner decides | Central policy enforced |
| Flexibility | Moderate — flexible yet manageable | High — but hard to control | Low — very strict |
| Best suited for | Enterprises, ERP systems | Personal file systems | Military, classified environments |
| Example systems | Saeree ERP, SAP, Oracle | Windows File Sharing | SELinux, military systems |
Benefits of RBAC for Government Organizations
- Reduced data leakage risk — each user sees only data relevant to their job; salary data or procurement information does not leak to unauthorized personnel
- Audit-ready — the system logs which User has which Role and what actions they performed, enabling full traceability
- Easy role transitions — when staff transfer departments, simply change their Role instead of reconfiguring permissions one by one
- PDPA compliance — RBAC helps organizations restrict access to personal data only to those who need it, supporting Thailand's Personal Data Protection Act
- Works with Two-Factor Authentication (2FA) — RBAC defines "what you can see," while 2FA defines "how you prove who you are" — used together for maximum security