What is Role-Based Access Control?


Role-Based Access Control (RBAC) is a security model that assigns permissions to roles rather than individual entities, and then assigns roles to users, agents, or processes — simplifying permission management and enforcing organisational policies at scale.

WHY IT MATTERS

RBAC is the standard access control model in enterprise systems. Instead of defining permissions per agent ('Agent-47 can call read_file and write_file'), you define permissions per role ('Editor role can call read_file and write_file') and assign roles to agents.

This simplifies management at scale. When you have 50 agents, changing the editor role's tool access means updating one role definition rather than 50 per-agent YAML policies. New agents inherit the appropriate tool permissions simply by being assigned a role.

For MCP-based systems, RBAC maps naturally to YAML policy files. Each role gets its own policy file defining allowed tools and constraints. Agents are assigned to roles by configuring which policy file Intercept applies to their connection.

HOW POLICYLAYER USES THIS

Intercept implements RBAC through separate YAML policy files for each role. Define roles like 'reader' (read-only tools), 'editor' (read and write tools), or 'admin' (full tool access) — each as a YAML policy file. Assign agents to roles by routing their MCP connection through Intercept with the corresponding policy. Clean, scalable, and version-controllable.

FREQUENTLY ASKED QUESTIONS

How do I implement RBAC with Intercept?
Create a YAML policy file per role (e.g., reader.yaml, editor.yaml, admin.yaml). Each defines the tools and constraints for that role. Route each agent's MCP connection through Intercept configured with the appropriate role policy.
Can an agent have multiple roles?
In Intercept, you would compose multiple role policies into a single combined policy file. Be careful that combinations do not inadvertently grant excessive access — review the merged policy before deploying.
How is RBAC different from ABAC?
RBAC assigns static permissions to roles. ABAC (attribute-based access control) evaluates permissions dynamically based on attributes (time, context, argument values). Intercept's YAML policies support both: role-based tool allowlists with attribute-based argument constraints.
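The three FAQ answers above describe one mechanism: a policy file per role (reader, editor, admin), agents routed through the policy for their role, roles composed for an agent that holds several, and a tool allowlist combined with attribute checks on arguments. The following is an added example written for this page, not Intercept's code or its YAML schema. Plain Python dicts stand in for the per-role policy files, and every field name ("allow", "constraints", "path_glob", "max_bytes"), every tool name and every agent id is an assumption constructed for the example. The composition step returns review warnings alongside the merged policy, which is the check the FAQ asks for before a combined policy is deployed.

```python
"""Added example: role-based tool policies for an MCP proxy, with attribute
constraints and role composition. Illustrative code for this page only; the
policy schema, tool names and agent ids below are constructed assumptions,
not Intercept's format."""
from fnmatch import fnmatch

# Constructed per-role policies standing in for reader.yaml / editor.yaml / admin.yaml.
# "allow" is the tool allowlist (RBAC); "constraints" are per-tool argument checks (ABAC).
ROLE_POLICIES = {
    "reader": {
        "allow": ["read_file", "list_dir"],
        "constraints": {"read_file": {"path_glob": "/workspace/*"}},
    },
    "editor": {
        "allow": ["read_file", "list_dir", "write_file"],
        "constraints": {
            "read_file": {"path_glob": "/workspace/*"},
            "write_file": {"path_glob": "/workspace/*", "max_bytes": 65536},
        },
    },
    "admin": {"allow": ["*"], "constraints": {}},
}

# Constructed agent-to-role assignment: which policy an agent's connection is routed through.
AGENT_ROLES = {"agent-47": ["editor"], "agent-ops": ["editor", "admin"]}


def _check_constraints(rules, args):
    """Apply one rule set to a call's arguments. Returns (ok, reason).
    Unknown constraint keys fail closed so a typo in a policy cannot widen access."""
    for key, expected in rules.items():
        if key == "path_glob":
            path = args.get("path", "")
            if not fnmatch(path, expected):
                return False, f"path {path!r} outside {expected!r}"
        elif key == "max_bytes":
            size = len(args.get("content", ""))
            if size > expected:
                return False, f"content is {size} bytes, limit {expected}"
        else:
            return False, f"unknown constraint {key!r}"
    return True, "ok"


def evaluate(policy, tool, args):
    """Decide one tool call under one policy. Returns (allowed, reason).
    The constraint entry for a tool is one rule set (a single role) or a list of
    alternative rule sets (a composed policy); the call passes if any alternative does."""
    if not any(fnmatch(tool, pat) for pat in policy["allow"]):
        return False, f"tool {tool!r} not in allowlist"
    alternatives = policy.get("constraints", {}).get(tool, {})
    if isinstance(alternatives, dict):
        alternatives = [alternatives]
    reasons = []
    for rules in alternatives:
        ok, reason = _check_constraints(rules, args)
        if ok:
            return True, "ok"
        reasons.append(reason)
    return False, "; ".join(reasons)


def compose_roles(role_names):
    """Merge several role policies for an agent holding more than one role.
    Allowlists are unioned and constraints become alternatives (a permissive merge).
    Returns (merged, warnings) so the merged policy can be reviewed before deployment."""
    merged = {"allow": [], "constraints": {}}
    warnings = []
    for name in role_names:
        policy = ROLE_POLICIES[name]
        for pat in policy["allow"]:
            if pat not in merged["allow"]:
                merged["allow"].append(pat)
        for tool, rules in policy.get("constraints", {}).items():
            merged["constraints"].setdefault(tool, []).append(dict(rules))
    # A role that allows a constrained tool with no constraint of its own adds an
    # unconstrained alternative, silently bypassing the other roles' checks.
    for tool in list(merged["constraints"]):
        for name in role_names:
            policy = ROLE_POLICIES[name]
            allows = any(fnmatch(tool, pat) for pat in policy["allow"])
            if allows and tool not in policy.get("constraints", {}):
                merged["constraints"][tool].append({})
                warnings.append(f"role {name!r} allows {tool!r} unconstrained; "
                                f"other roles' constraints on it are bypassed")
    if "*" in merged["allow"]:
        warnings.append("merged allowlist contains the wildcard '*'")
    return merged, warnings


def authorize(agent_id, tool, args):
    """Route a call through the agent's assigned role(s); agents with no role are denied."""
    roles = AGENT_ROLES.get(agent_id)
    if not roles:
        return False, f"agent {agent_id!r} has no role assigned"
    merged, _warnings = compose_roles(roles)
    return evaluate(merged, tool, args)
```

Composing `editor` with `admin` makes the point in the FAQ concrete: the merged policy still lists the `write_file` path constraint, but because `admin` allows every tool unconstrained, a write outside `/workspace` is accepted. The warnings returned by `compose_roles` surface exactly that, which is why the merge result should be reviewed rather than deployed blindly.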

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept