Back to all posts

How to Design Role-Based Access Control (RBAC) for Enterprise‑Grade Security

Amit Eyal Govrin

Amit Eyal Govrin

12 min read
How to Design Role-Based Access Control (RBAC) for Enterprise‑Grade Security

In most engineering organizations, automation and access control don’t evolve together. Teams adopt CI/CD, build internal tools, and roll out developer self-service, but permissions remain an afterthought. What begins as a convenience eventually becomes a security bottleneck, or worse, a compliance risk.

Kubiya fills this gap by proposing role-based access control (RBAC) to engineering workflows. It allows teams to establish context-aware, method-level permissions over regular DevOps actions, redeploying services, accessing secrets, or managing environments, without using identity-unaware static credentials or hand-written YAML policies.

This post walks through how to design a robust RBAC model using Kubiya, with practical examples and architectural guidance drawn from real-world use cases.

What Is Role-Based Access Control (RBAC) in Enterprise Environments

Blog image

RBAC is not a new thing, it is a standard role-based access control model, which correlates users to roles, and again roles to permissions. The Practical difficulty with that is how those mappings change over time, particularly in rapidly-moving engineering organizations.

Something like read-only access to developers, admin access to SREs, and special access to CI/CD pipelines would be typical in such an arrangement. However this flat model soon falls apart. Developers begin to require staging access. QA engineers desire to initiate deployments. On-call responders need access to secrets, in the short term.

Traditional RBAC doesn’t account for these nuances. It assumes that permissions are static and context-free. But access needs are dynamic: someone should be allowed to restart a service only if they’re on-call, using a verified channel, during an incident window.

Kubiya’s model embraces that complexity without turning it into chaos. By building context into RBAC, who is requesting, where they’re requesting from, what action they’re asking for, and under what conditions, it lets teams grant access safely without slowing anything down.

RBAC Challenges in Traditional Automation Workflows

Most automation tools were never designed with access control in mind. Engineers hard coded credentials into CI pipelines. They wire up Slack bots that trigger production workflows. They expose internal tools behind VPNs and call that security.

What gets missed is enforcement:

  • Who’s allowed to run this action?
  • Under what conditions?
  • What happens if the request is ambiguous?

Without structured access control, teams overcompensate by giving too many people too many permissions. A QA engineer who just needs access to staging logs ends up with credentials that could restart production. Worse, these access patterns are invisible, there’s no audit trail showing what was allowed, or why.

When something goes wrong, there’s no way to trace it back to an access policy failure. That’s not just a security issue, it’s an operational one. Teams lose confidence in their systems, and compliance becomes a game of manual checklists.

How Kubiya Implements Context-Aware RBAC

Kubiya embeds access control directly into the workflows teams already use, whether it’s Slack, GitHub, CLI tools, or internal dashboards. But unlike traditional tools, Kubiya doesn’t just check if someone has a role. It checks the full context of the request.

For example, let’s say a developer asks Kubiya in Slack to redeploy staging. Kubiya evaluates:

  • Is this user part of the staging-deployers group in GitHub?
  • Is the request coming from an authorized Slack channel?
  • Is it within working hours or part of an incident?
  • Has the user triggered similar actions recently?

If all checks pass, the action is executed automatically. If not, Kubiya can escalate, by requesting approval from a team lead or temporarily granting elevated access with audit logging.

The key idea is that Kubiya treats access as a first-class part of every interaction, not something bolted onto infrastructure. Every request flows through a policy engine that’s aware of identity, scope, and risk.

Access Control Building Blocks in Modern Developer Platforms

Access control design in the context of automation and internal tooling is not a matter of who is allowed to do what, but more so how access is structured in a manner that is flexible, safe, and transparent. The majority of contemporary platforms employ four fundamental elements to make this happen: roles, agents, policies, and workflows.

1. Roles

Roles describe what an individual can do. Rather than using broad categories such as admin or read-only, good access systems allow you to define narrow roles. E.g. you could create a deploy-to-staging role to QA, or a restart-service role to on-call engineers. These roles are simpler to reason about, and minimize the chance of accidentally granting excessive access.

2. Agents

Pieces that literally do the work are called agents. Just imagine them as laborers executing instructions in place of a user. An agent may cause a deployment, restart a container, or rotate a secret. Agents must also be strictly scoped to an environment or set of permissions, meaning your staging agent can not accidentally mutate production.

3. Policies

Policies determine how and when a role is usable. This is the place where context plays its role. It could be that you enable a developer to deploy to staging, but only between office hours, only through Slack and only when the person belongs to the QA team. Policies introduce real-world conditions to assist in enforcing least privilege without becoming obtrusive.

4. Workflows

Workflows bind it all together. When a person sends a Slack command, clicks a button in an internal portal, or executes a CLI command, that triggers a workflow. The workflow verifies the user roles, applies the policy in question and, assuming everything is OK, passes the request through an agent.

Real-World Use Cases

1. Controlled Deployment Access

A QA engineer sends a Slack command to deploy staging. Kubiya checks their role, verifies the Slack channel, confirms it's within a scheduled window, and proceeds without human intervention. No need to escalate, no YAML edits, just policy-based automation.

2. On-Call-Only Production Access

When an on-call engineer needs to restart a production service, Kubiya cross-references their status via PagerDuty. If they’re not on-call, the request is denied, or routed to an SRE lead for approval. This ensures that production access is both timely and scoped.

3. Temporary Access to Secrets

For incident response, engineers often need cloud credentials or database access temporarily. Kubiya allows for time-boxed access that automatically expires and is logged. No manual key sharing, no lingering privileges.

4. Pull Request-Based Escalation

If a pull request touches sensitive infrastructure paths, Kubiya automatically upgrades the review requirement. Even an admin can’t merge without additional review if the change impacts terraform/ or k8s/production.

5. Platform Self-Service with Guardrails

Developers use Kubiya to spin up isolated environments, but policies enforce constraints: which region, what memory size, and how long the environment lives. Everything runs under scoped agents and gets destroyed on timeout.

Example: Defining RBAC with Kubiya

Let’s walk through how to implement a real policy.

First, define a role:

role:
  name: restart-staging
  permissions:
    - restart:service
  scope:
    - environment: staging

Next, assign the role to a team:

user_mapping:
  github_team: 'dev-team'
  roles:
    - restart-staging

Then, build a policy:

policy:
  role: restart-staging
  conditions:
    - user_group: 'dev-team'
    - slack_channel: '#staging-ops'
    - time: '09:00-20:00'
  fallback:
    approval_required: true
    approver_group: 'platform-leads'

Finally, define a workflow that uses it:

workflow:
  name: restart_service
  steps:
    - access_check: restart-staging
    - confirm: "Do you want to restart the service?"
    - run_agent:
        action: restart
        target: 'service-api'

From the user’s perspective, they just send a message:

 /kubiya restart service-api

The system handles everything else, authorization, audit, escalation.

Best Practices for Role-Based Access Control (RBAC)

RBAC is about getting this balance between security and usability right. Open too much, and you may reveal critical systems. Too prescriptive, and teams put on the brakes. These practices will aid you to develop access controls that are secure, adaptable, and can be managed over the time.

Blog image

1. Start with Least Privilege, Not Broad Roles

Do not succumb to the temptation of assigning admin-level access to everyone, so that they can simply “unblock” things. Start with the smallest permissions and only give the minimum that is required. Smaller more focused roles, such as deploy-staging or view-logs are simpler to monitor and restrict compared to a single omnipotent role.

2. Keep Identity and Execution Separate

The decisions about access should not depend on the way the tasks are going to be executed. Leave the access system to worry about who is allowed to do what, and leave the actual operations to be done by separate components (such as agents, runners or bots). This isolation restricts the degree of trust you put in any single system, and helps keep risk in check.

3. Make Access Conditional, Not Static

The reality on the ground is not usually represented by the static roles. Rather than giving a person access with the vague just-in-case, apply conditions: only at working hours, only when they are on-call, only via verified channels such as Slack or a developer portal. Context-based access is more protective against overreach than slowing people down.

4. Use Temporary Access Whenever Possible

Lifetime access is difficult to track and usually not needed. Temporary permissions that last a day, a shift, or an incident lower risk and eliminate the requirement of continual manual clean up.

5. Log Everything and Make It Easy to Review

controlling access is not enough, you want to know how it is used. Ensure that all requests, approvals and denials are logged in full text: by whom, what was requested, and what was the result. These logs are required by the audits, as well as daily debugging.

FAQs

1. Can we integrate Kubiya with our existing identity system?

Yes. Kubiya supports GitHub, Google Workspace, Okta, Azure AD, and custom SAML providers.

2. What happens when a user doesn’t match a policy?

Kubiya either denies the request or routes it to an approver. Fallback behavior is configurable.

3. How is access logged?

All role checks, approvals, escalations, and executions are stored with full metadata: user, time, resource, and outcome.

4. Can RBAC change based on the environment?

Yes. You can define environment-specific scopes in both roles and agents. For example, restart-staging and restart-production can follow completely different paths.

About the author

Amit Eyal Govrin

Amit Eyal Govrin

Amit oversaw strategic DevOps partnerships at AWS as he repeatedly encountered industry leading DevOps companies struggling with similar pain-points: the Self-Service developer platforms they have created are only as effective as their end user experience. In other words, self-service is not a given.