Role-Based Access Control

Also known as:
  • RBAC

A permissions model where users inherit access rights from assigned business roles rather than through per-person grants, making the access landscape manageable and auditable as headcount grows.

Written by Askara Solutions editorial team · Updated

Role-Based Access Control solves the scaling problem in access management. A company with twenty employees can review permissions person by person. A company with two hundred cannot. RBAC introduces a middle layer: roles that map to business functions, and users who are assigned to one or more roles. When someone changes job or leaves, the change to their role membership is the single operation that corrects their access everywhere that role applies.

The discipline depends entirely on the quality of the role catalogue. Roles that are too broad (everyone in the finance team gets full read access to all finance systems) offer weak least-privilege guarantees. Roles that are too granular (one role per system per permission level) collapse back into per-user administration under a different name. The design challenge is finding the grain that matches how the organisation actually works, which almost always requires input from team leads rather than just the IT team.

For ISO 27001 Annex A auditors, RBAC provides the mechanism that makes access reviews tractable. Showing that a role was modified, reviewed, and approved is a single record rather than a per-user audit trail. The Askara Solutions agent surfaces the current role-to-user mapping as data, so joiner, mover, and leaver events propagate correctly and access reviews produce defensible records rather than spreadsheets rebuilt under audit pressure.
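The joiner/mover/leaver mechanics described at the top of this entry and the role-to-user mapping used in access reviews, shown as an added example (not Askara Solutions' agent or its code). The role catalogue, systems and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed role catalogue for the example: role -> set of (system, permission).
# Role names and systems are illustrative, not taken from any real deployment.
ROLE_CATALOGUE = {
    "finance-analyst":  {("ledger", "read"), ("expenses", "read")},
    "finance-approver": {("ledger", "read"), ("expenses", "approve")},
    "engineer":         {("repo", "write"), ("ci", "read")},
}


class RBAC:
    """Minimal RBAC store: users hold roles, roles hold grants."""

    def __init__(self, catalogue):
        self.catalogue = {r: set(g) for r, g in catalogue.items()}
        self.members = defaultdict(set)  # user -> set of role names

    def assign(self, user, role):
        if role not in self.catalogue:  # no grants outside the catalogue
            raise KeyError(f"unknown role: {role}")
        self.members[user].add(role)

    def revoke(self, user, role):
        self.members[user].discard(role)

    def mover(self, user, old_role, new_role):
        """Job change: one membership swap corrects access everywhere."""
        self.revoke(user, old_role)
        self.assign(user, new_role)

    def leaver(self, user):
        """Departure: dropping the user removes every inherited grant."""
        self.members.pop(user, None)

    def effective_permissions(self, user):
        # Union of the grants of every role the user currently holds.
        return set().union(*(self.catalogue[r] for r in self.members.get(user, ())))

    def can(self, user, system, permission):
        return (system, permission) in self.effective_permissions(user)

    def review(self):
        """Role-to-user mapping as data: the record an access review needs."""
        out = {role: [] for role in self.catalogue}
        for user, roles in self.members.items():
            for role in roles:
                out[role].append(user)
        return {role: sorted(users) for role, users in out.items()}
```

Because the user never holds a grant directly, the review only has to ask who is in each role and whether the role's grants are still appropriate.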