Why RBAC Isn’t Enough (and What ReBAC Gets Right)

If you’re an admin, you spend a lot of time trying to get people the access they need, without putting everything else at risk.

Too much access means security gaps. Too little means broken workflows and a flood of support tickets. Somewhere in the middle is the sweet spot: giving people just enough access to do their job.

That’s the promise of access control. And for a while, RBAC, or Role-Based Access Control, looked like the answer. Assign roles like “admin” or “viewer,” and let the system do the rest. But in practice, RBAC creates new problems.

The trouble with RBAC
RBAC works by assigning users to predefined roles, each with a fixed set of permissions. It’s tidy in theory. In reality, it breaks down as soon as you try to model a real-world organization.

You either end up with too few roles, forcing people to share broad access they don’t actually need, or you spin up dozens of custom roles to handle edge cases, some of which may be necessary today, but will change tomorrow. That’s a recipe for confusion, inconsistency, and role sprawl.

Want a contractor to see just one customer’s network? That’s a new role. Need to let someone view logs but not change anything? Another role. Month after month, year after year, it’s access control by duct tape, and it gets harder to manage with every new team, region, or project.

How ReBAC changes the model
ReBAC, or Relationship-Based Access Control, starts with a different assumption: that access should follow the relationships between people, devices, and resources. It’s a model designed to reflect how real organizations actually work.

Instead of granting blanket permissions to roles, ReBAC lets you define access based on where someone sits in a hierarchy, be that an organization or a set of networks. You can grant access to a domain and have that permission cascade naturally to the networks and devices inside it. No role cloning. No guesswork.

Here’s a simple comparison:
– RBAC says: Lennon is a “Network Admin,” so he can manage every network in the company.

– ReBAC says: Lennon is an admin on Domain A. That gives him control over the networks and devices in Domain A, but nothing in Domain B.

It also works in the other direction. A user with access to a specific network might need to see basic information about its parent domain or related devices. ReBAC allows that, too — without exposing more than necessary.

Is it really ReBAC? Here’s how to tell
There’s a lot of noise in access control marketing. Vendors talk endlessly about “fine-grained permissions” or “dynamic roles,” but that doesn’t mean they’re using ReBAC.

The real signs of ReBAC are in how the system handles access. Does it give someone access because of their connection to a specific team, device, or project? If one change automatically updates who can see or manage something, that’s a good indicator it’s true ReBAC. And if the system reflects how your organization actually works — with managers overseeing teams, or contractors only seeing what they need — then it’s probably ReBAC. If not, you’re likely still dealing with traditional RBAC, just with more settings and labels.
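To make the comparison concrete, here is a small relationship-based check written as an added example for this post; it is not ZeroTier's code and does not reflect ZeroTier One's actual schema or API. It models the Lennon scenario above (admin on Domain A cascades down to that domain's networks and devices, but not to Domain B; a network viewer gets basic visibility of the parent domain) and the "one change updates who can see or manage something" test from this section. All object, relation and user names are constructed sample data, and the (object, relation, subject) tuple shape is borrowed from Google's Zanzibar paper.

```python
"""Minimal relationship-based access check (added example, constructed data).

Access is derived from relationship tuples (object, relation, subject) plus
a schema that says how a permission on an object follows from relations on
that object, on its parent, or on its children. Nothing here is ZeroTier's
real schema; every name is made up for illustration.
"""

# Constructed sample relationships: who is admin where, and how networks
# and devices nest inside domains.
TUPLES = frozenset({
    ("domain:A", "admin", "user:lennon"),
    ("domain:B", "admin", "user:yoko"),
    ("network:A-lan", "parent", "domain:A"),
    ("network:B-lan", "parent", "domain:B"),
    ("device:A-lan-router", "parent", "network:A-lan"),
    ("network:A-lan", "viewer", "user:contractor"),
})

# How each permission is derived, per object type (hypothetical schema):
#   ("direct", rel)        subject holds relation `rel` on this object
#   ("implied", perm)      subject already has `perm` on this object
#   ("from_parent", perm)  subject has `perm` on the parent (cascades down)
#   ("from_child", perm)   subject has `perm` on any child (limited view up)
SCHEMA = {
    "domain": {
        "manage": [("direct", "admin")],
        "view_basic": [("implied", "manage"), ("from_child", "view")],
    },
    "network": {
        "manage": [("direct", "admin"), ("from_parent", "manage")],
        "view": [("direct", "viewer"), ("implied", "manage")],
    },
    "device": {
        "manage": [("from_parent", "manage")],
        "view": [("from_parent", "view")],
    },
}


def related(tuples, obj, relation):
    """Subjects that hold `relation` on `obj`."""
    return {s for (o, r, s) in tuples if o == obj and r == relation}


def children(tuples, obj):
    """Objects whose parent is `obj`."""
    return {o for (o, r, s) in tuples if r == "parent" and s == obj}


def check(tuples, user, permission, obj, _seen=None):
    """True if `user` has `permission` on `obj` under SCHEMA and `tuples`."""
    _seen = _seen if _seen is not None else set()
    key = (user, permission, obj)
    if key in _seen:  # guard: a cyclic schema would otherwise recurse forever
        return False
    _seen.add(key)
    obj_type = obj.split(":", 1)[0]
    for kind, arg in SCHEMA[obj_type].get(permission, []):
        if kind == "direct" and user in related(tuples, obj, arg):
            return True
        if kind == "implied" and check(tuples, user, arg, obj, _seen):
            return True
        if kind == "from_parent" and any(
            check(tuples, user, arg, p, _seen) for p in related(tuples, obj, "parent")
        ):
            return True
        if kind == "from_child" and any(
            check(tuples, user, arg, c, _seen) for c in children(tuples, obj)
        ):
            return True
    return False


def who_can(tuples, permission, obj):
    """Every user with `permission` on `obj`, recomputed from relationships."""
    users = {s for (_, _, s) in tuples if s.startswith("user:")}
    return {u for u in users if check(tuples, u, permission, obj)}


def reparent(tuples, obj, new_parent):
    """Return a new tuple set with `obj` moved under `new_parent`."""
    kept = {t for t in tuples if not (t[0] == obj and t[1] == "parent")}
    kept.add((obj, "parent", new_parent))
    return frozenset(kept)


if __name__ == "__main__":
    # Lennon manages Domain A's network and device, but nothing in Domain B.
    print(check(TUPLES, "user:lennon", "manage", "device:A-lan-router"))  # True
    print(check(TUPLES, "user:lennon", "manage", "network:B-lan"))        # False
    # Moving the network to Domain B changes who can manage the device,
    # with no role edited anywhere.
    moved = reparent(TUPLES, "network:A-lan", "domain:B")
    print(who_can(moved, "manage", "device:A-lan-router"))  # {'user:yoko'}
```

The last step is the tell described above: a single relationship change (the network's parent) silently moves management of the device from Lennon to Yoko, and the contractor's basic view follows the network into Domain B. In a role-based setup the same move would mean editing at least two roles by hand.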

Built for complexity, not just control
ReBAC wasn’t dreamed up by vendors. It came out of real-world access problems inside companies like Google and Microsoft, where traditional role-based models fell apart under scale. The research behind it is open, mature, and proven.

The goal isn’t complexity. The goal is balance. ReBAC offers:
– The precision needed to secure sensitive systems
– The flexibility to reflect organizational structure
– A model that’s easier to understand and maintain over time

ZeroTier One for Enterprise now supports ReBAC
We’ve started implementing ReBAC inside ZeroTier One for Enterprise. Domains, networks, and devices are now linked to reflect real ownership and intent. You can build access policies that make sense, without creating a role for every possible exception.

Want to see it live? Join our webinar for a walkthrough, plus a look at what’s coming next. Want to learn more? Request a demo today.

ReBAC isn’t just an upgrade. It’s a better way to think about access.
