Contact Us Request Consultation
Back to CyberPedia
Relationship-Based Access Control

What Is Relationship-Based Access Control?
How ReBAC Works & Best Practices

ReBAC grants access based on the links between users and resources — like owner, member, or team mate. Google built Zanzibar on this model for YouTube, Drive, and Cloud. This guide covers what ReBAC is, how it works (5-step graph traversal visual), common link types (ownership, parent-child, group, collaboration), ReBAC vs RBAC vs ABAC comparison table, pros and cons, best practices, and 7 FAQs.

10 min read
Identity & Access Management
3 views

What Is Relationship-Based Access Control?

Relationship-based access control (ReBAC) is a security model that grants or denies access based on how users and resources are linked to each other. Instead of checking a user’s role or a list of attributes, it looks at the relationship between the person and the thing they want to reach.

Here’s a simple way to think of it. You share a Google Doc with your team. Anyone on the team can edit it. But someone outside the team can’t — even if they have the same job title. The permission isn’t based on role. It’s based on the link between the user and the file. That’s ReBAC in action.

This model first gained ground in social networks — where access depends on whether two users are friends, followers, or members of the same group. However, it has since spread far beyond social media. Google built Zanzibar, a global ReBAC system, to handle access for YouTube, Drive, Cloud, Maps, and more. And firms like Airbnb and Carta have shifted to ReBAC-style systems as their access needs grew.

So what makes relationship-based access control different? With RBAC, access follows the role. With ABAC, access follows the attributes. However, in ReBAC, access follows the relationship. If there’s a valid link between the user and the resource — like owner, member, or team lead — authorization is granted. Otherwise, it’s denied. This makes ReBAC the most natural model for apps where data is shared, nested, or owned by users.

ReBAC in One Line

Access is based on the link between the user and the resource — like owner, member, or team mate. If a valid path exists in the graph, access is granted. Otherwise, it’s denied. No roles needed. Just real connections.

How Relationship-Based Access Control Works

Essentially, every ReBAC system follows the same core flow. It uses a graph of nodes (users and resources) and edges (the links between them). Here’s how it plays out.

Step 1
Entities and Links Are Defined
Admins define the types of entities (users, teams, folders, files) and the types of links between them (owner, editor, viewer, member). These form the nodes and edges of a directed graph.
Step 2
Links Are Created
When a user creates a file, they become the “owner.” When they share it with a team, each team member gets a “viewer” or “editor” link. These links are stored in a graph database — like Google Zanzibar.
Step 3
User Requests Access
A user tries to open, edit, or delete a resource. The system picks up the request and checks the graph for a valid path between the user and the resource.
Step 4
Graph Is Traversed
The system walks the graph — checking direct links (user → file) and indirect links (user → team → folder → file). When a valid path exists that matches the required link type, access is granted. Otherwise, it’s denied.
Step 5
Event Is Logged
Every access check is recorded — who asked, what they asked for, which path was found (or not), and the result. These logs support audit, compliance, and debug needs.

This flow runs for every request. Because permissions are derived from real links, they update on their own when links change — like when a user joins a team or leaves a project. As a result, ReBAC stays in sync with how people actually work.

Common ReBAC Relationship Types

ReBAC supports many types of links. Here are the ones you’ll see the most — and how each one drives access.

Ownership
The user who created the resource owns it — and has full control. For instance, if you create a doc, you can read, edit, share, and delete it. Ownership is the most basic and most powerful link in ReBAC.
Parent-Child
Resources nested inside other resources inherit access. For example, if you can access a folder, you can access every file in it. This cuts the need to set permissions on each item one by one.
Group Membership
Users who belong to a team or group share a common set of access rights. When a user joins the group, they get access. And once they leave, they lose it. No manual changes are needed.
Collaboration
A user is linked to a resource as a contributor, reviewer, or approver. This is common in project tools, code repos, and content platforms — where access depends on the user’s role in that specific project.

ReBAC vs RBAC vs ABAC

Notably, the question of ReBAC vs RBAC and ABAC comes up the most. So here’s how they compare side by side.

Feature ReBAC RBAC ABAC
Access Based On User-resource links Job role User + context attributes
Granularity ✓ Per-resource ◐ Per-role ✓ Per-attribute
Handles Hierarchy ✓ Native — parent-child ◐ With role hierarchy ✕ Not built in
Dynamic Updates ✓ Auto — when links change ✕ Manual role swaps ◐ Semi-dynamic
Best For Collab tools, SaaS, social apps Mid-size, role-driven firms Complex, regulated setups
Real-World Example Google Drive, GitHub, Airbnb Active Directory, Azure AD AWS IAM policies

When to Choose ReBAC

Use RBAC when access is driven by job function. Use ABAC when you need fine-grained, attribute-based rules. However, choose ReBAC when access depends on how users and resources are connected — like ownership, team membership, or project links. Consequently, ReBAC is the best fit for SaaS platforms, collab tools, multi-tenant apps, and any system where data is shared, nested, or user-owned.

Related Guide
Compare All Access Control Models

Pros and Cons of Relationship-Based Access Control

ReBAC is powerful for connected, user-driven apps — but it’s not without trade-offs. Here’s a clear view of both sides.

Advantages
Mirrors real-world connections — permissions follow how people actually work
Auto-updates — when links change, permissions change on their own
Handles hierarchy — parent-child links cascade access down the tree
Reduces human error — no need to set per-user or per-file rights by hand
Stops role explosion — one link model replaces dozens of roles
Limitations
Complex to set up — needs careful graph and link design up front
Can be heavy on compute — large graphs need fast traversal at scale
No context checks — can’t factor in time, location, or device on its own
Hard to debug — tracing a denied request through a deep graph is tough

Relationship-Based Access Control Best Practices

Here are the ReBAC best practices that help you get this model right.

First, map your entities and links before you build. List every type of user, resource, and link your app needs. Keep the link types simple and well-named. Because the whole system runs on this graph, getting the design right from the start saves huge effort later.

Then, use your existing data. Most apps already store links — like who created a file, who’s on a team, or who owns a project. Build your ReBAC graph on top of this data instead of creating a new one from scratch. Consequently, you get accurate, live permissions with less extra work.

Also, start with the three core link types. Ownership, group membership, and parent-child cover 80% of use cases. Add more link types only when you need them. This keeps the graph lean and easy to manage.

Combine, Monitor, and Evolve

Layer ReBAC with RBAC or ABAC. ReBAC handles who is linked to what. However, it can’t check context like time, location, or device. So layer ABAC or RBAC on top for those checks. This hybrid model gives you the best of both: link-based access plus context-aware rules.

Monitor graph growth. As your app scales, the graph grows — with more nodes, edges, and paths to check. Applying least privilege at the link level keeps the graph lean. So keep an eye on graph size and query speed. Use a fast graph database and cache results where you can.

Finally, audit and review links on a set basis. Stale links are a risk — like a user who left a team but still has access. Run regular reviews to find and remove dead links. Log every access check for compliance. Because a clean graph is a safe graph.

ReBAC Checklist

Map all entity and link types before building. Use existing app data for your graph. Start with ownership, membership, and parent-child links. Layer RBAC or ABAC for context-aware checks. Use a fast graph database. Monitor graph size and query speed. Audit links quarterly. Log every access check for compliance.

Frequently Asked Questions About Relationship-Based Access Control

Frequently Asked Questions
What is relationship-based access control?
Relationship-based access control (ReBAC) is a model that grants access based on the links between users and resources — like owner, member, editor, or team mate. Essentially, if a valid link exists in the relationship graph, access is granted. If not, it’s denied. It’s the most natural model for apps where data is shared, nested, or user-owned.
How does ReBAC differ from RBAC?
RBAC grants access based on a user’s job role — the same way for everyone in that role. In contrast, ReBAC grants access based on the specific link between the user and the resource. So in RBAC, all managers see all data. In ReBAC, a manager only sees data they’re directly linked to. ReBAC is more precise but more complex to set up.
What is Google Zanzibar?
Zanzibar is Google’s global ReBAC system. It handles access control for YouTube, Drive, Cloud, Maps, and more. Google published a paper on it in 2019, which sparked wide adoption of ReBAC across the industry. Consequently, many open-source and commercial ReBAC tools are now built on the Zanzibar model.
What is a relationship graph?
A relationship graph is a data structure made of nodes (users, files, teams, projects) and edges (links like owner, member, viewer). When a user requests access, the system walks the graph to find a valid path. If one exists, access is granted. Graph databases like Neo4j or Amazon Neptune are often used to store and query these graphs fast.

More Common Questions

Can ReBAC work with RBAC or ABAC?
Yes — and this is common. ReBAC handles link-based access (like who owns or belongs to what). However, it can’t check context like time, device, or location. So firms layer ABAC or RBAC on top for those checks. This hybrid model gives you the best of all worlds — links, roles, and context.
Where is ReBAC commonly used?
ReBAC is used in SaaS platforms (multi-tenant access), collaborative tools (like Google Drive and GitHub), social networks (friend-based access), project management apps, content systems, and cloud platforms like AWS. It’s the model of choice for any app where data is shared, nested, or user-owned.
Is ReBAC the same as ABAC?
Not quite. ReBAC is seen as a subset of ABAC — because links are a type of attribute. However, in practice they work differently. ABAC checks many attributes (like time, role, device). In contrast, ReBAC checks the specific link between the user and the resource. So ReBAC is simpler for link-based needs, while ABAC is broader for context-aware rules.

Conclusion: When to Use Relationship-Based Access Control

In short, relationship-based access control is the best model for apps where access depends on how users and resources are linked. It mirrors how people actually work — through ownership, teams, and projects. And it updates on its own when those links change.

However, it needs a solid base. So map your entities and links well. Use your existing data. Start simple. And layer RBAC or ABAC on top for context-aware checks.

Start now. First, list your key entities and link types. Then build your graph on existing app data. Next, set up the three core links — owner, member, and parent-child. After that, add a graph database and test at scale. Finally, audit links every quarter. Because the apps that model access through real links are the apps that stay secure and easy to manage.

Next Step
Get Help Setting Up Relationship-Based Access Control

References

  1. Wikipedia — Relationship-Based Access Control — Wikipedia
  2. WorkOS — What Is Relationship-Based Access Control (ReBAC)?
  3. AWS — How to Implement ReBAC with Amazon Verified Permissions
Tags
Identity & Access Management Relationship-Based Access Control
Previous
Risk-Based Access Control
Next
Context-Aware Access Control
Related Terms
Privileged Access Management
PAM controls, monitors, and protects access to the most powerful accounts —…
COMPLIANCE & GOVERNANCE 22 min read
Authentication Factors
Authentication factors are the types of proof used to verify your identity…
IDENTITY & ACCESS MANAGEMENT 10 min read
Multi-Factor Authentication
MFA blocks over 99.9% of automated account attacks — yet 99.9% of…
CYBERSECURITY 9 min read
Stay Updated
Get the latest terms & insights.

Join 1 million+ technology professionals. Weekly digest of new terms, threat intelligence, and architecture decisions.