D1 · General

What is Role-Based Access Control (RBAC)?

RBAC assigns permissions to roles, and users are assigned to roles — enabling consistent permission management at scale. Adding a user to a role grants all associated permissions.
RBAC is the most practical access control model for enterprise environments. Well-designed roles reflect job functions. Principle: users should hold the minimum necessary roles. Role explosion (hundreds of tiny roles) defeats the purpose, so balance granularity with manageability. Active Directory groups implement RBAC in Windows environments.