Disclaimer: I work in infosec and just spent a couple of years neck-deep in identity and access management, so this is very likely to be a nit-pick. RBAC is of course role-based access control, and it’s the roles that get the permissions, not the users. When Nigel says "which users can perform what actions on which resources" I cringe a bit, because it’s not quite correct. RBAC determines what actions a user can perform not by looking at the user’s permissions, but by looking at the user’s roles, and the permissions those roles have. It would be more correct to say "which users can perform what actions on which resources, based on the roles assigned to the user."