# Configure Role-Based Access Control


---
title: Configure Role-Based Access Control
latest-redpanda-tag: v25.1.1
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "true"
page-eol-date: April 7, 2026
latest-connect-version: 4.93.0
docname: security/authorization/rbac
page-component-name: streaming
page-version: "25.1"
page-component-version: "25.1"
page-component-title: Streaming
page-relative-src-path: security/authorization/rbac.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.1/modules/manage/pages/security/authorization/rbac.adoc
description: Role-based access controls are an extension to access control lists for managing permissions at scale.
page-git-created-date: "2024-04-30"
page-git-modified-date: "2025-02-26"
support-status: past end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/25.1/manage/security/authorization/rbac.md -->

> 📝 **NOTE**
>
> This feature requires an [enterprise license](https://docs.redpanda.com/streaming/25.1/get-started/licensing/overview/). To get a trial license key or extend your trial period, [generate a new trial license key](https://redpanda.com/try-enterprise). To purchase a license, contact [Redpanda Sales](https://redpanda.com/upgrade).
>
> If Redpanda has enterprise features enabled and it cannot find a valid license, [restrictions](https://docs.redpanda.com/streaming/25.1/get-started/licensing/overview/#self-managed) apply.

Role-based access control (RBAC) provides a way to configure permissions for provisioned users at scale, and provides a streamlined interface to manage user access to many resources. RBAC works in conjunction with all supported authentication methods.

## RBAC overview

RBAC is designed to address the critical challenge of access management at scale. It relieves you of manually maintaining and verifying a set of raw permissions (access control lists, or ACLs) for a user base that could contain thousands of users. RBAC makes it easier to onboard new employees, faster to audit access, and simpler to adapt as usage and compliance needs evolve.

Using RBAC, you can define roles to reflect organizational structure or job duties. This approach decouples users and permissions through the assignment of roles. RBAC allows a one-to-many mapping of a given role to many users, dramatically reducing the number of custom policies needed for a resource from one per user, to one per group of users.

### RBAC terminology

Under the RBAC framework, you create **roles**, grant **permissions** to those roles, and assign the roles to **users**. When you change the permissions for a given role, all users with that role automatically gain the modified permissions. You grant or deny permissions for a role by creating an ACL and specifying the RBAC role as either allowed or denied respectively.

Redpanda treats all **users** as security principals and defines them with the `Type:Name` syntax (for example, `User:mike`). You can omit the `Type` when defining a principal and Redpanda will assume the `User:` type. All examples here use the full syntax for clarity.

See [access control lists](https://docs.redpanda.com/streaming/25.1/manage/security/authorization/acl/) for more information on defining ACLs and working with principals.

#### Roles

A role is a named collection of ACLs which may have users (security principals) assigned to it. You can assign any number of roles to a given user. When installing a new Redpanda cluster, no roles are provisioned by default.

If you want to use RBAC, you must create your first roles using your `superuser` account, which enables you to create additional roles and assign appropriate ACLs as necessary. See [configure authentication](https://docs.redpanda.com/streaming/25.1/manage/security/authentication/#create_superusers) for more information on creating and managing superusers.

When performing an upgrade from older versions of Redpanda, all existing SASL/SCRAM users are assigned to the placeholder `Users` role to help you more readily migrate away from pure ACLs. As a security measure, this default role has no assigned ACLs.

#### Policy conflicts

You can assign a combination of ACLs and roles to any given principal. ACLs allow permissions, deny permissions, or specify a combination of both. As a result, users may at times have role assignments with conflicting policies. If this situation arises, the user is permitted to perform an operation if and only if:

-   There does not exist a DENY permission matching the operation.

-   There exists an ALLOW permission matching the operation.
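
The rule above, applied to a principal's own ACLs together with the ACLs of every role assigned to it. This is an added example, not Redpanda code: the ACL table is constructed sample data in the column layout that `rpk security role describe` prints, the `Contractor` role is hypothetical, and the matching semantics (prefix and literal patterns, `ALL` covering every operation, host ignored) are assumptions stated in the comments.

```shell
#!/usr/bin/env bash
# Added example (not Redpanda code): evaluates the conflict rule above over a
# constructed ACL table laid out like `rpk security role describe` output.
# Assumed matching semantics: LITERAL matches the exact name or "*", PREFIXED
# matches by name prefix, operation ALL matches any operation, HOST is ignored.

# Constructed sample data; the Contractor role is hypothetical.
ACL_TABLE='PRINCIPAL                 HOST  RESOURCE-TYPE  RESOURCE-NAME    RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION
RedpandaRole:SoftwareEng  *     TOPIC          private-         PREFIXED               READ       ALLOW
RedpandaRole:SoftwareEng  *     TOPIC          private-         PREFIXED               WRITE      ALLOW
RedpandaRole:Contractor   *     TOPIC          private-payroll  LITERAL                ALL        DENY
User:jane                 *     TOPIC          audit            LITERAL                READ       ALLOW'

# is_authorized <principal> <comma-separated roles> <OPERATION> <topic>
# Exit status 0 = permitted, 1 = not permitted.
is_authorized() {
  printf '%s\n' "$ACL_TABLE" | awk -v user="$1" -v roles="$2" -v op="$3" -v topic="$4" '
    BEGIN {
      # The ACLs that apply are those of the principal plus those of each role.
      mine[user] = 1
      n = split(roles, r, ",")
      for (i = 1; i <= n; i++) mine["RedpandaRole:" r[i]] = 1
    }
    !($1 in mine) || $3 != "TOPIC" { next }   # also skips the header row
    {
      name_ok = ($5 == "LITERAL"  && ($4 == topic || $4 == "*")) ||
                ($5 == "PREFIXED" && index(topic, $4) == 1)
      op_ok = ($6 == op || $6 == "ALL")
      if (!name_ok || !op_ok) next
      if ($7 == "DENY")  deny = 1
      if ($7 == "ALLOW") allow = 1
    }
    # Permitted if and only if an ALLOW matches and no DENY matches.
    END { exit((allow && !deny) ? 0 : 1) }
  '
}

check() {
  if is_authorized "$@"; then echo "PERMIT $*"; else echo "DENY   $*"; fi
}

check User:john SoftwareEng            WRITE private-builds    # ALLOW via role
check User:jane SoftwareEng,Contractor WRITE private-payroll   # DENY overrides ALLOW
check User:jane SoftwareEng,Contractor WRITE private-builds    # DENY does not match
check User:john SoftwareEng            WRITE audit             # no matching ALLOW
```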


### RBAC example

Consider a scenario where your software engineers use a set of private topics to publish application update information to users. All your private topics begin with the prefix `private-`. You might create a new `SoftwareEng` role to represent the software engineers with write access to these private topics. You would then assign the `SoftwareEng` role as the allowed role for a new ACL specifying read and write permissions to every topic whose name begins with `private-`. Matching on the prefix includes all existing private topics and any new ones you might create later. You then assign the new role to John and Jane, your two software engineers who will write messages to these topics. The `rpk` commands to accomplish this are:

```bash
# A literal resource name matches only a topic with exactly that name,
# so the ACL uses a prefixed pattern to cover every topic starting with "private-".
rpk security role create SoftwareEng &&
rpk security acl create --operation read --operation write --topic private- --resource-pattern-type prefixed --allow-role SoftwareEng &&
rpk security role assign SoftwareEng --principal User:john,User:jane
```

This diagram shows the relationships between users, roles, and ACLs:

![RBAC role assignments](https://docs.redpanda.com/streaming/25.1/shared/_images/rbac-roles.png)

Consider the situation where you want to create a new topic, `private-software-versions`, where users self-report the version of a component they are using. If you were using the ACL authorization mechanism, you would need to assign this ACL to every user in your Redpanda installation. Using RBAC allows you to make one update and apply it to everyone with that role. Adding the write permissions for this topic to the `User` role means everyone with that role (all authenticated users in the diagram) gains the authorization immediately. For example:

```bash
rpk security acl create --operation write --topic private-software-versions --allow-role User
```

## Manage users and roles

Administrators can manage RBAC configurations with `rpk`, the Redpanda Admin API, or Redpanda Console.

### Create a role

Creating a new role is a two-step process. First you define the role, giving it a unique and descriptive name. Second, you assign one or more ACLs to allow or deny access for the new role. This defines the permissions that are inherited by all users assigned to the role. It is possible to have an empty role with no ACLs assigned.

#### rpk

To create a new role, run:

```bash
rpk security role create <role_name>
```

After the role is created, administrators create new ACLs and assign this role either allow or deny permissions. For example:

```bash
rpk security acl create ... --allow-role <role_name>
```

Example of creating a new role named `red`:

```bash
rpk security role create red
```

```bash
Successfully created role "red"
```

#### Redpanda Console

To create a new role:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.

3.  Click **Create role**.

4.  In the `Create role` view, provide a name for the role and an optional origin host for users to connect from.

5.  Define the permissions (access control lists, ACLs) for the role. You can create ACLs for topics, consumer groups, and transactional IDs.

6.  _(Optional)_ You can assign one or more principals (users) to the role when creating it.

7.  Click **Create**.

### Delete a role

When a role is deleted, Redpanda carries out the following actions automatically:

-   All role ACLs are deleted.

-   All users' assignments to the role are removed.


Redpanda lists all impacted ACLs and role assignments when running this command. You receive a prompt to confirm the deletion action. The delete operation is irreversible.

#### rpk

To delete a role, run:

```bash
rpk security role delete <role-name>
```

Example of deleting a role named `red`:

```bash
rpk security role delete red
```

```bash
PERMISSIONS
===========
PRINCIPAL         HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
RedpandaRole:red  *     TOPIC          books          LITERAL                ALL        ALLOW
RedpandaRole:red  *     TOPIC          videos         LITERAL                ALL        ALLOW

PRINCIPALS (1)
==============
NAME   TYPE
panda  User
? Confirm deletion of role "red"?  This action will remove all associated ACLs and unassign role members Yes
Successfully deleted role "red"
```

#### Redpanda Console

To delete an existing role:

1.  Select `Security` from the left navigation menu.

2.  Click the role you want to delete. This shows all currently assigned permissions (ACLs) and principals (users).

3.  Click **Delete**.

4.  Redpanda Console displays a prompt asking you to confirm deletion of the role. The prompt differs based on whether there are principals assigned to the role or not. If there are principals assigned to the role, you must type the role name in the input field when prompted before you can continue.

5.  Click **Delete**.

### Assign a role

You can assign a role to any security principal. Principals are referred to using the format: `Type:Name`. Redpanda currently supports only the `User` type. If you omit the type, Redpanda assumes the `User` type by default. With this command, you can assign the role to multiple principals at the same time by using a comma separator between each principal.

#### rpk

To assign a role to a principal, run:

```bash
rpk security role assign <role-name> --principal <principals>
```

Example of assigning a role named `red`:

```bash
rpk security role assign red --principal bear,panda
```

```bash
Successfully assigned role "red" to
NAME   PRINCIPAL-TYPE
bear   User
panda  User
```

#### Redpanda Console

There are two ways to add a role to a principal:

Option 1, using the `Edit Role` view:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.

3.  Find the role you want to assign to one or more principals and then click on the role name.

4.  Click **Edit**.

5.  Below the list of permissions, find the `Principals` section. You can add any number of principals to the role at a time.

6.  After you have listed all new principals, click **Update**.


Option 2, using the `Edit User` view:

1.  Select `Security` from the left navigation menu.

2.  Select the `Users` tab.

3.  Find the user you want to assign one or more roles to and then click the user’s name.

4.  Using the `Assign Roles` input field, list the roles you want to add to this user.

5.  After you have added all roles, click **Update**.

### Unassign a role

You can remove a role assignment from a security principal without deleting the role. Principals are referred to using the format: `Type:Name`. Redpanda currently supports only the `User` type. If you omit the type, Redpanda assumes the `User` type by default. With this command, you can remove the role from multiple principals at the same time by using a comma separator between each principal.

#### rpk

To remove a role assignment from a principal, run:

```bash
rpk security role unassign <role_name> --principal <principals>
```

Example of unassigning a role named `red`:

```bash
rpk security role unassign red --principal panda
```

```bash
Successfully unassigned role "red" from
NAME   PRINCIPAL-TYPE
panda  User
```

#### Redpanda Console

There are two ways to remove a role from a principal:

Option 1, using the `Edit Role` view:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.

3.  Find the role you want to remove from one or more principals and then click on the role name.

4.  Click **Edit**.

5.  Below the list of permissions, find the `Principals` section. Click **x** beside the name of any principals you want to remove from the role.

6.  After you have removed all needed principals, click **Update**.


Option 2, using the `Edit User` view:

1.  Select `Security` from the left navigation menu.

2.  Select the `Users` tab.

3.  Find the user you want to remove from one or more roles and then click the user’s name.

4.  Click **x** beside the name of any roles you want to remove this user from.

5.  After you have removed the user from all roles, click **Update**.

### Edit role permissions

You can add or remove ACLs from any of the roles you have previously created.

#### rpk

To modify an existing role by adding additional ACLs to it, run:

```bash
rpk security acl create ... --allow-role <role_name>
```

```bash
rpk security acl create ... --deny-role <role_name>
```

To use `rpk` to remove ACLs from a role, run:

```bash
rpk security acl delete ... --allow-role <role_name>
rpk security acl delete ... --deny-role <role_name>
```

When you run `rpk security acl delete`, Redpanda deletes all ACLs matching the parameters supplied. Make sure to match the exact ACL you want to delete. If you supply only the `--allow-role` flag, for example, Redpanda will delete every ACL granting that role authorization to a resource.

To list all the ACLs associated with a role, run:

```bash
rpk security acl list --allow-role <role_name> --deny-role <role_name>
```
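
One way to guard against the broad-delete case described above is a wrapper that rejects under-specified filters and lists the matching ACLs before deleting them. This is an added example, not part of rpk or the Redpanda docs: the function names and the `RPK` override variable are hypothetical, and requiring a role, a resource, and an operation is a policy choice of this sketch. The role `red` and topic `books` are taken from this page's sample output.

```shell
#!/usr/bin/env bash
# Added example (not Redpanda code): refuse broad `rpk security acl delete`
# filters and show the matching ACLs before deleting them.
# RPK is an override hook for this example, for instance RPK=echo for a dry run.
RPK="${RPK:-rpk}"

# Succeeds only if the filter names a role, a resource and an operation.
acl_filter_is_specific() {
  has_role=0; has_resource=0; has_op=0
  for arg in "$@"; do
    case "$arg" in
      --allow-role|--allow-role=*|--deny-role|--deny-role=*) has_role=1 ;;
      --topic|--topic=*|--group|--group=*)                   has_resource=1 ;;
      --transactional-id|--transactional-id=*)               has_resource=1 ;;
      --operation|--operation=*)                             has_op=1 ;;
    esac
  done
  [ "$has_role" -eq 1 ] && [ "$has_resource" -eq 1 ] && [ "$has_op" -eq 1 ]
}

# guarded_acl_delete <the same filter flags you would pass to acl delete>
# Returns 2 without calling rpk when the filter is too broad.
guarded_acl_delete() {
  if ! acl_filter_is_specific "$@"; then
    echo "refusing: filter must name a role, a resource and an operation" >&2
    return 2
  fi
  echo "ACLs matching this filter:"
  "$RPK" security acl list "$@" || return 1
  "$RPK" security acl delete "$@"
}

# Usage:
#   guarded_acl_delete --allow-role red                  -> refused
#   guarded_acl_delete --topic books --operation write --allow-role red
```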

See also:

-   [Access Control Lists](https://docs.redpanda.com/streaming/25.1/manage/security/authorization/acl/) for more information on defining and using ACLs.

-   [rpk security acl create](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security-acl-create/)

-   [rpk security acl delete](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security-acl-delete/)

-   [rpk security acl list](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security-acl-list/)

#### Redpanda Console

To edit the ACLs for an existing role:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.

3.  Find the role you want to edit and then click on the role name.

4.  Click **Edit**.

5.  In the `Edit Role` view, you can update the optional origin host for users to connect from.

6.  You can add ACLs to the role or remove existing ones. As when creating a new role, you can create or modify ACLs for topics, consumer groups, and transactional IDs.

7.  After making all changes, click **Update**.

### List all roles

Redpanda lets you view a list of all existing roles.

#### rpk

To view a list of all active roles, run:

```bash
rpk security role list
```

Example of listing all roles:

```bash
rpk security role list
```

```bash
NAME
red
```

#### Redpanda Console

To view all existing roles:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.


All roles are listed in a paginated view. You can also filter the view using the input field at the top of the list.

### Describe a role

When managing roles, you may need to review the ACLs the role grants or the list of principals assigned to the role.

#### rpk

To view the details of a given role, run:

```bash
rpk security role describe <role_name>
```

Example of describing a role named `red`:

```bash
rpk security role describe red
```

```bash
PERMISSIONS
===========
PRINCIPAL         HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
RedpandaRole:red  *     TOPIC          books          LITERAL                ALL        ALLOW
RedpandaRole:red  *     TOPIC          videos         LITERAL                ALL        ALLOW

PRINCIPALS (1)
==============
NAME  TYPE
panda User
```

#### Redpanda Console

To view details of an existing role:

1.  Select `Security` from the left navigation menu.

2.  Select the `Roles` tab.

3.  Find the role you want to view and click the role name.


All roles are listed in a paginated view. You can also filter the view using the input field at the top of the list.

## Suggested reading

-   [`rpk security`](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security/)

-   [`rpk security acl`](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security-acl/)

-   [`rpk security acl create`](https://docs.redpanda.com/streaming/25.1/reference/rpk/rpk-security/rpk-security-acl-create/)


## Suggested labs

-   [Enable Unified Identity with Azure Entra ID for Redpanda and Redpanda Console](https://docs.redpanda.com/labs/docker-compose/oidc/)
-   [Migrate Data with Redpanda Migrator](https://docs.redpanda.com/labs/docker-compose/redpanda-migrator/)
