
How do I set up role-based access control (RBAC) and least privilege for a municipality?
Mike Fraanje
4 min read
What exactly do RBAC and least privilege mean?
Role-based access, or role-based access control (RBAC), means that you grant permissions to roles and link people to roles, rather than giving each individual separate permissions. A practitioner, a policy officer and a team leader each have their own profile with the access associated with that role. Least privilege is the accompanying principle: someone is granted no more access than is strictly necessary for their work.
Together, these principles ensure that access becomes explainable. For every employee, you can show why they have certain permissions, namely because the role requires it. This is exactly what the Baseline Information Security Government (BIO) requires.
How do you translate positions into roles at a municipality?
The practical starting point is a role overview that matches the positions as they appear in the HR-system. Map out which applications and data are needed per position and record this in an authorisation profile. Keep the number of roles manageable by looking at what positions have in common, and add department or organisational unit where this determines access. Avoid exceptions at an individual level, as these undermine the overview and are difficult to account for.
A municipality often has a large application landscape, from case management systems to office automation. By managing roles centrally rather than separately per department, you prevent fragmentation that leaves no one with a total overview.
How do you keep management central and provable?
RBAC only works if the assignment and revocation of roles is handled reliably. It is therefore wise to make the HR-system the source of truth and have an orchestration layer automatically apply the roles in the work environment. Joinly works as such a layer on top of Microsoft Entra ID or Google Workspace: upon entry, the employee receives the role associated with the position, a change of position automatically leads to the correct adjustment, and upon departure, the roles are revoked. Every change is logged.
This makes least privilege a continuous process rather than a one-off setup, and allows you to periodically demonstrate that actual access still matches the intended access. This applies to employees; citizen identities fall outside this setup.
FAQ
How many roles do I need? As many as necessary to meaningfully distinguish positions, but as few as possible to keep it manageable. Start with the largest position groups and refine where practice demands it.
What do I do with exceptions? Record exceptions as temporary, traceable assignments with an end date, rather than as permanent individual permissions. This keeps the overview intact.
Does RBAC align with the BIO? Yes. The Baseline Information Security Government (BIO) is based on role-based access and least privilege; RBAC is the direct implementation of this.



