Just as it is with on-prem environments, a coherent access management solution is critical to protecting Azure resources. Role-Based Access Control or RBAC offers the ability to manage which users have access to which resources. It also allows you to control what users can do with the resources that they have access to as well as what areas in Azure that they have access to. 

RBAC is Azure's built-in authorization system and it provides fine-grained access management of Azure resources. So what exactly can you do with RBAC? Well, for one, you can allow certain users to manage only virtual machines within a subscription while allowing other users to manage only virtual networks. Another case would be a scenario where you allow your DBAs to manage SQL databases in your Azure subscription but nothing else. In a broader use case scenario, you might want to allow a certain group of users to manage all resources contained within a specific resource group. Another example would be a scenario where you need to allow a specific application to access the resources within a specific resource group. So as you can see, there are quite a few things that are made possible through the use of RBAC. 

By separating duties via RBAC, you can grant only the specific access that users need to perform their jobs. Gone are the days where you need to grant a person unrestricted permissions when all that person needs is a subset of those permissions. As part of any good access control strategy, you should always grant users the least privileges they need to get their work done. RBAC controls access to resources through the enforcement of role assignments. These role assignments are how permissions are enforced. 

It's important to note that each role assignment consists of three elements. These elements include a security principal, a role definition and a scope. In the next lesson, we'll talk about these elements a little more in detail.