Relationship-Based Access Control
ReBAC.
An authorization model where permissions are computed by traversing a graph of relationships between subjects and resources, popularized by Google's Zanzibar paper.
ReBAC fits well when the application has resources that users hold permissions on (projects, documents, repos, channels, files), when permissions inherit through a containment hierarchy, when sharing is a first-class operation, or when the system needs reverse queries ("which resources does Alice have access to?"). Most mature B2B SaaS in 2026 runs RBAC for coarse-grained policy plus ReBAC for resource-level permissions; this hybrid is the de-facto pattern.
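As an added illustration (not code from the original page, Zanzibar or any ReBAC product), a minimal Zanzibar-style relationship graph in Python: relation tuples form the graph, a small schema says which relations imply others or are inherited from a parent object, `check()` walks the graph, and `list_objects()` is the reverse query. The schema, object names and tuples are constructed for the example.

```python
from collections import defaultdict

# Constructed schema: a relation is satisfied by a direct tuple, by another
# relation on the same object ("implied"), or by a relation on a linked
# object ("via", e.g. viewer of the parent folder is viewer of the document).
SCHEMA = {
    "document": {"owner": {}, "parent": {},
                 "editor": {"implied": ["owner"]},
                 "viewer": {"implied": ["editor"], "via": [("parent", "viewer")]}},
    "folder":   {"parent": {}, "viewer": {"via": [("parent", "viewer")]}},
    "group":    {"member": {}},
}

# Constructed tuples: (object, relation, subject). A subject is a user or a
# userset such as "group:eng#member", which expands recursively.
TUPLES = [
    ("group:eng", "member", "user:alice"),
    ("folder:root", "viewer", "group:eng#member"),
    ("folder:q3", "parent", "folder:root"),
    ("document:plan", "parent", "folder:q3"),
    ("document:plan", "owner", "user:bob"),
    ("document:memo", "editor", "user:carol"),
]

class RelationGraph:
    def __init__(self, tuples):
        self.index = defaultdict(set)  # (object, relation) -> subjects
        self.objects = {obj for obj, _, _ in tuples}
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def check(self, user, relation, obj, seen=None):
        """Does `user` hold `relation` on `obj`? Depth-first graph walk."""
        seen = set() if seen is None else seen
        if (obj, relation, user) in seen:   # cycle guard / already explored
            return False
        seen.add((obj, relation, user))
        for subj in self.index[(obj, relation)]:
            if subj == user:
                return True
            if "#" in subj:                  # userset: recurse into its members
                sobj, srel = subj.split("#")
                if self.check(user, srel, sobj, seen):
                    return True
        rules = SCHEMA[obj.split(":")[0]].get(relation, {})
        if any(self.check(user, r, obj, seen) for r in rules.get("implied", [])):
            return True
        return any(self.check(user, trel, target, seen)
                   for lrel, trel in rules.get("via", [])
                   for target in self.index[(obj, lrel)])

    def list_objects(self, user, relation, obj_type):
        """Reverse query: every object of `obj_type` on which the check passes."""
        return sorted(o for o in self.objects
                      if o.startswith(obj_type + ":") and self.check(user, relation, o))
```

Alice reaches `document:plan` only through group membership and two levels of folder containment; a real Zanzibar-style engine indexes the reverse query instead of scanning every object as `list_objects()` does here.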
Common questions
What's the difference between ReBAC and RBAC?
Is OpenFGA the same as ReBAC?
When should I use ReBAC over RBAC?