Role-Based Access Control (RBAC)

Control access to actions and data
in Backstage with ease.

Role-Based Access Control (RBAC) header image

About RBAC

The RBAC plugin is a no-code management UI for restricting access to plugins, routes, and data within Backstage. Admins can quickly define roles, assign users and groups, and configure permissions to encode authorization decisions according to your organization’s evolving security and compliance needs.

  • Simplify access management

    RBAC makes it easy for anyone, not just engineers, to efficiently manage access to resources and actions in Backstage. With its no-code interface, administrators can easily set up roles with members and permissions – including complex conditional permissions or those exported from private plugins.

  • Remain compliant and secure

    The simpler it is to manage role-based access control, the better protected your data will be. RBAC allows administrators to quickly, flexibly, and easily create, publish, edit, or revert permission policies to stay up-to-date and compliant with your organization’s security needs.

RBAC features


The RBAC homepage displays current and previously published policies, and the table below lists previous policy versions, which you can either view or republish.

rbac homepage feature image


Roles make permission decisions in the RBAC plugin. Each role includes a list of members and affiliated permissions. RBAC integrates with Backstage’s catalog of users and groups to assign role membership.

rbac roles feature image


Permissions can be matched to the role by specific permission name, permission properties, or globally. Permissions return policy decisions – either allow, deny or conditional.

rbac permissions feature image

Conditional decisions

The RBAC plugin has a condition builder that helps you compose rules corresponding to the permission.

rbac conditional decisions


After you’re done creating a policy, you can publish it. Backstage immediately uses the new policy to make authorization decisions.

rbac permissions

Frequently Asked Questions 🤔

Where can I find installation instructions and technical documentation for RBAC?
All of the installation instructions for the Spotify Plugins for Backstage are public via npm packages. You can find the documentation specifically for RBAC in this npm package. 
How is this different from the open source permissions framework?
The biggest difference between the RBAC offering within the Spotify Plugins for Backstage subscription and the open source permissions framework is that the RBAC plugin is a no-code interface that easily allows anyone within your organization to configure permission policies. This plugin offers a guided policy authoring experience, so that you don't need to dig through code and docs to implement your policy. RBAC provides real-time validation as you build your policy, structured mapping between organization and roles, and a view of all the changes made.
How do I integrate RBAC with my other plugins?
RBAC utilizes Backstage’s open source permission framework to allow or restrict access. In order to integrate RBAC with other plugins, plugins should instead integrate with the permission framework. More information on how to configure the permission framework for a plugin can be found here.

Take Backstage to the next level