---
title: Role-based access control (RBAC)
description: 'How InfluxDB 3 Enterprise role-based access control (RBAC) works: built-in roles, the permissions model, and current limitations. RBAC is part of the user authentication preview.'
url: https://docs.influxdata.com/influxdb3/enterprise/reference/internals/rbac/
estimated_tokens: 365
product: InfluxDB 3 Enterprise
version: enterprise
publisher: InfluxData
canonical: https://docs.influxdata.com/influxdb3/enterprise/reference/internals/rbac/
date: '2026-06-16T22:28:58-04:00'
lastmod: '2026-06-16T22:28:58-04:00'
---

#### RBAC is part of the user authentication preview

Role-based access control applies to the multi-user authentication preview,
which is **off by default** in InfluxDB 3 Enterprise. Existing `apiv3_`token workflows are unaffected. See[Manage users and authentication](/influxdb3/enterprise/admin/security/manage-users/)to enable the preview.

Role-based access control (RBAC) governs what authenticated users can do in
InfluxDB 3 Enterprise. Each user is assigned one or more built-in roles that
determine their permissions.

## Built-in roles

InfluxDB 3 Enterprise provides three built-in roles:

* **Admin**: Full administrative access, including user and role management.
* **Auditor**: Read access intended for reviewing and auditing the system.
* **Member**: Standard access for working with data.

## Assign roles

Assign roles to a user with the `influxdb3 update user-roles` command. See[Manage users and authentication](/influxdb3/enterprise/admin/security/manage-users/)for the user-management workflow.

## Limitations

RBAC has the following known limitations in InfluxDB 3 Enterprise:

* **Token scope can exceed role scope**: A non-admin user can currently create tokens with broader permissions than their assigned role.

#### Related

* [Manage users and authentication](/influxdb3/enterprise/admin/security/manage-users/)
* [InfluxDB 3 Enterprise authentication and authorization](/influxdb3/enterprise/reference/internals/authentication/)