RBAC (Role-Based Access Control)
RBAC grants capabilities by role rather than individual: support reads player data but not commission rules; finance approves payouts but not deal terms; analysts query aggregates but not PII.
Why auditors ask about it first
Internal fraud and data-leak scenarios both begin with over-permissioned accounts; RBAC plus review cadence (quarterly access recertification — the joiners-movers-leavers gap is the classic finding) contains them. Gambling-specific surfaces: bonus-issuance rights (unlimited manual bonuses tempt collusion), adjustment rights (rev adjustments need makers and checkers), and multi-brand separation (agency staff on brand A must not browse brand B’s partners). Access logs feed the audit trail this glossary keeps returning to — for the good reason that everything eventually does.