doc/user/content/security/self-managed/access-control/_index.md
{{< note >}}
Initially, only the mz_system user (which has superuser/administrator
privileges) is available to manage roles.
{{</ note >}}
<a name="role-based-access-control-rbac" ></a>
In Materialize, role-based access control (RBAC) governs access to objects through privileges granted to database roles.
{{% include-headless "/headless/rbac-sm/enable-rbac" %}}
{{% include-headless "/headless/rbac-sm/db-roles" %}}
{{% include-headless "/headless/rbac-sm/create-users" %}}
{{% include-headless "/headless/rbac-sm/create-functional-roles" %}}
{{% include-headless "/headless/rbac-sm/db-roles-managing-privileges" %}}
{{< annotation type="Disambiguation" >}} {{% include-headless "/headless/rbac-sm/grant-vs-alter-default-privilege" %}} {{</ annotation >}}
{{% include-headless "/headless/rbac-sm/db-roles-initial-privileges" %}}
You can modify the privileges of your organization's PUBLIC role as well as
the modify default privileges for PUBLIC.
In Materialize, when you grant a role to another role (user role/service account role/independent role), the target role inherits privileges through the granted role.
In general, to grant a user or service account privileges, create roles with the desired privileges and grant these roles to the user or service account role. Although you can grant privileges directly to the user or service account role, using separate, reusable roles is recommended for better access management.
With privilege inheritance, you can compose more complex roles by combining existing roles, enabling modular access control. However:
{{% yaml-sections data="rbac/recommendations-sm" heading-field="recommendation" heading-level=3 %}}