# OpenAPI extension: `x-rbac`

The `x-rbac` option allows you to control access to various OpenAPI objects based on the [teams](/docs/realm/reunite/organization/teams) in your organization.

## Location

Add `x-rbac` to any OpenAPI object, such as an `Operation`, `Parameter`, or `Schema`.
If the current user is not in a team with access, the object is not rendered in the documentation.
Objects restricted by `x-rbac` are excluded from the downloadable OpenAPI file, ensuring consistent access control across all representations of the API documentation.

Search considerations
When `x-rbac` is applied to a Parameter object or Schema object property, it removes the object from the search functionality.
This includes users who have access to this object.

## Options

| Option | Type | Description |
|  --- | --- | --- |
| x-rbac | Map[string, string] | Map of team names to [project roles](/docs/realm/access/roles#project-roles).
Team names come from the identity provider or teams associated with the Redocly login.
Additionally, there are automated team names `anonymous` (meaning all users who are not logged in), `authenticated` (meaning any user who is logged in).
Learn more about mapping group names that come from the identity provider through the [single-sign-on (SSO) configuration to either Redocly default teams or project RBAC teams](/docs/realm/reunite/organization/sso/add-idp#team-mapping).
In addition, the team name `*` represents the rest of the teams not defined in sibling properties including `anonymous` and `authenticated`.
Possible values of roles: `none`, `read`, `write`, `triage`, `maintain`, or `admin`. |


## Example

The following example shows how to enable access to the `GetMuseumHours` operation to only those users who are authenticated.


```yaml
---
paths:
  /museum-hours:
    get:
      summary: Get museum hours
      description: Get upcoming museum operating hours.
      operationId: getMuseumHours
      x-rbac:
        authenticated: read
      tags:
        - Operations
      # ...
---
```

## Resources

- **[Role-based access control concepts](/docs/realm/access/rbac)** - Learn about RBAC fundamentals and how it integrates with OpenAPI documentation
- **[RBAC configuration guide](/docs/realm/access)** - Complete implementation guide for adding role-based access control to your project
- **[Show extensions configuration](/docs/realm/config/openapi/show-extensions)** - Control which extensions are included in your API reference documentation for optimal presentation
- **[OpenAPI configuration settings](/docs/realm/config/openapi)** - Complete reference for all available OpenAPI configuration options and customization settings
- **[Supported OpenAPI extensions](/docs/realm/content/api-docs/openapi-extensions)** - Complete list of all OpenAPI extensions supported by Redocly for enhanced API documentation