diff --git a/docs/architecture/decisions/0019-role-based-access-control.md b/docs/architecture/decisions/0019-role-based-access-control.md new file mode 100644 index 000000000..d5bc5ddb3 --- /dev/null +++ b/docs/architecture/decisions/0019-role-based-access-control.md @@ -0,0 +1,29 @@ +# 19. Role-based Access Control + +Date: 2023-03-17 + +## Status + +Approved + +## Context + +In the registrar application, a single user might be associated with many +domains, and they might have different levels of access to view or change +those domains. + +## Decision + +To use a role-based access control system where we have a model of different +roles and an association that links a user to a specific role with a specified +role. Each role would have some associated permissions in the application and +we can enforce those permissions by using decorators on our Django views. + +## Consequences + +There is no enterprise model here of users belonging to an “organization” with +a role on all of its associated domain names. Instead, the association is +per-domain and a user would have to be granted the role on each domain +individually. There is also no process designed yet for how and whether users +can grant other users roles on a domain. +
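Review bot: In the Decision section, "an association that links a user to a specific role with a specified role" repeats "role" and drops the domain, which is the thing the Context says access is scoped to; I read it as "an association that links a user to a specific domain with a specified role", and the ADR should say so, since a reader could otherwise take the role to be global. Related, "we can enforce those permissions by using decorators on our Django views" is only sufficient if the decorator resolves the domain from the request (URL kwarg or object) and checks that this user holds the role on that domain, rather than checking that the user holds the role on any domain; given the Consequences state the association is "per-domain and a user would have to be granted the role on each domain individually", it would help to record that object-level check as part of the decision, and to name the three things the model is expected to have (user, domain, role) so later ADRs and the implementation line up with it.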