What is RBAC (Role-Based Access Control)?
An authorization model where users are assigned roles, and roles are granted permissions.
Full explanation
RBAC simplifies authorization: you grant permissions to roles (Admin, Member, Viewer), not to users directly. When a user's responsibilities change, you change their role rather than auditing each individual permission. Contrast this with ABAC (Attribute-Based Access Control), which grants permissions based on dynamic attributes of the user, the resource, and the environment.
Example
A SaaS app has Admin (full), Member (edit content), Viewer (read-only) roles. A new teammate is added as Viewer; promotion to Member is a one-line change.
FAQ
RBAC vs ABAC?
RBAC is simpler. ABAC is more expressive. Modern systems often start with RBAC and layer ABAC attributes on top for special cases (time-of-day or location-based access).
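The SaaS example above and the "start with RBAC, layer ABAC" pattern from the FAQ, as an added example that is not part of the original entry. The role names, permission strings, user names and the business-hours window are constructed for illustration; the key points it shows are deny-by-default for unknown users, promotion as a single role reassignment, and an attribute condition applied only after the role check passes.

```python
from datetime import time

# Role -> permissions. Permissions are granted here, never to users directly.
ROLE_PERMISSIONS = {
    "Admin": {"content:read", "content:edit", "users:manage", "billing:manage"},
    "Member": {"content:read", "content:edit"},
    "Viewer": {"content:read"},
}

# User -> role. Constructed sample users; changing a user's access is one assignment.
USER_ROLES = {"alice": "Admin", "bob": "Member", "carol": "Viewer"}


def permissions_for(user: str) -> set:
    """Resolve a user's effective permissions via their role.
    Unknown users or roles resolve to the empty set (deny by default)."""
    role = USER_ROLES.get(user)
    return ROLE_PERMISSIONS.get(role, set())


def is_allowed(user: str, permission: str) -> bool:
    """Pure RBAC check: does the user's role carry this permission?"""
    return permission in permissions_for(user)


def promote(user: str, new_role: str) -> None:
    """Reassign a role. Refuses roles that were never defined, so a typo
    cannot silently strip or grant access."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    USER_ROLES[user] = new_role


def is_allowed_abac(user: str, permission: str, *, now: time,
                    business_hours: tuple = (time(8), time(18))) -> bool:
    """RBAC first, then an ABAC-style attribute condition layered on top.
    Here the environment attribute is the current time: billing changes
    are only permitted during business hours (a constructed policy)."""
    if not is_allowed(user, permission):
        return False
    if permission == "billing:manage":
        start, end = business_hours
        return start <= now < end
    return True
```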