Behind the scenes, role-based authorization uses a pre-configured authorization policy, which contains conditions that allow code to evaluate whether a user should be permitted to access a protected API. The authorization policy determines:
  • how to define and organize the users or roles that are affected by the policy
  • what logic and conditions apply to the policy and whether their outcome permits or denies access
When using Auth0’s core authorization and role-based access control (RBAC), the policy includes evaluating the roles and permissions assigned to users. To use these features, you must enable role-based access control for APIs. You can further customize the authorization policy by using rules. To learn more, read Rules for Authorization Policies.