Behind the scenes, role-based authorization uses a pre-configured authorization policy, which contains conditions that allow code to evaluate whether a user should be permitted to access a protected API.
The authorization policy determines:
how to define and organize the users or roles that are affected by the policy
what logic and conditions apply to the policy and whether their outcome permits or denies access
When using Auth0's core authorization and role-based access control (RBAC), the policy includes evaluating the roles and permissions assigned to users. To use these features, you must enable role-based access control for APIs.