Behind the scenes, role-based authorization uses a pre-configured authorization policy, which contains conditions that allow code to evaluate whether a user should be permitted to access a protected API.
The authorization policy determines:
- how to define and organize the users or roles that are affected by the policy
- what logic and conditions apply to the policy and whether their outcome permits or denies access
When using Auth0's core authorization and role-based access control (RBAC), the policy includes evaluating the roles and permissions assigned to users. To use these features, you must enable role-based access control for APIs.