Could Enabling RBAC Break Live Functionality?

If I’m actively using auth0 to manage auth to a live site, could enabling RBAC somehow break the live site? And what does flipping the switch actually do, technically speaking?

If you care to expand I’d love more details on what the description for the enable rbac toggle means:

If this setting is enabled, RBAC authorization policies will be enforced for this API. Role and permission assignments will be evaluated during the login transaction.

For context I want to enable RBAC so I have access to roles in my rules: Sample Use Cases: Rules with Authorization

Hi @lucas5,

Welcome to the Community!

Enabling RBAC will add functionality such as add API permissions to users who are assigned roles. If your site already has its own permission model, then there may be some complications, but overall, it is unlikely to break the live site. (It’d be best to test with a test API in a test env for your app to be safe)

With RBAC enabled, when I log in as a user with a basic role, the Access Token issued to my app will have the read:basic permission:

  "iss": "",
  "sub": "google-oauth2|115088824167938831773",
  "aud": [
  "iat": 1620387612,
  "exp": 1620387632,
  "azp": "iTAbnWQtk4voRjZyOp0ZHYL24s101ppB",
  "scope": "openid profile email offline_access",
  "permissions": [

Note: it is optional to include the permissions claim in the Access Token.

You can read more about Auth0’s RBAC features here:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.