Scopes VS RBAC with respect to Access Control

Do you normally choose one or the other when implementing access control, or do Scopes and RBAC serve different purposes so that you can use them at the same time? Again, this is with respect to the API/resources when checking what the user can do. I can see that you can use scopes (ex. read-only) to put an extra limit on the role (can read, write, and delete) assigned to a user, but I think that is overkill.

Hi,
In essence, permissions determine what actions a user is allowed to perform on a specific resource. On the other hand, scopes are typically requested by applications to act as a proxy for the user. You could theoretically incorporate permissions into the access token using Role-Based Access Control (RBAC).
I would highly suggest you also check out Auth0’s blog for Permissions, Privileges, and Scopes
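As an added illustration (not code from either reply, and not an Auth0 library), here is how an API could enforce both layers from an already-verified access token: the `scope` claim bounds what the calling application was delegated, and a `permissions` claim (assumed here to be the name under which RBAC permissions land in the token) carries what the user's roles allow. A request passes only when both agree, which is exactly the "read-only scope on top of a read/write/delete role" case from the question. The claim names and the sample payload are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample of a decoded access-token payload. A real API must verify
# the JWT signature and audience before trusting any of this. Claim names are
# assumptions for this example: a space-separated "scope" claim granted to the
# calling application, and a "permissions" list derived from the user's roles.
SAMPLE_CLAIMS = {
    "sub": "auth0|user123",
    "scope": "openid read:documents",
    "permissions": ["read:documents", "write:documents", "delete:documents"],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, required: str) -> Decision:
    """Allow `required` (e.g. "write:documents") only if BOTH layers permit it.

    Layer 1 (delegation): the application must hold the scope, otherwise the
    app would be doing more than the user consented to.
    Layer 2 (RBAC): the user's roles must include the permission, otherwise a
    consented scope alone would let a low-privilege user act.
    """
    scopes = set(claims.get("scope", "").split())
    permissions = set(claims.get("permissions", []))
    if required not in scopes:
        return Decision(False, f"scope '{required}' not granted to the application")
    if required not in permissions:
        return Decision(False, f"user lacks permission '{required}'")
    return Decision(True, "scope and permission both present")


def effective_permissions(claims: dict) -> set[str]:
    """What this token can actually do: the intersection of both layers."""
    return set(claims.get("scope", "").split()) & set(claims.get("permissions", []))


if __name__ == "__main__":
    for action in ("read:documents", "write:documents", "delete:documents"):
        d = authorize(SAMPLE_CLAIMS, action)
        print(f"{action:16} -> {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("effective:", sorted(effective_permissions(SAMPLE_CLAIMS)))
```

With the sample token only `read:documents` is effective: the role would allow write and delete, but the application was only delegated read.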

Hello @jquerijero,

Welcome back to the Auth0 community!

What @Fario_Consulting explained above is right. Adding permissions to the Access Token is a good approach that doesn’t bring security issues.

In addition to the link shared above, I suggest taking a look at the following resources regarding scopes and permissions:

I hope this was useful and if you have more questions don’t hesitate coming back to the community.

Thanks,
Tudor

I’m clear about the definitions. My question is actually about the common approach in which most industries utilize scopes and roles (permissions). Do you normally use both, or one or the other?