Role Based Authorization

Node js 9 min min read Updated: Mar 30, 2026 Advanced
Progress 9 / 10
📑 Table of Contents
Basics
Express & APIs
Database & Authentication
Advanced & Scaling
DevOps & Deployment
🎓 Want Live Training?

Join our expert-led Node js Training live classes

Enroll Now
Role Based Authorization
Advanced Topic 9 of 10

Role Based Authorization (RBAC) in Node.js

Authentication and authorization are closely related, but they are not the same thing. Authentication checks who the user is, while authorization decides what that user is allowed to do.

Role Based Authorization, often called RBAC, is a common way to control access in backend applications. It works by assigning roles such as admin, editor, or user to people and then allowing or blocking access based on those roles.

Key Concept: RBAC controls access to routes, actions, and resources based on the role assigned to a user.

What is Role Based Authorization?

Role Based Authorization is a security model where permissions are attached to roles instead of directly assigning permissions to every individual user. A user gets access based on the role they hold in the system.

For example:

  • Admin: Can manage all users, settings, and resources
  • Editor: Can create and update content
  • User: Can view or use limited features

Why RBAC is Important

  • Improves security: Prevents unauthorized access
  • Easy to manage: Roles are simpler than handling user-by-user permissions
  • Scalable: Works well as the application grows
  • Clear structure: Makes access control easy to understand

Authentication vs Authorization

Concept Meaning
Authentication Verifies who the user is
Authorization Decides what the user can access

In most applications, authorization happens after authentication. First the user logs in, then the system checks their role before allowing access.

Example User Object with Role

A user record often contains a role field:

javascript const user = { id: 1, name: "Rahul", email: "rahul@example.com", role: "admin" };

This role can be stored in the database and included in the JWT payload after login.

Adding Role to JWT Token

After successful login, you can include the user role inside the token:

javascript const jwt = require("jsonwebtoken"); const token = jwt.sign( { userId: user.id, email: user.email, role: user.role }, "secretkey", { expiresIn: "1h" } );

Now the token contains the role information, which can be used later in middleware.

Basic Authorization Middleware

A role-based middleware can check whether the logged-in user has permission to access a route.

javascript function authorizeRoles(...allowedRoles) { return (req, res, next) => { if (!req.user || !allowedRoles.includes(req.user.role)) { return res.status(403).json({ message: "Access denied" }); } next(); }; }

In this example:

  • allowedRoles contains roles that can access the route
  • req.user.role is checked against those roles
  • If the role is not allowed, the server returns 403 Forbidden

Using RBAC Middleware in Routes

Once authentication and authorization middleware are ready, you can protect routes like this:

javascript app.get("/admin-dashboard", authMiddleware, authorizeRoles("admin"), (req, res) => { res.json({ message: "Welcome Admin" }); }); app.get("/editor-panel", authMiddleware, authorizeRoles("admin", "editor"), (req, res) => { res.json({ message: "Welcome Editor or Admin" }); });

Here:

  • Only admin can access /admin-dashboard
  • Both admin and editor can access /editor-panel

Authentication Middleware Before Authorization

Authorization checks should only happen after a user has already been authenticated.

javascript function authMiddleware(req, res, next) { const token = req.header("Authorization"); if (!token) { return res.status(401).json({ message: "No token provided" }); } try { const decoded = jwt.verify(token, "secretkey"); req.user = decoded; next(); } catch (error) { return res.status(401).json({ message: "Invalid token" }); } }

This middleware verifies the JWT and attaches the user data to req.user.

Common Roles in Real Projects

  • Admin: Full system access
  • Manager: Access to team or department-level operations
  • Editor: Can create and update content
  • User: Limited access to personal or public features
  • Guest: Access to public-only routes

Real-World Use Cases of RBAC

  • Admin dashboards
  • Content management systems
  • E-commerce platforms with admin and customer roles
  • HR systems with employee and manager roles
  • Learning platforms with student, teacher, and admin roles

RBAC in Database Design

In small applications, a single role field in the user collection is enough. In larger systems, roles and permissions may be stored in separate collections or tables.

javascript const userSchema = new mongoose.Schema({ name: String, email: String, password: String, role: { type: String, enum: ["admin", "editor", "user"], default: "user" } });

This ensures only valid roles are stored in the database.

Best Practices for Role Based Authorization

  • Always authenticate first, then authorize
  • Keep roles simple and meaningful
  • Use enums or validation for role values
  • Return proper status codes like 401 and 403
  • Do not trust role values sent directly by the client
  • Store roles securely in the database and token payload

Common Mistakes

  • Confusing authentication with authorization
  • Allowing client-side role checks without backend enforcement
  • Not validating role values in the database
  • Using overly complex role systems too early

RBAC vs Permission-Based Access Control

RBAC is simpler and works well for most applications. Permission-based systems are more detailed because they assign specific permissions like create_post or delete_user.

Many large systems start with RBAC and later move toward a hybrid model with roles plus permissions.

Conclusion

Role Based Authorization is an essential technique for controlling access in backend applications. It ensures that users can only perform actions allowed for their role, which improves both security and maintainability.

When combined with JWT authentication and proper middleware, RBAC becomes a powerful way to build secure, scalable, and production-ready systems in Node.js.

Quick Summary: RBAC controls access based on user roles such as admin, editor, or user, helping secure routes and application actions in a simple and scalable way.
Refresh Tokens OAuth Integration
📚 Related Topics
Authentication with JWT

Get Newsletter

Subscibe to our newsletter and we will notify you about the newest updates on Edugators

CONTACT

info.edugators@gmail.com

COMPANY

PROGRAMS

 

 

TRENDING COURSES

© 2020 - 2026 Edugators. All rights Reserved.