
# Role-based access control overview

> Understand RBAC concepts and set up your policy in the Stytch Dashboard.

export const rbac = "Role-Based Access Control: An authorization model that manages access to resources within your application based on user roles.";

Stytch's <Tooltip tip={rbac}>RBAC</Tooltip> model streamlines the management and enforcement of permissions for Consumer Authentication.

<Columns cols={3}>
  <Card title="RBAC Dashboard" icon="shield-check" href="https://stytch.com/dashboard/rbac">
    Configure your policy in the Stytch Dashboard.
  </Card>

  <Card title="Frontend SDKs" icon="compass" href="/api-reference/consumer/frontend-sdks/react/methods/rbac/is-authorized">
    Gate UI with RBAC checks from the client.
  </Card>

  <Card title="Backend checks" icon="code" href="/api-reference/consumer/api/sessions/authenticate-session">
    Authorize requests on your backend with `sessions.authenticate`.
  </Card>
</Columns>

## The RBAC Policy

An RBAC policy is a governing document that stores all access controls. It is the canonical source for RBAC authorizations within a Stytch Project, made up of three core concepts:

* **Resources**: entities within your application
  * Examples: `documents`, `images`, `invoices`
* **Actions**: valid operations on a resource
  * Examples: `create`, `read`, `update`, `delete`
* **Roles**: named collections of permissions
  * Examples: `admin`, `editor`, `viewer`

### Resources

A Resource represents an entity in your application and is identified by a unique `resource_id` string you define.

### Actions

Actions are the allowed operations on a Resource. Actions can be standard CRUD operations or application-specific actions like `share`, `invite`, or `export`.

### Roles and permissions

A permission is a combination of a Resource and an Action (for example, `read` on `documents`). Roles are named sets of permissions. A Role can also include the wildcard action `*` to grant all actions for a Resource.

```json theme={null}
{
  "role_id": "reader",
  "permissions": [
    {
      "actions": ["read"],
      "resource_id": "documents"
    }
  ],
  "description": "Readers can view documents."
}
```
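The following JavaScript is an added example, not Stytch's SDK or any code from this page: it models how a policy of the shape shown above is evaluated. A user is authorized only when at least one of their Roles carries a permission for the requested Resource whose action list contains either the exact action or the wildcard `*` (default deny; unknown Role ids grant nothing, and a requested action of `*` is only satisfied by a wildcard permission). The `resources` and `policy` objects are constructed samples that reuse the page's field names (`role_id`, `resource_id`, `actions`); the helper names `isAuthorized`, `effectivePermissions` and `validatePolicy` are assumptions for illustration, not Stytch API names.

```javascript
// Added example (not Stytch's SDK): a minimal evaluator for a policy shaped
// like the RBAC policy document on this page. Field names role_id, resource_id
// and actions follow the page; everything else is constructed for illustration.

// Resources and the actions each one allows, as defined in the Dashboard
// when creating Resources (constructed sample).
const resources = {
  documents: ["create", "read", "update", "delete", "download"],
  invoices: ["create", "read", "update", "delete"],
};

// Roles and their permissions (constructed sample). The "billing" role
// deliberately grants "export", which "invoices" does not declare.
const policy = {
  roles: [
    { role_id: "reader", permissions: [{ resource_id: "documents", actions: ["read"] }] },
    { role_id: "editor", permissions: [{ resource_id: "documents", actions: ["read", "update", "download"] }] },
    { role_id: "billing", permissions: [{ resource_id: "invoices", actions: ["read", "export"] }] },
    {
      role_id: "admin",
      permissions: [
        { resource_id: "documents", actions: ["*"] },
        { resource_id: "invoices", actions: ["*"] },
      ],
    },
  ],
};

// Does one permission entry grant `action` on `resourceId`?
// A wildcard "*" on the permission side grants every action for that Resource.
function permissionGrants(permission, resourceId, action) {
  if (permission.resource_id !== resourceId) return false;
  return permission.actions.includes("*") || permission.actions.includes(action);
}

// Default-deny check: a user holding `roleIds` is authorized only if at least
// one of those Roles carries a matching permission. Unknown Role ids grant nothing.
function isAuthorized(policy, roleIds, resourceId, action) {
  const byId = new Map(policy.roles.map((r) => [r.role_id, r]));
  for (const id of roleIds) {
    const role = byId.get(id);
    if (!role) continue;
    if (role.permissions.some((p) => permissionGrants(p, resourceId, action))) return true;
  }
  return false;
}

// Effective permissions of a set of Roles, with wildcards expanded against the
// declared Resource actions so the result lists concrete actions (sorted).
// Handy for least-privilege reviews of who can do what.
function effectivePermissions(resources, policy, roleIds) {
  const out = {};
  const byId = new Map(policy.roles.map((r) => [r.role_id, r]));
  for (const id of roleIds) {
    const role = byId.get(id);
    if (!role) continue;
    for (const p of role.permissions) {
      const declared = resources[p.resource_id] || [];
      const actions = p.actions.includes("*") ? declared : p.actions;
      if (!out[p.resource_id]) out[p.resource_id] = new Set();
      for (const a of actions) out[p.resource_id].add(a);
    }
  }
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, [...v].sort()]));
}

// Lint: report permissions that reference an undeclared Resource or an action
// the Resource does not allow. Useful if you mirror the policy in code or tests.
function validatePolicy(resources, policy) {
  const problems = [];
  for (const role of policy.roles) {
    for (const p of role.permissions) {
      const declared = resources[p.resource_id];
      if (!declared) {
        problems.push(`${role.role_id}: unknown resource "${p.resource_id}"`);
        continue;
      }
      for (const a of p.actions) {
        if (a !== "*" && !declared.includes(a)) {
          problems.push(`${role.role_id}: action "${a}" is not declared on "${p.resource_id}"`);
        }
      }
    }
  }
  return problems;
}

// Stand-alone demo: a reader may read but not delete; an admin may do anything.
console.log(isAuthorized(policy, ["reader"], "documents", "read"));
console.log(isAuthorized(policy, ["reader"], "documents", "delete"));
console.log(effectivePermissions(resources, policy, ["admin"]));
console.log(validatePolicy(resources, policy));
```

The design point worth keeping from this model is that there is no implicit grant anywhere: an empty Role list, an unrecognized Role id, or a Resource the policy never mentions all evaluate to denied, and only an explicit `*` widens a grant beyond the actions listed.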

## Set up your policy in the Dashboard

<Steps>
  <Step title="Create custom resources and actions">
    In the [RBAC Dashboard](https://stytch.com/dashboard/rbac), select **Resources** and **Create New Resource**. Define a `resource_id` and the list of actions allowed for that Resource.

    <img src="https://mintcdn.com/stytch-34ca0595/ujkFjtNfcCtlcK2E/images/consumer/from-old-docs/rbac-setup-create-resource.png?fit=max&auto=format&n=ujkFjtNfcCtlcK2E&q=85&s=5c7f2a2910adafc0b41a9d74d5d53957" alt="RBAC Resources in Stytch Dashboard" width="3000" height="1500" data-path="images/consumer/from-old-docs/rbac-setup-create-resource.png" />

    For example, a `documents` Resource might support `create`, `update`, `delete`, and `download`.

    <img src="https://mintcdn.com/stytch-34ca0595/ujkFjtNfcCtlcK2E/images/consumer/from-old-docs/rbac-setup-new-resource.png?fit=max&auto=format&n=ujkFjtNfcCtlcK2E&q=85&s=9f3f00560bbe5e9931fe05bd7e67e282" alt="RBAC Resources in Stytch Dashboard" width="3000" height="1812" data-path="images/consumer/from-old-docs/rbac-setup-new-resource.png" />
  </Step>

  <Step title="Assign permissions to roles">
    Navigate to **Roles**. You’ll see a default Role:

    * **`stytch_user`**: automatically assigned to all Users and grants basic permissions like updating their own name.

    You can edit this Role or create custom Roles. When you add permissions to a Role, select a Resource and choose which actions it grants.

    <img src="https://mintcdn.com/stytch-34ca0595/ujkFjtNfcCtlcK2E/images/consumer/from-old-docs/rbac-setup-assign-permissions.png?fit=max&auto=format&n=ujkFjtNfcCtlcK2E&q=85&s=f2eb29cab594bbc825aae5a2f073fa4b" alt="RBAC Grant Subset of Permissions" width="3000" height="1500" data-path="images/consumer/from-old-docs/rbac-setup-assign-permissions.png" />

    To grant all actions for a Resource, use the wildcard action `*`.

    <img src="https://mintcdn.com/stytch-34ca0595/ujkFjtNfcCtlcK2E/images/consumer/from-old-docs/rbac-setup-wildcard-permissions.png?fit=max&auto=format&n=ujkFjtNfcCtlcK2E&q=85&s=20ad21f9f7a10eaa81d4fa0177b04231" alt="RBAC Wildcard Actions Grant" width="3000" height="1500" data-path="images/consumer/from-old-docs/rbac-setup-wildcard-permissions.png" />
  </Step>

  <Step title="Implement backend RBAC checks">
    Add server-side authorization checks before honoring requests. See the [backend enforcement guide](/consumer-auth/authorization/enforcing-permissions).
  </Step>

  <Step title="Add frontend RBAC handling">
    Use the frontend SDKs to gate UI. See the [frontend authorization section](/consumer-auth/authorization/enforcing-permissions).
  </Step>
</Steps>

## What's next

* [Assign roles to users](/consumer-auth/authorization/assigning-roles-to-users)
* [Enforce permissions](/consumer-auth/authorization/enforcing-permissions)
