
---

# 🛡️ Scopes, RBAC & Permissions

> **Intent** → Control *who* can access *what* by attaching roles/scopes to tokens and checking them per route.

---

## 🎯 Scopes

* Represent **fine-grained capabilities** (e.g., `read:users`, `write:orders`)
* Declared in JWT claims → validated at request time
* Routes define **required scopes** → enforce automatically

---

## 🧩 RBAC (Role-Based Access Control)

* Users belong to **roles** (admin, editor, viewer)
* Roles map to **sets of scopes**
* Easier to manage at scale than assigning scopes one by one

---

## 🔐 Permissions

* **Scopes = technical abilities**
* **Permissions = business rules** (who *should* have them)
* Example:

  * Scope → `delete:project`
  * Permission → only project owner or admin role can use it

---

## ⚖️ Best Practices

* Grant **least privilege** → minimal scopes per role
* Keep **role-to-scope mapping** centralized (policy module/service)
* Audit regularly: remove unused roles/scopes
* Support **hierarchies** (admin includes editor, etc.) if org needs it

---

## 🧪 Testing Access

* Unit tests with **fake users** carrying different scopes/roles
* Contract tests to verify **403s are enforced** consistently
* Simulate escalation attempts to catch leaks

---

## 🏁 Outcome

Your API enforces **least privilege**, ensures **clear separation of roles vs capabilities**, and keeps authorization **predictable, auditable, and testable**.

---
