Role-based access control (RBAC) is the authorization backbone of every multi-user SaaS application. Done right, it lets you enforce security policies, enable self-service team management, and gate features by license tier — all without custom code for each customer. Done wrong, it becomes a maintenance nightmare that blocks every feature release. This guide covers the architecture, implementation patterns, and integration with license management that production SaaS applications need.
Why RBAC for SaaS?
SaaS applications have authorization requirements that traditional RBAC doesn't fully address:
- Multi-tenancy — A user might be an admin in Organization A but a viewer in Organization B
- License-gated features — Permissions depend not only on role but also on which plan the organization has purchased
- Self-service management — Org admins must manage their own users and roles without contacting your support team
- API + UI enforcement — The same permissions must be enforced in both the web interface and the API
- Audit requirements — Enterprise customers need detailed logs of who did what and when
RBAC Architecture for SaaS
The Three Layers
| Layer | Controls | Example |
|---|---|---|
| 1. Authentication | Who is this user? | JWT token, session cookie |
| 2. Authorization (RBAC) | What can this user do? | Role = "editor" can create/update but not delete |
| 3. Entitlement | What has this org paid for? | License tier gates "advanced analytics" feature |
Most SaaS applications implement layers 1 and 2 but ignore layer 3, leading to feature access inconsistencies when customers upgrade or downgrade plans.
Permission Model
// Define permissions as resource:action pairs
const permissions = {
'licenses:read': 'View license keys and status',
'licenses:create': 'Generate new license keys',
'licenses:revoke': 'Revoke active licenses',
'analytics:read': 'View usage analytics',
'analytics:export': 'Export analytics data',
'team:manage': 'Invite/remove team members',
'billing:manage': 'Update payment and plan',
'webhooks:configure': 'Set up webhook endpoints',
'api-keys:manage': 'Create/rotate API keys'
}
// Map roles to permission sets
const roles = {
owner: Object.keys(permissions),
admin: ['licenses:*', 'analytics:*', 'team:manage', 'webhooks:configure', 'api-keys:manage'],
developer: ['licenses:read', 'licenses:create', 'analytics:read', 'api-keys:manage'],
analyst: ['licenses:read', 'analytics:read', 'analytics:export'],
viewer: ['licenses:read', 'analytics:read']
}Role Hierarchy
SaaS roles typically follow a hierarchy where higher roles inherit all permissions from lower ones:
// Role hierarchy: Owner > Admin > Developer > Analyst > Viewer
const roleHierarchy = {
owner: 5,
admin: 4,
developer: 3,
analyst: 2,
viewer: 1
}
// Check: can this user perform this action?
const canPerform = (userRole, requiredRole) =>
roleHierarchy[userRole] >= roleHierarchy[requiredRole]Multi-Tenant RBAC
In multi-tenant SaaS, a user's role is scoped to an organization. The same user can have different roles in different organizations:
// User membership model
interface OrgMembership {
userId: string
orgId: string
role: 'owner' | 'admin' | 'developer' | 'analyst' | 'viewer'
invitedBy: string
joinedAt: string
}
// Authorization check: always scope to the current org
const authorize = (user, orgId, permission) => {
const membership = user.memberships.find(m => m.orgId === orgId)
if (!membership) return false
return roles[membership.role].includes(permission)
}Integrating RBAC with License Tiers
The most powerful pattern combines role permissions with license-based feature flags:
// Combined RBAC + entitlement check
const canAccess = async (user, orgId, feature) => {
// Step 1: Does the user's role allow this?
const hasPermission = authorize(user, orgId, feature)
if (!hasPermission) return { allowed: false, reason: 'insufficient_role' }
// Step 2: Does the org's license include this feature?
const license = await to.validate({
licenseKey: org.licenseKey,
feature: feature
})
if (!license.valid) return { allowed: false, reason: 'upgrade_required' }
return { allowed: true }
}This ensures that even an org admin can't access features the organization hasn't paid for, while a viewer can't access features even if the org has them.
Implementation Best Practices
- Enforce at the API layer — UI can hide buttons, but the API must reject unauthorized requests. Never rely on frontend-only enforcement
- Use middleware — Don't sprinkle permission checks across handlers. Use a centralized authorization middleware
- Log everything — Record every permission check, especially denials. Enterprise customers need this for audits
- Default to deny — If a permission isn't explicitly granted, it's denied. Never default to allow
- Test permission boundaries — Write tests that verify a viewer can't create, an analyst can't delete, and a developer can't manage billing
- Support custom roles — Enterprise customers will want to define their own roles. Plan for this from the start
Common Mistakes
- Hardcoding roles in application logic — Use a permission matrix, not if/else chains for role names
- Forgetting API key authorization — API keys should have the same role/permission scoping as user sessions
- No org-scoping — A user who is admin in Org A should not see data from Org B
- Over-granular permissions — 200 individual permissions creates UX complexity. Group permissions into logical bundles
License-Aware Access Control
Traffic Orchestrator combines license validation with feature flags, giving you the building blocks for RBAC that respects both user roles and plan entitlements.
See PlansShip licensing in your next release
5 licenses, 500 validations/month, full API access. Set up in under 5 minutes — no credit card required.