RBAC grants access based on the user's role — simple, fast, suitable for job-function-based permissions. ABAC grants access based on attributes of the user, the resource, and the environment — more expressive but more complex. Use RBAC for most B2B SaaS and admin panels; use ABAC for document ownership, multi-tenant apps, and healthcare systems.
RBAC — simple to implement and reason about; roles are stable and cacheable in the JWT.
ABAC — expressive; handles ownership, context, and environment conditions.
RBAC limitation: role explosion — too many roles are needed to express fine-grained rules (one role per combination of resource, condition, and action).
ABAC limitation: complexity; requires careful policy design and often a database lookup per request.
CASL is the most popular ABAC library in the NestJS ecosystem — integrates well with TypeORM and Mongoose.
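The contrast above in code, as an added example that is not part of the original note and uses no library (CASL would express the same predicates as ability rules). The `User`, `Doc` and `Env` types, the role table and the policies are all constructed for illustration; the ABAC rules cover the three cases the note lists: ownership, tenant isolation, and an environment condition.

```typescript
type Role = "admin" | "editor" | "viewer";
type Action = "read" | "update" | "delete";

// Constructed types standing in for the application's own models.
interface User { id: string; tenantId: string; roles: Role[]; }
interface Doc { id: string; tenantId: string; ownerId: string; status: "draft" | "published"; }
interface Env { hour: number; } // environment attribute, e.g. local hour of the request

// RBAC: a static role -> permitted-actions table. Cheap and cacheable in the JWT,
// but it cannot say "only the owner" or "only during business hours" without
// minting a new role for every such combination (role explosion). Note that roles
// cached in a token stay authoritative until the token expires.
const rolePermissions: Record<Role, Action[]> = {
  admin: ["read", "update", "delete"],
  editor: ["read", "update"],
  viewer: ["read"],
};

function rbacCan(user: User, action: Action): boolean {
  return user.roles.some((role) => rolePermissions[role].includes(action));
}

// ABAC: policies are predicates over user, resource and environment attributes.
// Every rule is a grant; anything not granted is denied.
type Policy = (user: User, doc: Doc, env: Env) => boolean;

const policies: Record<Action, Policy[]> = {
  // Same-tenant users may read published documents; owners may also read their drafts.
  read: [(u, d) => u.tenantId === d.tenantId && (d.status === "published" || d.ownerId === u.id)],
  // Only the owner may update, and only while the document is still a draft.
  update: [(u, d) => u.tenantId === d.tenantId && d.ownerId === u.id && d.status === "draft"],
  // Tenant admins may delete, but only during business hours (environment condition).
  delete: [(u, d, e) => u.tenantId === d.tenantId && u.roles.includes("admin") && e.hour >= 9 && e.hour < 17],
};

function abacCan(user: User, action: Action, doc: Doc, env: Env): boolean {
  // The tenantId comparison in every rule is what keeps one tenant's admin
  // from acting on another tenant's documents in a multi-tenant app.
  return policies[action].some((policy) => policy(user, doc, env));
}
```

Adding a "can update only own drafts" rule to the ABAC table is one line; expressing it in RBAC needs a new role per owner-and-status combination, which is the role explosion the note describes.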