Combine RBAC with ABAC
RBAC is typically done at design time. It’s best practice to keep roles separate from their definitions, which are expressed as access rights. RBAC information is carried in JSON Web Tokens. ABAC is used for fine-grained authorization and is performed at run time.
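An added example (not from the original page) of the combination described above: the token carries only role names, a server-side table defines each role's access rights, and an attribute check runs on every request. The role names, rights, claim names (roles, department) and resource fields are assumptions made for illustration, and the HS256 helpers stand in for a JWT library.

```python
import base64, hashlib, hmac, json

# Role definitions live server-side, separate from the role names in the token.
ROLE_DEFINITIONS = {
    "clerk": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:approve"},
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Build a constructed sample token (HS256) for the demo."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_hs256(token, key, now):
    """Return the claims only if algorithm, signature and expiry check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: fail closed

def authorize(claims, action, resource):
    """RBAC gate from the token's roles, then ABAC on run-time attributes."""
    if claims is None:
        return False
    rights = set()
    for role in claims.get("roles", []):
        rights |= ROLE_DEFINITIONS.get(role, set())  # unknown roles grant nothing
    if action not in rights:
        return False  # coarse-grained RBAC decision
    # Fine-grained ABAC: compare subject and resource attributes per request.
    if resource["department"] != claims.get("department"):
        return False
    if action == "invoice:approve" and resource["created_by"] == claims.get("sub"):
        return False  # nobody approves their own invoice
    return True
```

Because the token names roles rather than rights, changing what a role may do is a change to ROLE_DEFINITIONS only and takes effect without reissuing tokens.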