RBAC assigns permissions based on roles (admin, user, editor). Users get roles, roles have permissions. Middleware checks if the user's role has the required permission for each route.