Storage location of variables and user attributes

I'm playing with RBAC for an external app, and to that end I'm curious to know if variables or user attributes are stored server side.

I'm thinking of using variables or user attributes to disable/hide components.

Also open to other approaches to RBAC.

Hey @ferret141,

I think this is a good approach.

Attributes are secure by default: bad actors cannot spoof data passed into queries that reference attributes.

From docs

I've done RBAC using attributes and I'm quite happy with it.

Agree with @MiguelOrtiz that user attributes are the more secure option, for the reasons mentioned above. :+1:


Confirming for my peace of mind. My understanding is that:

User attributes are fed into queries and workflows server-side.

For anything initiated client-side, spoofing checks are done against the user attribute values sent in.

This includes the hiding/disabling of components.

However, no checks are done against variables. But are they ever stored client-side?

It looks like I don't have access to the User API on the Business plan to set the attributes dynamically.

Any recommendations?

Thanks

Yes - the values of the user attributes referenced within a query are validated server-side in order to prevent spoofing. :+1:

There is a separate set of endpoints specifically for interacting with user attributes that is accessible on a Business plan.

@Darren, no success unfortunately :slightly_frowning_face:

Is our account stuck in some legacy mode?

It looks like you're trying to hit one of the User endpoints, which is scoped to Enterprise plans. You can see documentation on the specific User Attributes endpoints here.
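
An added example, not part of the thread and not the platform's own code: a generic model of the difference discussed above between a role held in a client-side variable and a role stored as a server-side user attribute. The session ids, attribute names and handler functions are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data: user attributes as stored server-side, keyed by session.
const STORED_ATTRIBUTES = {
  "sess-alice": { email: "alice@example.test", role: "viewer" },
  "sess-bob": { email: "bob@example.test", role: "admin" },
};

// Weak pattern: the role is read from a client-held variable in the request body.
// Whatever the browser sends is believed, so hiding a button is the only "control".
function deleteRecordTrustingClient(request) {
  if (request.body.role !== "admin") return { status: 403 };
  return { status: 200, deleted: request.body.recordId };
}

// Stronger pattern: the role is looked up from server-side state, and any
// attribute values the client sent along are compared against the stored ones.
function deleteRecordServerChecked(request) {
  const stored = STORED_ATTRIBUTES[request.sessionId];
  if (!stored) return { status: 401 };
  const claimed = request.body.attributes || {};
  for (const [key, value] of Object.entries(claimed)) {
    if (stored[key] !== value) {
      return { status: 400, error: `attribute mismatch: ${key}` };
    }
  }
  if (stored.role !== "admin") return { status: 403 };
  return { status: 200, deleted: request.body.recordId };
}

// Constructed request: a viewer whose client-side state was edited to say "admin".
const tampered = {
  sessionId: "sess-alice",
  body: { recordId: 7, role: "admin", attributes: { role: "admin" } },
};
console.log(deleteRecordTrustingClient(tampered)); // accepted by the weak handler
console.log(deleteRecordServerChecked(tampered));  // rejected by the checked handler
```

Hiding or disabling a component covers only the user interface; the decision that counts is the one the server makes when the query or workflow runs.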