I'm playing with RBAC for an external app, and to that end I'm curious to know if variables or user attributes are stored server side.
I'm thinking of using variables or user attributes to disable/hide components.
Also open to other approaches to RBAC.
Hey @ferret141,
I think this is is a good approach.
Attributes are secure by default: bad actors cannot spoof data passed into queries that reference attributes.
From docs
I've done RBAC using attributes and I'm quite happy with it.
Agree with @MiguelOrtiz that user attributes are the more secure option, for the reasons mentioned above. 
Confirming for my peace of mind. My understanding is that:
User attributes are fed into queries and workflows server-side.
For anything initiated client-side, spoofing checks are done against the user attribute values sent in.
This includes the hiding/disabling of components.
However, no checks are done against variables. But are they ever stored client-side?
It looks like I don't have access to the User API on the Business plan to set the attributes dynamically.
Any recommendations?
Thanks
Yes - the value of the user attributes referenced within a query are validated server-side in order to prevent spoofing.
There is a separate set of endpoints specifically for interacting with user attributes that is accessible on a Business plan.
It looks like you're trying to hit one of the User endpoints, which is scoped to Enterprise plans. You can see documentation on the specific User Attributes endpoints here.
Aha. After hitting the right endpoint and cracking my head with some JSON I'm able to update user attributes.
However I've hit a new hurdle. How do I get the user sid to be able to update their attributes?
The short answer is that there's not currently a simple solution without being on an Enterprise plan. I've already documented a feature request internally, but there's a decent workaround you can read about here.
Have you had a chance to do more work on this, @ferret141? Let me know if you have any additional questions!
Not yet, but eager to look at it soon as I've noticed slow query behaviour on another app.
