🦅 NestJS Intermediate

How do you implement role-based access control (RBAC) in NestJS?

Answer

RBAC in NestJS combines custom decorators and guards.

Step 1: Create a decorator that sets the required-roles metadata:
    export const Roles = (...roles: Role[]) => SetMetadata('roles', roles);

Step 2: Create a RolesGuard that reads this metadata and then checks req.user.roles:
    const requiredRoles = this.reflector.getAllAndOverride<Role[]>('roles', [context.getHandler(), context.getClass()]);

Step 3: Apply globally or per-route:
    @Roles(Role.Admin)
    @UseGuards(JwtAuthGuard, RolesGuard)
    @Delete('/:id')

The JWT guard runs first (sets req.user), then the roles guard checks permissions. This pattern is clean, declarative, and easily testable.