Authentication and RBAC constitute an entire application in their own right, one that requires dedicated resources and would be difficult to get right as part of an open-source product. To implement it properly and secure all services, this mechanism would need to apply not only at the UI layer but also at the API, backend database, and network layers. We also wouldn’t want to release any half-baked Auth/RBAC solutions that don’t meet our standards for using Prefect in production environments. Therefore, Auth and RBAC are out of scope for the open-source version at this time.
We generally recommend that open-source users who are not on Cloud deploy their Orion server only in environments they control, locked down at the network level. In our experience, most users who require Auth and RBAC switch to the Cloud product.
Also, check out the comment from Jeremiah from April 2020 - this comment is still valid for Prefect 2.0: