-
Notifications
You must be signed in to change notification settings - Fork 4
Role‐Based Access Control (RBAC) Explained
Role-Based Access Control (RBAC) is a method of restricting system access to authorized users based on their roles within an organization. It's a fundamental security principle that ensures users can only access the information and functionality they need to do their jobs.
A role is a collection of permissions that defines what actions a user can perform and what resources they can access. Roles typically align with job functions or responsibilities.
- Users: Individuals who need access to the system
- Roles: Collections of permissions assigned to users
- Permissions: Specific operations that can be performed on resources
- Resources: The data, functions, or features being protected
| Model | Description | Best For |
|---|---|---|
| RBAC | Access based on user roles | Most business applications |
| ABAC (Attribute-Based) | Access based on user/resource attributes | Complex, dynamic environments |
| DAC (Discretionary) | Resource owners control access | Simple sharing scenarios |
| MAC (Mandatory) | System-enforced access based on sensitivity | High-security environments |
-
Identify roles: Analyze your organization's structure and define relevant roles
- Common roles: Admin, Manager, Editor, Viewer, Guest
-
Define permissions: Determine what actions users can perform
- Create, Read, Update, Delete (CRUD) operations
- Administrative functions
- Special operations (approve, publish, etc.)
-
Map roles to permissions: Create a role-permission matrix
- Which roles can perform which actions on which resources
-
Assign users to roles: Connect users to their appropriate roles
- Users can have multiple roles if needed
Implement hierarchical roles to simplify management:
SuperAdmin
└── Admin
└── Manager
└── Editor
└── Viewer
With hierarchical roles, permissions cascade down - a higher role inherits all permissions of roles below it.
Using PostgreSQL Row-Level Security (RLS):
-- Create roles table
CREATE TABLE roles (
role_id SERIAL PRIMARY KEY,
role_name TEXT NOT NULL UNIQUE
);
-- Create user_roles table
CREATE TABLE user_roles (
user_id INTEGER REFERENCES users(id),
role_id INTEGER REFERENCES roles(role_id),
PRIMARY KEY (user_id, role_id)
);
-- Enable RLS on a table
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Create policies
CREATE POLICY admin_policy ON documents
FOR ALL TO admin_role USING (true);
CREATE POLICY viewer_policy ON documents
FOR SELECT TO viewer_role USING (true);
CREATE POLICY editor_policy ON documents
FOR UPDATE TO editor_role USING (owner_id = current_user_id());
// Middleware to check user roles
function checkRole(roles) {
return (req, res, next) => {
const userRoles = req.user.roles || [];
// Check if user has any of the required roles
const hasPermission = roles.some(role => userRoles.includes(role));
if (!hasPermission) {
return res.status(403).json({
error: 'Access denied. Insufficient permissions.'
});
}
next();
};
}
// Apply to routes
app.get('/api/users',
authenticate,
checkRole(['admin', 'manager']),
userController.listUsers
);
app.post('/api/content',
authenticate,
checkRole(['editor', 'admin']),
contentController.createContent
);
// Role-based component rendering
function Dashboard() {
const { user } = useAuth();
const userRoles = user?.roles || [];
const isAdmin = userRoles.includes('admin');
const isEditor = userRoles.includes('editor');
return (
<div className="dashboard">
<h1>Dashboard</h1>
{/* All users can see this */}
<ContentList />
{/* Only editors and admins can see this */}
{(isEditor || isAdmin) && (
<CreateContentButton />
)}
{/* Only admins can see this */}
{isAdmin && (
<AdminPanel />
)}
</div>
);
}
- Assign users the minimum permissions necessary for their job
- Regularly review and revoke unnecessary permissions
- Create specialized roles for specific tasks rather than using generic roles
- Role explosion: Avoid creating too many roles
- Role review: Regularly audit role assignments
- Temporary access: Implement time-limited role assignments
- Separation of duties: Ensure critical functions require multiple roles
- Overprivileged default roles: Starting with too many permissions
- Static roles: Not adapting roles as the application evolves
- Inconsistent enforcement: Bypassing RBAC in certain areas
- Poor role naming: Unclear role names leading to confusion
- Insufficient logging: Not tracking role-based actions
- Test access to resources without proper roles
- Verify that role changes take effect immediately
- Check for privilege escalation opportunities
- Audit role assignments regularly
- Test role inheritance and hierarchies
- NIST RBAC Standard
- OWASP Access Control Cheat Sheet
- AWS IAM Best Practices (good RBAC implementation example)
Role-Based Access Control (RBAC) is a method of restricting system access to authorized users based on their roles within an organization. It's a fundamental security principle that ensures users can only access the information and functionality they need to do their jobs.
A role is a collection of permissions that defines what actions a user can perform and what resources they can access. Roles typically align with job functions or responsibilities.
- Users: Individuals who need access to the system
- Roles: Collections of permissions assigned to users
- Permissions: Specific operations that can be performed on resources
- Resources: The data, functions, or features being protected
| Model | Description | Best For |
|---|---|---|
| RBAC | Access based on user roles | Most business applications |
| ABAC (Attribute-Based) | Access based on user/resource attributes | Complex, dynamic environments |
| DAC (Discretionary) | Resource owners control access | Simple sharing scenarios |
| MAC (Mandatory) | System-enforced access based on sensitivity | High-security environments |
-
Identify roles: Analyze your organization's structure and define relevant roles
- Common roles: Admin, Manager, Editor, Viewer, Guest
-
Define permissions: Determine what actions users can perform
- Create, Read, Update, Delete (CRUD) operations
- Administrative functions
- Special operations (approve, publish, etc.)
-
Map roles to permissions: Create a role-permission matrix
- Which roles can perform which actions on which resources
-
Assign users to roles: Connect users to their appropriate roles
- Users can have multiple roles if needed
Implement hierarchical roles to simplify management:
SuperAdmin
└── Admin
└── Manager
└── Editor
└── Viewer
With hierarchical roles, permissions cascade down - a higher role inherits all permissions of roles below it.
Using PostgreSQL Row-Level Security (RLS):
-- Create roles table
CREATE TABLE roles (
role_id SERIAL PRIMARY KEY,
role_name TEXT NOT NULL UNIQUE
);
-- Create user_roles table
CREATE TABLE user_roles (
user_id INTEGER REFERENCES users(id),
role_id INTEGER REFERENCES roles(role_id),
PRIMARY KEY (user_id, role_id)
);
-- Enable RLS on a table
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Create policies
CREATE POLICY admin_policy ON documents
FOR ALL TO admin_role USING (true);
CREATE POLICY viewer_policy ON documents
FOR SELECT TO viewer_role USING (true);
CREATE POLICY editor_policy ON documents
FOR UPDATE TO editor_role USING (owner_id = current_user_id());// Middleware to check user roles
function checkRole(roles) {
return (req, res, next) => {
const userRoles = req.user.roles || [];
// Check if user has any of the required roles
const hasPermission = roles.some(role => userRoles.includes(role));
if (!hasPermission) {
return res.status(403).json({
error: 'Access denied. Insufficient permissions.'
});
}
next();
};
}
// Apply to routes
app.get('/api/users',
authenticate,
checkRole(['admin', 'manager']),
userController.listUsers
);
app.post('/api/content',
authenticate,
checkRole(['editor', 'admin']),
contentController.createContent
);// Role-based component rendering
function Dashboard() {
const { user } = useAuth();
const userRoles = user?.roles || [];
const isAdmin = userRoles.includes('admin');
const isEditor = userRoles.includes('editor');
return (
<div className="dashboard">
<h1>Dashboard</h1>
{/* All users can see this */}
<ContentList />
{/* Only editors and admins can see this */}
{(isEditor || isAdmin) && (
<CreateContentButton />
)}
{/* Only admins can see this */}
{isAdmin && (
<AdminPanel />
)}
</div>
);
}- Assign users the minimum permissions necessary for their job
- Regularly review and revoke unnecessary permissions
- Create specialized roles for specific tasks rather than using generic roles
- Role explosion: Avoid creating too many roles
- Role review: Regularly audit role assignments
- Temporary access: Implement time-limited role assignments
- Separation of duties: Ensure critical functions require multiple roles
- Overprivileged default roles: Starting with too many permissions
- Static roles: Not adapting roles as the application evolves
- Inconsistent enforcement: Bypassing RBAC in certain areas
- Poor role naming: Unclear role names leading to confusion
- Insufficient logging: Not tracking role-based actions
- Test access to resources without proper roles
- Verify that role changes take effect immediately
- Check for privilege escalation opportunities
- Audit role assignments regularly
- Test role inheritance and hierarchies
- [NIST RBAC Standard](https://csrc.nist.gov/projects/role-based-access-control)
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
- [AWS IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) (good RBAC implementation example)