November 16, 2022
November 1, 2022
Role-Based Access Control (RBAC) is an authorization strategy for restricting access to protected resources. It simplifies permission assignment by grouping users into roles, and it is an important part of an overall cybersecurity strategy. However, many people making their first foray into RBAC have the same question: how should they handle roles in their code?
In this article, we are going to introduce a good way to implement RBAC in your application using Auth0.
Consider, as an example, an NFT platform with customers (collectors) who collect NFTs and creators who create NFTs and NFT collections. Different users of this platform have different permissions to view and change NFT collections. For example:
Role-Based Access Control helps with permission assignment by introducing the concept of a role: a collection of permissions. In the rest of this article we discuss RBAC in more depth and show how it can be used to apply levels of permission control over corporate resources and sensitive information.
Here is how you would use RBAC to control privileges in a system that supports collection management. Take, for example, a system that performs the following actions:
These actions represent the permissions available to the system's users. Based on business requirements, we group these permissions into the following roles:
An RBAC system lets us create roles that carry an associated set of access permissions to corporate resources. Once configured, system managers can assign users to these roles, and with them the associated set of permissions.
The most significant benefit of the RBAC strategy is the ability to group different permissions so that they can be assigned and revoked collectively. Changing the set of permissions in a role also changes the permissions of every user holding that role in one step. This decreases the effort involved in handling permissions in your system.
For example, suppose your business decides that creators should no longer be permitted to delete collections. In that situation, a system manager would remove the delete:collection permission from the Creator role. Users with the Creator role would still be able to view collections or create new ones, but would no longer be able to delete them.
Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. Using Auth0, the implementation of RBAC to manage role-based permissions is simplified. Let’s take a closer look.
For example, to secure your application's API with RBAC and Auth0 so that users with a given role can access the API while others cannot, you need to follow a simple recipe of only four steps:
Enable Role-Based Access Control (RBAC)
Create an API permission
Create a role
Add permissions to the role
We would like to emphasize again that one of the most significant benefits of the RBAC strategy is that it lets you group different permissions so that they can be assigned and revoked collectively.
For instance, if you decide that creators are no longer allowed to delete collections, you only need to remove the delete:collection permission from the Creator role.
Checking Permissions in Your Backend API
At this point, you've configured your API and created users with their respective roles on Auth0. Whenever a user logs in to one of your client applications, the Auth0 authorization server issues an access token in JSON Web Token (JWT) format that the client can use to make authenticated requests to an API server.
Because you enabled Auth0 Role-Based Access Control (RBAC) for the API, the access token includes a permissions claim listing all the permissions associated with the roles assigned to that user.
If you decode the access token, you should see a payload similar to the following:
To authorize incoming HTTP requests, your backend API must ensure the access token carries the necessary permissions. You can accomplish this by defining a middleware that extracts the permissions claim from the access token and checks it before the request reaches the protected resource. The following diagram illustrates this:
We hope this article has given you a clearer picture of Role-Based Access Control and how to implement it using Auth0. To dig deeper into Identity and Access Management (IAM), check out this amazing article: Intro to IAM.
Until next time, happy coding, folks!