How to implement RBAC with Permit.io
- Share:
Before we dive into the step-by-step tutorial, letās start with a short introduction -Ā
What is RBAC?
Role-based access control (RBAC), is an authorization model used to determine access control based onĀ predefined roles. Permissions are assigned to roles (Like āAdmin or āUserā), and roles are assigned to users by the administrator. This structure allows you to easily understand who has access to what.Ā
The combination ofĀ who (Which Identity, and what role are they assigned?) can doĀ what (What actions are they allowed to perform) with aĀ resource (On which aspects of the software) is called aĀ policy.
For example, a user with the role of "System Administrator" might be granted access to perform every available action on all the resources in the system, while a user with the role of "Guest" might only be granted access to perform very limited actions on a few specific resources.Ā
Having predefined roles makes it easier to manage access to resources since the administrator only needs to manage the roles rather than the individual permissions for each user.
Who needs RBAC?
RBAC provides a rather simple solution for controlling access to resources based on a predefined set of roles (Which can, for example, correlate with an individual's job function or responsibilities).Ā
RBAC is a perfectly balanced policy model (not too complex [like ABAC or ReBAC] and not too simple [like Admin/Non-Admin]), as a result, it has grown to be very popular and is the default model your customers are probably familiar with.
Implementing RBAC can help ensure that only authorized users have access to sensitive resources and also make it easier to manage and revoke access as one's role and responsibilities within the organization change.
Using RBAC can help to improve security by making it more difficult for unauthorized users to gain access to resources and improve efficiency by reducing the need for manual assignment of access per individual user.
Example RBAC policy -
Say we are managing a Blog. In our blog, we have three different users, each requiring a different set of permissions -Ā
1. The system administrator, who manages the entire system
2. A person writing an article needs to be able to create new entries
3. A person who can edit existing content but shouldnāt be able to create new entries
In this example, we can divide these three users into threeĀ roles:Ā
AnĀ Admin, aĀ Writer, and anĀ Editor.Ā
These roles will be able to performĀ actions on the differentĀ resources within our blog.Ā
A resource, in this case, will be aĀ blog post.Ā
The next question we have to ask ourselves is, āWhichĀ action can each of these users perform on the blog-postĀ resource?āĀ
In this example, we can define actions such asĀ Create,Ā Edit,Ā Delete, andĀ View.Ā
If we try and define this policy in simple English, it would look something like this:
TheĀ Admin canĀ Create,Ā Edit,Ā Delete andĀ View theĀ Blog Post
TheĀ Writer canĀ Create,Ā Edit, andĀ View theĀ Blog Post
TheĀ Editor canĀ Edit andĀ View theĀ Blog PostĀ
Why use Permit?
Permit allows setting up and managing all of our application-level RBAC roles in a unified user interface, saving you the time of having to develop such a system from scratch, so you can focus on the actual cool and unique features of our application.
Permit also allows you to embed parts of its UI as components within your application usingĀ Permit Elements, thus propagating permission management (User management, Audit logs, etc.) functionality to other stakeholders - tackling the complex challenge of Authorization-for-Authorization.Ā
ā Learn more about the benefits of setting up RBAC with Permit.io here
Letās get down to it!
Step 1: Onboarding
Go toĀ https://app.permit.io/
Register and log in. Permit is free to use up toĀ 1K MAU .Ā
Follow the onboarding process step by step (The purpose of the onboarding is to help you set up basic RBAC - in this article, we aim to give you a more detailed dive into this setup).Ā
The first screen of the onboarding process
- Once you reach the last screen of the onboarding process, you will be asked to connect your application to Permit. Letās quickly go over how thatās done -Ā
Step 2: Connecting your applicationĀ
In the last screen of the onboarding process, you will be asked to connect your application to Permit. To achieve that, follow the instructions on the screen. You will need to perform three actions:
Select the programming language which is relevant to your application.Ā
Deploy a PDP (Policy Decision Point) image to your application via ādocker pullā.Ā
The PDP stores information about all the rules and permissions, and it resides on the client's server (You can learn more about the PDP here).Add the SDK to your code (In your relevant coding language).Ā
A detailed explanation of this process can be foundĀ here.Ā
Connecting a Node.js app instruction screen
Once our application is connected, we can continue to the setup step.Ā
Creating and Mapping Roles, Actions, and Resources
Letās do a quick recap of the three terms we will be dealing with here. Going back to our example, we are going to -
Setup threeĀ roles - Admin, Writer, and Editor
Set up a Blog PostĀ resource.
Add four possible actions these roles can perform - Create, Edit, Delete, and View.
ā Letās dive right in.
Step 3: Creating a resource, defining actionsĀ
Resources, roles, and actions are managed on the policy page.Ā
Go to theĀ āPolicyā page in the menu bar on your left.
Click āCreateā and select āResourceā
Name your resource - in this example, letās name itĀ Blog Post.
- In the āActionsā panel, define the actions that can be performed on the resource - in this example:Ā Create,Ā Edit,Ā Delete, andĀ View.
- Finalize by clicking āSave Resource.āĀ
We now have our first resource and the actions which can be performed on it! Nice!
Note: You can remove the sample ādocumentā resource which was created during the onboarding - we wonāt be needing it.Ā
ā Step 4: Creating rolesĀ
Now that we have our resources and actions set up, we can add new roles.Ā
Click āCreateā and selectĀ āRoleā
Give the role a name - In the case of this example,Ā āWriterā (As we already have an Admin from the onboarding).Ā
Repeat the process to create anĀ āEditorā role as well.Ā
We now have our roles set up!Ā
Notice resources and actions are automatically propagated between the differentĀ roles.Note: You can provide a short description for each role to give other users a better understanding of the definition of each role.Ā
Step 5: Add actual users to the roles you set up
Now that you have RBAC, it's time to assign these roles to actual users. This is done through the āUser Management screen.Ā
Go to theĀ āUsersā page in the menu bar on your left.
ClickĀ āNew Userā and fill in the user details: email, first name, last name, and pick the roles you want to assign to the new user.Ā
Assign the required roles to the newly created user. Note that each user can be assigned several roles.Ā
Click āCreate User, and youāre done!
Note: The email field you fill in will serve as theĀ unique user key. It doesnāt have to be a real operational email address as long as it's unique.Ā
Step 6: Adding enforcement points - Permit.check()
Once your Roles, resources, and actions are defined, Permit has created the policies that correspond to them. Now that we have our policies, you can set up enforcement points within your app at the points where permissions need to be checked. To do that -Ā
Go to a point within your appās code that requires a permission check.
Add this code snippet:Ā
const permitted = await permit.check("john@permit.io", "create", "document");
The permit.check function requires three parameters to be passed - aĀ unique user key that exists within Permit, the action thatās being performed, and the resource that action is being performed on. The result of the permit.check will be a boolean that you can reference in your code logic to perform functions based on the outcome of the permission check.Ā
if (permitted) { Ā Ā Ā Ā console.log("User is PERMITTED to create a document"); } else { Ā Ā Ā Ā console.log("User is NOT PERMITTED to create a document"); }
Step 7: Set the permissions for each roleĀ
Now that everything is set up, it's as easy as checking a box.Ā
Select the relevant actions for each roleĀ
Click āSave ChangesāĀ
Once the changes have been saved, they should come into effect in your application instantaneously.Ā
Thatās it! You have an active RBAC system set up in your application.Ā
FYI:Ā The policies generated via the Permit UI are all generated asĀ Rego code, which you can manage via your own Git Repository. If you want us to set that up for you -Ā let us know!
Step 8 (Optional): Adding users through the SDK / API
While you can create users with the UI dashboard, Permit also allows you to perform any action through the API. On top of that, you can use any of theĀ multiple SDKs that abstract from the complexity of the API.Ā
A detailed explanation of creating users with the APIĀ can be found here.
An explanation about creating users with the Node.JS SDKĀ is available here.Ā
You can find theĀ rest of the SDKs here.Ā
Summary
In this tutorial, we learned what role-based access control (RBAC) is, why someone would want to use it, and how it can be implemented by using Permit.io - Including creating Roles, Actions, and Resources and mapping permissions to them accordingly.Ā
Having trouble setting this up? Have any additional questions? Want to share a cool project youāve built using this? Let us know in ourĀ Slack community.
Written by
Shuvy Ankor
Full-stack Core Team Developer@ Permit.io