Role-Based Access Control (RBAC)

This guide covers implementing Role-Based Access Control (RBAC) using Root Security to manage permissions in your application.

Understanding RBAC

RBAC is an approach to restricting system access based on the roles of individual users within your organization:

• Users: Individual accounts that authenticate to your application
• Roles: Collections of permissions that define what actions are allowed
• Permissions: Specific operations that can be performed on resources

With RBAC, instead of assigning permissions directly to users, permissions are assigned to roles, and users are assigned to roles.

Implementing RBAC with Root Security

Step 1: Define Your Permissions

First, define the permissions that represent actions in your application:

1. Log in to the Root Security Dashboard
2. Navigate to Authorization > Permissions
3. Click Create Permission
4. Define permissions in the format resource:action (e.g., documents:read, users:delete)

Step 2: Create Roles

Group permissions into logical roles:

1. Navigate to Authorization > Roles
2. Click Create Role
3. Provide a name and description (e.g., "Content Editor")
4. Assign permissions to the role
5. Save the role

Common examples include:

• Admin: Full system access
• Editor: Can create and modify content
• Viewer: Read-only access
• Manager: Can manage users and settings

Step 3: Assign Roles to Users

Assign appropriate roles to users:

1. Navigate to Users
2. Select a user
3. Under the Roles tab, assign roles
4. Save changes

Step 4: Verify Permissions in Your Application

JavaScriptPython

// Example: Check if user has permission to edit documents
function canEditDocument(user) {
  // Check if user has the specific permission
  if (user.permissions.includes('documents:edit')) {
    return true;
  }

  // Or check if user has a role with the permission
  const hasEditorRole = user.roles.some(role => 
    ['admin', 'editor'].includes(role)
  );

  return hasEditorRole;
}

# Example: Check if user has permission to edit documents
def can_edit_document(user):
    # Check if user has the specific permission
    if 'documents:edit' in user.permissions:
        return True

    # Or check if user has a role with the permission
    editor_roles = ['admin', 'editor']
    has_editor_role = any(role in editor_roles for role in user.roles)

    return has_editor_role

Advanced RBAC Features

Hierarchical Roles

Root Security supports role inheritance, where one role can include all permissions from another role:

1. Navigate to Authorization > Roles
2. Select a role
3. Under Inherit From, select parent roles
4. Save changes

Example hierarchy: - Admin (all permissions) - Content Manager (content permissions) - Content Editor (edit permissions) - Content Viewer (view permissions)

Dynamic Permissions

Use attribute-based rules to create dynamic permissions:

{
  "permission": "documents:edit",
  "rule": {
    "department": "document.department === user.department"
  }
}

This rule would allow users to edit documents only if they belong to the same department.

Best Practices

• Principle of Least Privilege: Assign users the minimum permissions needed
• Regular Audits: Review and update roles and permissions regularly
• Role Naming Conventions: Use clear, consistent naming conventions
• Documentation: Document the purpose of each role and its permissions
• Group Roles: For large organizations, consider using groups to assign roles to multiple users

Next Steps

• Learn about Permission Management for more granular control
• Implement Attribute-Based Access Control for dynamic permissions
• Set up Role-Based UI to show/hide UI elements based on permissions