Understanding Roles-Based Access Control (RBAC)

Written by supertokens.io | Published 2022/11/03
Tech Story Tags: rbac | authorization | authentication | security | open-source | good-company | roles-based-access-control | cybersecurity

TLDRRoles-based access control (RBAC) is a security approach that uses roles to define what a user is and isnā€™t allowed to do. In a RBAC system, users are assigned roles with varying permissions for different resources, including files, databases, and applications.via the TL;DR App

by Supertokens Team

Roles-based access control (RBAC) is a security approach that uses roles to define what a user is and isnā€™t allowed to do. In a RBAC system, users are assigned roles with varying permissions for different resources, including files, databases, and applications.

So, when a user tries to access a resource, the system will first find the roles associated with the user and then check if any of the roles have the appropriate permission. If so, the user is allowed to access the resource. If not, the user is denied access.

For our example, weā€™ll be building a sample blogging app.

First, we have aĀ regular-userĀ role. Weā€™ll want to allowĀ regular-users to read all blog posts, but only edit or delete posts created by them.

On the other hand, we create anĀ adminĀ role that allowsĀ admins to create, edit, and delete all blog posts.

So if a user with only theĀ regular-userĀ role tried to edit a blog post by another user, our system would see that theĀ regular-userĀ role doesnā€™t have the permission to edit that blog post and deny the request.

RBAC vs. ABAC?

Attribute-based access control (ABAC) is another approach that assigns permissions based on user attributes, resource attributes, and environment attributes. For example, a design file can be restricted to only users that have designer in their title and accessed on weekdays.

While ABAC gives finer granularity over access to different resources, RBAC wins out on the ease of implementation. The initial setup cost of RBAC is magnitudes lower than ABAC.

With RBAC, companies have a straightforward method for grouping users with similar access needs and then assigning permissions to those groups.

With ABAC, companies must first define variables and configure different attribute-based rules, which can be a cumbersome process.

Advantages of RBAC

Easy to understand: Because of its intuitive structure, the underlying business logic with RBAC is simple to communicate and understand ā€“ even with dozens of different roles.

  • Extendibility: As you ship new features or change the application structure, adding or modifying roles can easily extend access to new resources for users that need them.

  • Improving compliance: Using RBAC forces developers to think about and organize application permissions and access control. This information can then be used by compliance officers during audits.

  • Decreased risk of data breaches / leakage: It becomes easy for developers to implement application security best practices around access control for their APIs, greatly reducing the chances of breaches.

Disadvantages of RBAC

  • Difficult to make exceptions: It can be complex to make exceptions to how a role works. In our example above, if we want to add a rule that users withĀ regular-userĀ role cannot edit their own post if they have already made ten edits, it will have to be added in the API logic as an exception. There is no way for the roles / permissions system to express it easily. This causes issues since we have to encode this rule in all places where we are checking for theĀ edit:selfĀ permission.

  • Role explosion: Because the only way to add granularity to a RBAC system is by creating a new role, we can end up with hundreds of different roles that are impossible to manage.

  • Can cause conflicts in permissions: There could be situations in which a user is assigned two roles that have conflicting information. In our example above, if a user is assigned theĀ adminĀ role and theĀ regular-userĀ role, they haveĀ edit:selfĀ andĀ edit:allĀ permission. Which one should take precedence? The precedence logic can be coded in the APIs, but this opens the possibility for errors.

	// only allow editing if the blog post belongs to the current user 
} 
else if (permissions.contains("edit:all")) {
	// allow editing 
}

This may cause issues if a user has both theĀ adminĀ andĀ regular-userĀ roles ā€“ despite having theĀ adminĀ role, they will not be able to edit all the blogs because theĀ edit:selfĀ statement is executed first while theĀ edit:allĀ rules get skipped in the following else-if statement.

Implementing RBAC

At Supertokens, weā€™ve been thinking a lot about user authentication and authorization. In fact, itā€™s all that we do. We recently launched our user roles feature based on RBAC principles. Our open-source user authentication can be set up in as little as 45 minutes!

You can learn more about how to use user roles and permissions features using SuperTokens via theĀ recipe guides docs.

Written by the Folks atĀ SuperTokensĀ ā€” hope you enjoyed! We are always available on our Discord server. Join us if you have any questions or need any help.

Also published here.

Written by supertokens.io | The most secure and easy to implement solution for user session management
Published by HackerNoon on 2022/11/03
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy