Restricting Access (RBAC)

RBAC (Role-based access control) or role-based permissions is a way to restrict access based on a user's defined role. This guide will cover two different methods of enforcing access / RBAC to an API endpoint based on the user's role.

Let's use the following user table for both examples of RBAC. Make note of the role field and the values for each user.

RBAC Example 1: Use Get Record

Now, let's set up an API endpoint that GETs all users but only if the user trying to call the endpoint has a role of admin.

Take note of the endpoint below, user authentication is required. Additionally, take note of the Function Stack:

1. Get Record from user: This will use the authToken to find the user's ID and look up their information.

2. Precondition: This will enforce that the user's role is equal to admin. If it is not, then it will throw and error and stop the endpoint.

3. Query all records from user: This will only be performed if the user's role is an admin by passing the precondition.

Get the record of the user who's calling the endpoint (requester) with the auth ID.

Next, set a precondition to enforce that the user (called requester in the example) has a role equal to admin.

If the precondition is met, then the user who is the requester will have permission to execute the rest of the Function Stack and complete the API endpoint.

RBAC Example 2: Use Extras

In this example, we will use the login endpoint to pass the user's role into extras of the auth token at the time of authentication.

Now that the user's role is passed into the authToken, we can eliminate the Get Record function from the previous example and reference "extras.role" in the precondition to enforce the user's role.

If the user's role is equal to admin then they will pass the precondition and have permission to execute the rest of the Function Stack.