Restricting Access

There are a couple different methods that you can use for role based access in Xano.

RBAC (Role-based access control) or role-based permissions is a way to restrict access based on a user's defined role. This guide will cover two different methods of enforcing access / RBAC to an API endpoint based on the user's role.

Let's use the following user table for both examples of RBAC. Make note of the role field and the values for each user.

RBAC Example 1: Use Get Record

Now, let's set up an API endpoint that GETs all users but only if the user trying to call the endpoint has a role of admin.

Take note of the endpoint below, user authentication is required. Additionally, take note of the Function Stack:

  1. Get Record from user: This will use the authToken to find the user's ID and look up their information.

  2. Precondition: This will enforce that the user's role is equal to admin. If it is not, then it will throw and error and stop the endpoint.

  3. Query all records from user: This will only be performed if the user's role is an admin by passing the precondition.

Get the record of the user who's calling the endpoint (requester) with the auth ID.

Next, set a precondition to enforce that the user (called requester in the example) has a role equal to admin.

If the precondition is met, then the user who is the requester will have permission to execute the rest of the Function Stack and complete the API endpoint.

RBAC Example 2: Use Extras

Extras allow you to store data within the authentication token, which you can access and use on authenticated API endpoints.

First, you must set up the sign-up & login to include the user's role at the time of authentication.

In this example, we will use the login endpoint to pass the user's role into extras of the auth token at the time of authentication.

Now that the user's role is passed into the authToken, we can eliminate the Get Record function from the previous example and reference "extras.role" in the precondition to enforce the user's role.

If the user's role is equal to admin then they will pass the precondition and have permission to execute the rest of the Function Stack.

*NOTE: The quick authToken look-up will not include extras as defined in your sign-up and login API endpoints. This is because it does not mimic actual sign-up and login but is a convenient look-up of a valid authentication token and is for testing purposes. To test an authToken with valid extras you must run one of the endpoints, copy the resulting authToken, and paste it into the header of the API endpoint you wish to use extras with.

Last updated