Role-Based Access Control (RBAC) with OPA
Don't miss How to implement RBAC in Rego for in-depth RBAC Rego examples
Overview
With Role-Based Access Control, a subject can perform an action on a resource if:
- the subject is assigned a role
- that role has permissions
- representing performing the action on a resource
Having a role means being granted its access level.
A role in RBAC corresponds to a set of (resource, action) tuples (or "permissions").
Why Roles?
Often, the assignment of roles to subjects is the easiest way to administer an application's authorization system.
These are some example requirements related to roles in an application:
An "admin" can assign all roles, including "admin", to other users.
New users are assigned the "viewer" role.
What the role encompasses – what it means to be an "admin" or a "viewer" – is what the application authors define. In most applications, that's a sweet spot between allowing the user to control access and limiting them to a set of predefined, well-thought-out access models.
Example
For example, in a simple document management service, these could be usual roles:
- Viewer
- View and list documents
- Editor
- Create, list, and edit documents, and delete them.
- Admin
- Full access to all actions on documents, and add and delete users.
In terms of the mappings mentioned earlier, this would boil down to the following role-action-resource mapping:
| Action | Resource | Viewer | Editor | Admin |
|---|---|---|---|---|
| view | documents | ✔️ | ✔️ | ✔️ |
| list | documents | ✔️ | ✔️ | ✔️ |
| delete | documents | ✔️ | ✔️ | |
| create | documents | ✔️ | ✔️ | |
| delete | users | ✔️ | ||
| create | users | ✔️ |
Roles and Personas
The roles often correspond to expected usage patterns, or use-cases of the application:
- As a document editor, I want to be able to make changes to the documents.
- As a viewer, I need to be able to list all documents.
- As an admin, I want to delete a user when they've left the team.
Summary
Roles are sets of actions and resources that bundle the low-level concepts into abstractions that correspond to usage patterns of an application. As an abstraction, they provide a well-known way to structure access controls, and enhance the out-of-the-box experience of your application's authorization features.
What next?
- Read up on
- Dive into Rego: RBAC How-To
- Learn how to address advanced requirements with OPA
Further Reading
- How-to: Role-Based Access Control (RBAC) in Rego
- Need a break? Head to the Playground: Access Control for a complete, interactive example of RBAC