DEV Community

Cover image for Role-Based Access Control (RBAC) with Feature-Centric Approach
Sushant Rahate
Sushant Rahate

Posted on • Edited on

Role-Based Access Control (RBAC) with Feature-Centric Approach

In this article, we’ll explore how to set up a Role-Based Access Control (RBAC) system where features are a central part. We'll go through defining modules, associating features, assigning roles with specific features, and finally assigning roles to users. This example uses JSON data to keep things simple and adaptable, allowing for scalable access control without requiring any changes for new roles on the frontend

Live Demo

1. Define Modules and Features

Modules group similar features together. Each module can contain multiple features representing actions that users can perform.

JSON Structure for Modules and Features:

{
  "modules": [
    {
      "id": 1,
      "name": "Users",
      "features": [
        "view-users",
        "edit-users"
      ]
    },
    {
      "id": 2,
      "name": "Reports",
      "features": [
        "view-reports",
        "edit-reports"
      ]
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode
  • Modules: Represents a specific area of the application, like "Users" or "Reports."
  • Features: Actions within each module, such as view-users and edit-users for the Users module.

2. Create Roles and Assign Features

Next, create roles that define sets of features. Each role will have a list of permissions that grant access to specific features within the modules.

JSON Structure for Roles and Permissions:

{
  "roles": [
    {
      "id": 1,
      "name": "Admin",
      "permissions": [
        "view-users",
        "edit-users",
        "view-reports",
        "edit-reports"
      ]
    },
    {
      "id": 2,
      "name": "Viewer",
      "permissions": [
        "view-users",
        "view-reports"
      ]
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode
  • Roles: Represent groups with specific access rights, like "Admin" and "Viewer."
  • Permissions: Specify which features each role has access to, allowing for flexible permission settings.

By defining roles, you can manage access control efficiently without modifying each user's permissions.

3. Assign Roles to Users

After creating roles, assign them to users. Each user will inherit the permissions granted by their role.

JSON Structure for Users and Role Assignments:

{
  "users": [
    {
      "id": 1,
      "name": "Sushant",
      "roleId": 1
    },
    {
      "id": 2,
      "name": "Raghav",
      "roleId": 2
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode
  • Users: Represent individuals who will access the application.
  • RoleId: Links each user to a specific role, determining their feature access.

With this structure, you can easily update roles to grant or restrict access for multiple users simultaneously.

4. Setting Up Access Control Logic in the Frontend

On the frontend, access to each feature is checked based on the user's role. Here’s how to securely handle user access based on their assigned role.

  • Fetch Role Permissions: When a user logs in, retrieve their role's permissions from the backend.
  • Store Permissions Locally: For session-based access control, store permissions in a secure format (such as JWT or session storage).
  • Conditional Rendering: For each section or feature, check if the user has permission to view or edit it.

Example Access Check in JavaScript:

const userPermissions = ["view-users", "edit-users"]; // Loaded from backend based on role

if (userPermissions.includes("view-users")) {
  // Render the user view section
}

if (userPermissions.includes("edit-users")) {
  // Render the user edit section
}
Enter fullscreen mode Exit fullscreen mode

Using a role-based check in the frontend ensures that users only see features they’re permitted to access.

Backend Validation

While this example focuses on the frontend, validating user roles and permissions should also happen on the backend. Backend validation should re-check feature access on every request, helping to prevent any unauthorized data or feature access

Pros and Cons

Pros

  • Fine-Grained Access Control: This approach allows you to control user access on a feature-by-feature basis, which is more flexible than traditional role-based access control.

  • Scalability: New features and modules can easily be added to the system, and roles can be adjusted without significant backend changes.

  • Improved Security: By combining frontend validation and strict backend checks, this system helps prevent unauthorized access to restricted features.

Cons

  • Complexity: Feature-based access control can become complex, especially as the number of modules, features, and roles increases. Proper planning and documentation are essential to prevent it from becoming difficult to manage.

Conclusion

Role-Based Access Control (RBAC) with a feature-centric approach offers a scalable and efficient way to manage user permissions. By defining modules and features, setting up roles, and assigning or updating features to roles, you can easily create and manage custom roles without requiring any new changes in the frontend.

Check out my GitHub profile: https://github.com/sushantrahate

I hope this guide helps you. Happy coding! 😄

Top comments (0)