What is RBAC?
Role-based access control (RBAC), or simply "roles," is a common way to simplify authorization logic for both engineers and users.
A role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has.
A permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to read repositories.
There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:
Oso Cloud is an authorization service for building RBAC in Node
- Oso Cloud is fully-managed and deployed across multiple regions for low-latency and high availability.
- Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC).
- You provide Oso Cloud with the requisite authorization data (role assignments, resource relationships); your RBAC policy then operates on that data to make authorization decisions at runtime.
- Oso can provide yes/no authorization decisions, as well as filter lists of data.
Express RBAC in Node with Oso Cloud
To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.
```javascript
const { Oso } = require("oso-cloud");

// Oso Cloud client; the API key is read from an environment variable
// (the variable name OSO_AUTH is an assumption, use whatever your deployment provides)
const oso = new Oso("https://cloud.osohq.com", process.env.OSO_AUTH);

// This will return `false` if the current user does not
// have access to the Repository that they're trying to read
const user = {id: User.getCurrentUser(), type: "User"};
const repo = {id: repoName, type: "Repository"};
const allowed = await oso.authorize(user, "read", repo);
```
You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.
In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.
```polar
actor User {}

resource Organization {
  roles = ["owner"];
}

resource Repository {
  permissions = ["read", "push"];
  roles = ["contributor", "maintainer"];
  relations = { parent: Organization };

  # An actor has the "read" permission if they have the "contributor" role.
  "read" if "contributor";
  # An actor has the "push" permission if they have the "maintainer" role.
  "push" if "maintainer";
  # An actor has the "contributor" role if they have the "maintainer" role.
  "contributor" if "maintainer";
  # An actor has the "maintainer" role if they have the "owner" role on the
  # "parent" Organization.
  "maintainer" if "owner" on "parent";
}
```
For a detailed guide on RBAC, read our technology-agnostic Authorization Academy guide to RBAC.
Oso isn’t limited to RBAC. It comes with primitives for other common access control models, like Relationship-based authorization, or ReBAC. For a guide on other authorization patterns, take a look at our guide on authorization modeling covering roles, hierarchies, groups, and other patterns.
Filter data based on a user’s role
Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this, use the list method.
Here's that in the Node app again:
```javascript
const user = {id: User.getCurrentUser(), type: "User"};
let repos = await oso.list(user, "read", "Repository");
```
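To make the policy above concrete, here is an added illustration (not Oso's engine and not code from this page) that evaluates the same rules over constructed in-memory facts, exposing `authorize` and `list` with the same shape as the Oso Cloud calls shown in the controller and the list example. It shows how "owner" on the parent Organization flows down to "maintainer" and then "contributor" on a Repository; the sample users, role assignments and repository names are constructed.

```javascript
// Added illustration: in-memory evaluator mirroring the Polar policy above.
// Not the Oso Cloud engine; in production `oso.authorize` / `oso.list`
// answer these questions against Oso Cloud. All facts below are constructed.
const facts = {
  roles: [
    { user: "alice", role: "owner", type: "Organization", id: "acme" },
    { user: "bob", role: "maintainer", type: "Repository", id: "acme/web" },
    { user: "carol", role: "contributor", type: "Repository", id: "acme/web" },
  ],
  // Repository -> parent Organization (the `relations = { parent: Organization }` line)
  parent: { "acme/web": "acme", "acme/tools": "acme", "other/app": "other" },
};

// Roles granted directly by a role-assignment fact.
function directRoles(user, type, id) {
  return new Set(
    facts.roles
      .filter((f) => f.user === user && f.type === type && f.id === id)
      .map((f) => f.role)
  );
}

// Effective roles on a Repository, applying the policy's role-implication rules:
//   "maintainer" if "owner" on "parent";   "contributor" if "maintainer";
function repositoryRoles(user, repoId) {
  const roles = directRoles(user, "Repository", repoId);
  const orgId = facts.parent[repoId];
  if (orgId && directRoles(user, "Organization", orgId).has("owner")) roles.add("maintainer");
  if (roles.has("maintainer")) roles.add("contributor");
  return roles;
}

// Permission -> role mapping from the policy: "read" if "contributor"; "push" if "maintainer".
const repositoryPermissions = { read: "contributor", push: "maintainer" };

// Mirrors oso.authorize(user, action, resource): a yes/no decision.
// Unknown actions and unknown resource types are denied (deny by default).
function authorize(user, action, resource) {
  if (resource.type !== "Repository") return false;
  const requiredRole = repositoryPermissions[action];
  return requiredRole !== undefined && repositoryRoles(user.id, resource.id).has(requiredRole);
}

// Mirrors oso.list(user, action, "Repository"): ids of repositories the user may act on.
function list(user, action, resourceType) {
  if (resourceType !== "Repository") return [];
  return Object.keys(facts.parent).filter((id) =>
    authorize(user, action, { type: "Repository", id })
  );
}
```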
Learn more about RBAC concepts, architecture, and best practices
We've written an Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:
- How to architect your app for RBAC.
- Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC), including when to use them and how to implement them.
- Where to enforce authorization at various layers in your app.
Learn how to implement authorization in Node.js
- Relationship-Based Access Control (ReBAC) in Node.js With Oso Cloud
- Implementing Attribute-based Access Control (ABAC) in Node.js With Oso
- Role Based Access Control (RBAC) in Node.js
- Check out the Node SDK documentation
Join the community of thousands of developers in the Oso Slack (including many Node devs!) or feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Node, Oso Cloud, or just authorization in general. We'd love to talk about what you're working on and answer any questions you have.