Role-Based Access Control
RBAC provides a straightforward way to manage access by assigning users to roles, and roles to permissions.
Overview
Section titled “Overview”RBAC in Authrim allows you to:
- Define roles that represent job functions or responsibilities
- Assign permissions to roles
- Assign users to one or more roles
- Scope assignments globally, to an organization, or to a resource
- Evaluate access based on user’s role memberships
Concepts
Section titled “Concepts”Roles represent a set of permissions that can be assigned to users:
{ "id": "role-admin", "name": "Administrator", "description": "Full system access", "permissions": ["users:read", "users:write", "users:delete", "settings:manage"]}Permissions
Section titled “Permissions”Permissions are fine-grained access rights:
<resource>:<action>
Examples:- users:read- users:write- documents:delete- settings:manageRole Assignment
Section titled “Role Assignment”Users can be assigned to multiple roles:
{ "user_id": "user-123", "roles": [ { "role_id": "role-admin", "scope": "global" }, { "role_id": "role-editor", "scope": "org", "scope_target": "org-123" } ]}API Reference
Section titled “API Reference”Create Role
Section titled “Create Role”POST /api/admin/rolesAuthorization: Bearer <admin_token>Content-Type: application/json
{ "name": "Editor", "description": "Can edit content", "permissions": ["content:read", "content:write"]}List Roles
Section titled “List Roles”GET /api/admin/rolesAuthorization: Bearer <admin_token>Get Role
Section titled “Get Role”GET /api/admin/roles/{role_id}Authorization: Bearer <admin_token>Update Role
Section titled “Update Role”PATCH /api/admin/roles/{role_id}Authorization: Bearer <admin_token>Content-Type: application/json
{ "description": "Can edit and publish content", "permissions": ["content:read", "content:write", "content:publish"]}Delete Role
Section titled “Delete Role”DELETE /api/admin/roles/{role_id}Authorization: Bearer <admin_token>Assign Role to User
Section titled “Assign Role to User”POST /api/admin/users/{user_id}/rolesAuthorization: Bearer <admin_token>Content-Type: application/json
{ "role_id": "role-editor", "scope": "org", "scope_target": "org-123", "expires_at": 1735689600000}Remove Role from User
Section titled “Remove Role from User”DELETE /api/admin/users/{user_id}/roles/{assignment_id}Authorization: Bearer <admin_token>Get User’s Roles
Section titled “Get User’s Roles”GET /api/admin/users/{user_id}/rolesAuthorization: Bearer <admin_token>Get Effective Permissions
Section titled “Get Effective Permissions”Resolve a user’s effective permissions from direct role assignments and organization membership:
GET /api/admin/users/{user_id}/effective-permissionsAuthorization: Bearer <admin_token>List Role Assignments
Section titled “List Role Assignments”GET /api/admin/roles/{role_id}/assignmentsAuthorization: Bearer <admin_token>Token-Embedded Permissions
Section titled “Token-Embedded Permissions”Authrim can resolve role and permission claims for tokens when the tenant and client claim policy allow it. For administrative review and debugging, prefer the effective-permissions endpoint above.
ID Token with Roles
Section titled “ID Token with Roles”{ "sub": "user-123", "roles": ["admin", "editor"], "permissions": ["users:read", "users:write", "content:read", "content:write"]}Requesting Roles in Token
Section titled “Requesting Roles in Token”Include roles in the scope:
GET /authorize ?response_type=code &scope=openid+profile+roles ...Runtime Checks
Section titled “Runtime Checks”Use the Policy Service for service-to-service checks. These endpoints require the internal policy API bearer token configured for the policy worker.
POST /policy/check-roleAuthorization: Bearer <policy_api_secret>Content-Type: application/json
{ "subject": { "id": "user-123", "roles": [{ "name": "admin", "scope": "global" }] }, "role": "admin"}Response:
{ "allowed": true}Policy Definition
Section titled “Policy Definition”RBAC policies can be defined in JSON:
{ "version": "1.0", "roles": [ { "id": "admin", "name": "Administrator", "permissions": ["users:read", "users:write", "settings:manage"] }, { "id": "editor", "name": "Editor", "permissions": ["content:read", "content:write", "content:publish"] }, { "id": "viewer", "name": "Viewer", "permissions": ["content:read", "users:read"] } ]}Permission Format
Section titled “Permission Format”Custom roles use resource:action permissions such as users:read or content:publish. System and built-in roles may expose broader effective permissions, but custom role creation validates explicit permission names.
Best Practices
Section titled “Best Practices”Role Design
Section titled “Role Design”- Keep roles focused - Each role should represent a clear function
- Avoid role explosion - Don’t create too many fine-grained roles
- Use permission inheritance - Build higher-level roles on lower-level ones
- Document roles - Include clear descriptions
Security
Section titled “Security”- Principle of least privilege - Assign minimum required permissions
- Regular audits - Review role assignments periodically
- Separation of duties - Split sensitive operations across roles
- Role lifecycle - Remove unused roles and assignments
Example: E-commerce Application
Section titled “Example: E-commerce Application”{ "roles": [ { "id": "customer", "permissions": ["orders:read:own", "profile:read:own", "profile:update:own"] }, { "id": "support", "permissions": ["orders:read", "customers:read", "tickets:read", "tickets:write"] }, { "id": "warehouse", "permissions": ["orders:read", "orders:update_status", "inventory:read", "inventory:update"] }, { "id": "admin", "permissions": ["orders:read", "orders:update_status", "customers:read", "inventory:update"] } ]}Integration with ABAC
Section titled “Integration with ABAC”RBAC can be combined with ABAC for more flexible authorization:
{ "effect": "allow", "condition": { "and": [ { "role": "editor" }, { "resource.status": "draft" } ] }}This allows editors to edit only draft content.