Suite RBAC Fundamentals

How Suite RBAC works

RBAC operates over four main concepts:

  • Permissions.
  • Roles.
  • Security Principals.
  • Role Assignments.

Permissions

A Permission specifies the level of access a user has over a resource. Permissions are usually referred to by their Name, which follows this format:

  • {application}/{resource}/{action}

Note

This structure is only guidance and can be updated at any moment by adding levels or modifying existing ones. RBAC will handle them no matter what.

In addition, a Permission stores a display name and a description for further contextualization.

Roles

A Role is little more than a mechanism for grouping permissions. Each role has a set of allowed permissions which are represented as expressions that support wildcards:

  • aims/*/create
  • sim/spare-requests/*
  • suite/**
  • **

A couple of implications of wildcard usage are worth highlighting:

  • A single wildcard (*) matches all possible values on that specific level.
  • A double wildcard (**) matches all possible values on that specific level and on all levels below it, until a non-wildcard value is found.

Security Principals

A Security Principal is anything that can request access to a resource and can therefore be associated with a Role. A few examples in our ecosystem are Users, User Groups, Positions or Position Types.

Ultimately, a Security Principal is fully aware of the Users it is related to. Application logic in each service is responsible for keeping this information up to date against RBAC.

Role Assignment

A Role Assignment is the process of assigning a set of Roles to a Security Principal, transitively granting all permissions related to each particular role.

Authorization

The second main process handled by Suite RBAC, alongside Role Assignments, is the Authorization Process, which consists of determining whether a user requesting access to a resource has Effective Permissions* to do so.

This is accomplished by calculating the effective permissions for a given user and matching them against the required permissions for the specified resource.

| Required permission | Effective permissions | Result  |
|---------------------|-----------------------|---------|
| aims/origins/create | aims/**               | Allowed |
| aims/issues/create  | aims/origins/*        | Denied  |

*Effective Permissions: the resulting set of Permission Expressions from all Roles assigned to a Security Principal.
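
The wildcard rules from the Roles section and the authorization check above, sketched in Python as an added example (not Suite RBAC's own code). The role names, principals and users are constructed sample data, and it assumes that `**` consumes at least one level and that access is denied when no expression matches.

```python
from functools import lru_cache

def matches(expression: str, permission: str) -> bool:
    """True if a role's permission expression covers a concrete permission name."""
    pat, name = tuple(expression.split("/")), tuple(permission.split("/"))

    @lru_cache(maxsize=None)  # keeps expressions with several '**' cheap to evaluate
    def walk(i: int, j: int) -> bool:
        if i == len(pat):
            return j == len(name)      # match only if both are fully consumed
        if j == len(name):
            return False               # expression has levels the name lacks
        if pat[i] == "**":
            # Assumption: '**' takes one or more levels, then matching resumes
            return any(walk(i + 1, k) for k in range(j + 1, len(name) + 1))
        if pat[i] in ("*", name[j]):   # '*' covers exactly one level
            return walk(i + 1, j + 1)
        return False

    return walk(0, 0)

# Constructed sample data: roles, role assignments and principal membership
ROLES = {
    "aims-admin": {"aims/**"},
    "origin-editor": {"aims/origins/*"},
    "spares-clerk": {"sim/spare-requests/*"},
}
ASSIGNMENTS = {  # security principal -> assigned roles
    "group:aims-admins": {"aims-admin"},
    "user:bob": {"origin-editor", "spares-clerk"},
}
MEMBERS = {  # security principal -> users it is related to
    "group:aims-admins": {"alice"},
    "user:bob": {"bob"},
}

def effective_permissions(user: str) -> set:
    """Union of expressions from every role of every principal the user belongs to."""
    return {expr for principal, users in MEMBERS.items() if user in users
            for role in ASSIGNMENTS.get(principal, ())
            for expr in ROLES.get(role, ())}

def is_authorized(user: str, required: str) -> bool:
    """Deny by default: allow only if some effective expression matches."""
    return any(matches(expr, required) for expr in effective_permissions(user))
```

Because the required permission is compared level by level as a literal name, a wildcard character in the requested name is never expanded; only expressions stored on roles act as patterns.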