RBAC
Role-based access control
Implementing a role-based access control with Kilpi is simple with the createRbacPolicy utility, which is an alternative policy constructor API.
export const rbacPolicy = createRbacPolicy( (subject: Subject | null) => { // May optionally be async, and e.g. fetch data if (!subject) return null; // Subject narrowing return { subject, roles: subject.roles, // Return user's roles as string[] } })The rbacPolicy constructor can now be used to easily create RBAC policies with strong typesafety.
export const policies = { documents: { read: rbacPolicy("user", "admin", "guest"), create: rbacPolicy("user", "admin"), delete: rbacPolicy("admin"), },}Due to how the Policy API was designed, the RBAC configuration has to be declared as “Action-to-Roles” instead of “Roles-to-Actions”.
We believe this is justified, as most authorization systems quickly run into limitations with RBAC. Let’s imagine a new requirement, where documents can be deleted by admins, but also by users if the user created the document. With this API, breaking out of the RBAC model to ABAC is trivial:
export const policies = { documents: { read: rbacPolicy("user", "admin", "guest"), create: rbacPolicy("user", "admin"), delete: rbacPolicy("admin"), delete((user, document: Document) { return user && (hasRole(user, "admin") || user.id === document.ownerId) ? grant(user) : deny() }) },}
function hasRole(subject: Subject, ...roles: Role[]) { return roles.some(role => subject.roles.includes(role)); }With an “Roles-to-Actions” API, migrating to ABAC would require a more complex refactoring.