Role-Based Access Control (RBAC)

About Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a security model used to manage and restrict access to resources based on setting roles for individual users.

Roles

RBAC simplifies the management of permissions by grouping access rights into roles, which are then assigned to users.

Adding different roles help ensure that users only have the minimum permissions needed to perform their jobs, enhancing security and reducing the risk of unauthorized access.

Tenants / Organizations

Userfront allows you to sub-divide your application into tenants, and this enables you to further scope your roles for fine-grained access management.

A user can have roles in zero, one, or many different tenants.

Tenants come in 3 flavors:

Tenants can also be nested multiple levels deep. This is referred to as nested multi-tenancy.

RBAC Requirements

To use roles and tenants on Userfront, create and manage your roles, tenants, and users from the dashboard or API.

Each end user also has an authorization object that contains the tenants and roles that they can access.

This authorization object is included in their JWT access token by default, and can also be obtained via the /self API endpoint.

{
  "email": "bgates@example.com",
  ...
  "authorization": {
    "wbmxvmvn": {
      "tenantId": "wbmxvmvn",
      "name": "Organization A",
      "roles": ["contributor","support"]
    },
    "qbjxdgxb": {
      "tenantId": "qbjxdgxb",
      "name": "Sub-org B1",
      "roles": ["admin"]
    }
  }
}

Auto role assignment

You can configure Userfront to auto-create a tenant and assign a role for each new user that signs up for your service. For example, new users can receive the admin role within their own individual tenant upon registration.

RBAC Handling

Userfront offers two primary ways to handle RBAC: JWT authorization and API authorization.

With JWT authorization, your users’ authorization object is added to their JWT access token, which can be sent to your server for verification.

With API authorization, your system can make an API request to Userfront to receive real-time information about a user’s access levels.

You can use JWT authorization or API authorization, or can use them both in conjunction as part of step-up authorization for certain actions.

JWT authorization

With JWT authorization, an end user’s authorization object is encoded within their JWT access token, which is returned to them upon login.

Subsequent requests to your service will include this JWT access token, allowing your system to know who the user is and what they are allowed to do.

By default, the JWT access token payload will contain the authorization object for each user:

{
  "userId": 3,
  "userUuid": "9ea570e3-e951-4a45-bda1-ff0317204c89",
  "email": "bgates@example.com",
  ...
  "authorization": {
    "wbmxvmvn": {
      "tenantId": "wbmxvmvn",
      "aliasId": "abc-123",
      "name": "Organization A",
      "roles": ["contributor","support"]
    },
    "qbjxdgxb": {
      "tenantId": "qbjxdgxb",
      "aliasId": "def-456",
      "name": "Sub-org B1",
      "roles": ["admin"]
    }
  },
  "authentication": {
    "firstFactor": { "strategy": "password", "channel": "email" },
    "secondFactor": { "strategy": "totp", "channel": "authenticator" }
  },
}

API authorization

With API authorization, an end user’s authorization object can be retrieved any time using either their JWT access token, which is returned to them upon login, or with an API key on your server.

By retrieving authorization information directly from the Userfront API, you can ensure that your system knows the latest information about what the user can access, instead of relying on their JWT access token, which could be slightly out of date.

Your system can make requests to the /self API endpoint with the user’s JWT access token, or to the Read user API endpoint with an API key. In either case, the response will contain information about the user as well as their authorization object:

{
  "userId": 3,
  "userUuid": "9ea570e3-e951-4a45-bda1-ff0317204c89",
  "email": "bgates@example.com",
  ...
  "authorization": {
    "wbmxvmvn": {
      "tenantId": "wbmxvmvn",
      "aliasId": "abc-123",
      "name": "Organization A",
      "roles": ["contributor","support"]
    },
    "qbjxdgxb": {
      "tenantId": "qbjxdgxb",
      "aliasId": "def-456",
      "name": "Sub-org B1",
      "roles": ["admin"]
    }
  },
  "authentication": {
    "firstFactors": [{ "strategy": "password", "channel": "email" }],
    "secondFactors": [{ "strategy": "totp", "channel": "authenticator" }]
  },
}

Step-up authorization

You can also use JWT authorization and API authorization together as part of step-up authorization.

For some actions on your system, such as viewing basic information, you can read from the authorization object from the end user’s JWT access token.

For time-sensitive actions where you want the latest authorization information for a user, such as deleting or editing a sensitive resource, your system can “step up” to API authorization by making a realtime request for authorization details before performing the action in question.

Step-up authorization allows your system to make fewer requests and provides your end users with faster responses, while still allowing you to access realtime authorization information for certain actions.

RBAC Documentation

Roles

• Create and manage roles
• ‍Assign a global role to a user
• Assign a role to a user (tenant-level)
• Invite a user to a global role
• Invite a user to a role (tenant-level)
• Search for users by role