Learn about RBAC and ABAC and how to set up AccessControl for authorization in server-side and client-side applications.
System security is one of the key considerations when building software, and there are various mechanisms used in ensuring a software system is secure. The common ones are role-based access control (RBAC) and attribute-based access control (ABAC).
AccessControl, a Node.js module, can be used to implement these two access control mechanisms. Before diving into how AccessControl works, let’s briefly explain these two mechanisms and how they work.
Role-based access control, also known as role-based security, is a mechanism that restricts system access to users based on their roles and the privileges and permissions attached to those roles.
Within an application, roles are created for the various user types (e.g., writer or reader). The permission to perform certain actions or to access application resources is assigned to specific roles. For instance, in a writing application, a writer can be granted permission to create, update, read, and delete a post, whereas a reader can be restricted to only reading a post.
When using RBAC, there are three guiding rules:
A user can have multiple roles, and a role can have multiple permissions. RBAC also supports role hierarchies, where a higher-level role inherits the permissions of its sub-roles. Additional constraints may be applied to place restrictive rules on the potential inheritance of permissions from another role. Some examples of constraints are:
Attribute-based access control, also known as policy-based access control for IAM, is an access control paradigm in which access rights are granted to users through policies that combine attributes. The policies can use any type of attribute, such as user, resource, object, and environment attributes.
ABAC can complement RBAC: in addition to roles and permissions, a policy can define which attributes are allowed or not allowed.
AccessControl, a Node.js module, merges the best features of RBAC and ABAC. It implements RBAC basics and also focuses on resource and action attributes. For a full list of the module's features, view the documentation.
With npm: npm i accesscontrol --save
With Yarn: yarn add accesscontrol
Roles serve as containers for permissions. They are assigned to users depending on their responsibility. You can create and define roles simply by calling the .grant(<role>) or .deny(<role>) methods on an AccessControl instance.
import { AccessControl } from 'accesscontrol';
const ac = new AccessControl();
ac.grant('reader');
Roles can extend other roles. You can extend a role by calling .extend on an existing role.
ac.grant('reader').extend('writer');
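The three ideas above (roles as containers for permissions, role inheritance via extend, and attributes that limit what a role may touch on a resource) make up the whole RBAC-plus-ABAC model the article describes. The following is a self-contained example added for this article; it is not code from the accesscontrol package or its author, and it implements the model by hand so it runs without installing anything. The class and function names (Policy, allow, extend, check, pick, buildPolicy), the attribute-list convention ('*' for all fields, '!field' to exclude one), the reader/writer/editor rules and the sample post are all this example's own constructions.

```javascript
// Added example for this article: a small RBAC + attribute-filtering engine.
// It is hand-written here and is NOT the accesscontrol npm package; it only
// mirrors the grant / extend / attribute ideas the article describes.
// Names (Policy, allow, extend, check, pick, buildPolicy) are this example's own.

class Policy {
  constructor() {
    // role name -> { parents: Set<string>, rules: Map<"action:resource", string[]> }
    this.roles = new Map();
  }

  role(name) {
    if (!this.roles.has(name)) {
      this.roles.set(name, { parents: new Set(), rules: new Map() });
    }
    return this.roles.get(name);
  }

  // Grant `role` permission to perform `action` on `resource`, limited to `attributes`.
  // Attribute lists use '*' for "all fields" and '!field' to exclude a field (own convention).
  allow(role, action, resource, attributes = ['*']) {
    this.role(role).rules.set(`${action}:${resource}`, attributes);
    return this;
  }

  // Make `role` inherit every permission of `parent` (role hierarchy).
  // Refuses cycles, since a -> b -> a would otherwise make lookups loop.
  extend(role, parent) {
    if (role === parent || this.inherits(parent, role)) {
      throw new Error(`role hierarchy cycle: ${role} -> ${parent}`);
    }
    this.role(role).parents.add(parent);
    return this;
  }

  // True if `role` (transitively) extends `ancestor`.
  inherits(role, ancestor, seen = new Set()) {
    if (!this.roles.has(role) || seen.has(role)) return false;
    seen.add(role);
    for (const p of this.roles.get(role).parents) {
      if (p === ancestor || this.inherits(p, ancestor, seen)) return true;
    }
    return false;
  }

  // Deny by default: an unknown role or a missing rule yields granted: false.
  // A role's own rule wins over inherited ones; otherwise the first matching ancestor.
  check(role, action, resource, seen = new Set()) {
    if (!this.roles.has(role) || seen.has(role)) return { granted: false, attributes: [] };
    seen.add(role);
    const def = this.roles.get(role);
    const own = def.rules.get(`${action}:${resource}`);
    if (own) return { granted: true, attributes: own };
    for (const p of def.parents) {
      const r = this.check(p, action, resource, seen);
      if (r.granted) return r;
    }
    return { granted: false, attributes: [] };
  }
}

// Apply an attribute list to an object: keep only the permitted fields.
function pick(attributes, obj) {
  const all = attributes.includes('*');
  const excluded = new Set(attributes.filter(a => a.startsWith('!')).map(a => a.slice(1)));
  const included = new Set(attributes.filter(a => a !== '*' && !a.startsWith('!')));
  const out = {};
  for (const key of Object.keys(obj)) {
    if (excluded.has(key)) continue;
    if (all || included.has(key)) out[key] = obj[key];
  }
  return out;
}

// Constructed sample policy: a writing application with reader, writer and editor roles.
function buildPolicy() {
  const p = new Policy();
  p.allow('reader', 'read', 'post', ['*', '!draftNotes']);  // readers never see draft notes
  p.allow('writer', 'create', 'post')
    .allow('writer', 'update', 'post', ['title', 'body'])   // writers cannot flip `published`
    .allow('writer', 'delete', 'post')
    .extend('writer', 'reader');                             // writers inherit read access
  p.allow('editor', 'update', 'post', ['*'])                 // editors may set every field
    .extend('editor', 'writer');
  return p;
}

// Constructed sample record.
const samplePost = { title: 'Hello', body: 'First post', published: false, draftNotes: 'todo' };

const policy = buildPolicy();
console.log(pick(policy.check('reader', 'read', 'post').attributes, samplePost)); // no draftNotes
console.log(policy.check('writer', 'read', 'post').granted);   // true, inherited from reader
console.log(policy.check('reader', 'delete', 'post').granted); // false, denied by default
```

The two points worth noting for a real deployment are the deny-by-default return in check (an unknown role or a typo in the action name yields no access rather than an exception that might be swallowed) and the cycle guard in extend, which keeps a misconfigured hierarchy from hanging permission lookups.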