Role-Based Access Control (RBAC) in Node

What is RBAC?

Roles, also known as “role-based access control,” are a common way to simplify authorization logic for both engineers and users.

role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has.

permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to read repositories.

There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:

Oso Cloud is an authorization service for building RBAC in Node.

  • Oso Cloud is fully-managed and deployed across multiple regions for low-latency and high availability
  • Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC).
  • You provide Oso Cloud with the requisite authorization data, then your RBAC policy operates that data to make authorization decisions at runtime.
  • Oso can provide yes/no authorization decisions, as well as filter lists of data.

Express RBAC in Node with Oso Cloud.

To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.

// This will throw an exception if the current user does not
// have access to the Repository that they're trying to read
await oso.authorize(User.getCurrentUser(), "read", Repository.getByName(name));

You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.

In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.

actor User {}

resource Organization {
  roles = ["owner"];

resource Repository {
  permissions = ["read", "push"];
  roles = ["contributor", "maintainer"];
  relations = { parent: Organization };

  # An actor has the "read" permission if they have the "contributor" role.
  "read" if "contributor";
  # An actor has the "push" permission if they have the "maintainer" role.
  "push" if "maintainer";

  # An actor has the "contributor" role if they have the "maintainer" role.
  "contributor" if "maintainer";

  # An actor has the "maintainer" role if they have the "owner" role on the "parent" Organization.
  "maintainer" if "owner" on "parent";

For a detailed guide on RBAC, read our technology-agnostic Authorization Academy guide to RBAC.

Oso isn’t limited to RBAC. It comes with primitives for other common access control models, like Relationship-based authorization, or ReBAC. For a guide on other authorization patterns, take a look at our guide on authorization modeling covering roles, hierarchies, groups, and other patterns.

Filter Data Based on a User’s Role.

Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this we can use the list method.

Here's that in the Node app again:

repos = await oso.list(User.getCurrentUser(), "read", Repository)

How to get started with RBAC in Node.

Create an Oso Cloud account, then try the guide on adding adding Oso Cloud to your Node app with RBAC.

Feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Node, Oso Cloud, or just authorization in general.

Learn more about RBAC concepts, architecture, and best practices.

We've written an Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:

  • How to architect your app for RBAC.
  • Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC) – like when to use them and how to implement them.
  • Where to enforce authorization at various layers in your app.

Then join the community of thousands of developers in the Oso Slack (including many Node devs!) We'd love to talk about what you're working on and answer any questions you have.

Get started with Oso Cloud
Looking for Oso On-Premises? You can also try the open source Oso Library.

Level up your authorization knowledge

Explore our docs

Access guides, example policies, and authorization best practies.
Read Oso docs

Read Authorization Academy

A series of technical guides for building application authorization.
See all chapters

Learn about Oso Cloud

Authorization for two services or thousands.
Dive into Oso Cloud