
Permission & Role System (RBAC)

Control who can access what — Role-Based Access Control for web and app systems with practical examples.

🔄 RBAC Authorization Flow

Diagram: 👤 User makes request → 🔐 Auth Middleware (verify JWT token, extract role) → 🛡️ Permission Guard (check role vs resource, check action allowed) → ✅ ALLOW (access resource) or ❌ DENY (403 Forbidden). The guard consults the 🗄️ Role & Permission store (DB / config): Role → Permissions → Resources → Actions (CRUD).

📋 RBAC Flow Step by Step

1. 👤 User: makes an HTTP request to a protected endpoint (e.g., GET /api/orders)
2. 🔐 Auth Middleware: extracts the JWT from the Authorization header → verifies the signature and expiry → decodes the payload. Claims are trusted only after the signature check passes.
3. 🎫 Auth Middleware: extracts user_id + role from the JWT payload → attaches them to the request context
4. 🛡️ Permission Guard: checks whether this role has permission for this resource + action
5. 🗄️ Permission Guard: looks up role → permissions in the DB/config (cached in Redis for speed; invalidate the cache when a role's permissions change so revocations take effect)
6. ⚖️ Permission Guard: if ALLOWED → passes the request to the controller. If DENIED → returns 403 Forbidden. Default deny: an unknown role, resource or action is a denial.
7. 🔒 Controller: applies an additional data-level filter in the query, WHERE owner_id = user.id (row-level security), so a customer reaches only their own orders
8. 🗄️ Database: returns only the authorized records. Never return all rows and rely on the client to hide the rest.
9. Response: sends the filtered response. The frontend may hide UI elements based on role too, but that is a usability measure only; the server-side checks in steps 4-8 are what enforce access.

📋 Permission Matrix Examples

Role          | products    | orders      | users       | reports | settings
Super Admin   | CRUD        | CRUD        | CRUD        | CRUD    | CRUD
Store Manager | CRUD        | CRUD        | Read        | Read    | Read
Staff         | Read/Update | Read/Update | none        | none    | none
Customer      | Read        | Own only    | Own profile | none    | none

(none = no access to that resource; "Own only" / "Own profile" = access limited to the caller's own rows.)
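The nine-step flow and the permission matrix above, as an added, runnable Python example (not code from the original page). It uses only the standard library: the HS256 signing and verification are hand-rolled for the demo (use a vetted JWT library in production), and the secret, user ids, token claims, the ORDERS rows and the function names (issue_token, verify_token, authorize, list_orders, handle_request) are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads the key from a secrets manager.
HMAC_SECRET = b"demo-secret-do-not-use-in-production"

# Permission matrix from the page: role -> resource -> allowed actions.
CRUD = frozenset({"create", "read", "update", "delete"})
PERMISSIONS = {
    "super_admin": {r: CRUD for r in ("products", "orders", "users", "reports", "settings")},
    "store_manager": {"products": CRUD, "orders": CRUD, "users": {"read"},
                      "reports": {"read"}, "settings": {"read"}},
    "staff": {"products": {"read", "update"}, "orders": {"read", "update"}},
    "customer": {"products": {"read"}, "orders": {"read"}, "users": {"read", "update"}},
}
# (role, resource) grants limited to rows the user owns ("Own only" / "Own profile").
OWN_ONLY = {("customer", "orders"), ("customer", "users")}
HTTP_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update",
                  "PATCH": "update", "DELETE": "delete"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id, role, ttl=3600, now=None) -> str:
    """Mint an HS256 JWT with stdlib only (demo; use a vetted JWT library in production)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": role, "exp": now + ttl}).encode())
    sig = hmac.new(HMAC_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> Optional[dict]:
    """Step 2: check signature and expiry before trusting any claim. None = reject."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it (blocks alg=none).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(HMAC_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload

def authorize(token, method, resource, now=None):
    """Steps 3-6: attach identity, then check role x resource x action. Default deny."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None  # no trusted identity: unauthenticated
    role, user_id = claims.get("role"), claims.get("sub")
    action = HTTP_TO_ACTION.get(method.upper())
    allowed = PERMISSIONS.get(role, {}).get(resource, set())
    if action is None or action not in allowed:
        return 403, None  # unknown role, resource or method all fall through to deny
    return 200, {"user_id": user_id, "role": role, "own_only": (role, resource) in OWN_ONLY}

# Constructed sample table; owner_id refers to the JWT "sub" claim.
ORDERS = [
    {"id": 1, "owner_id": 7, "total": 19.99},
    {"id": 2, "owner_id": 8, "total": 5.00},
    {"id": 3, "owner_id": 7, "total": 42.10},
]

def list_orders(ctx: dict) -> list:
    """Steps 7-8: row-level filter, the in-memory equivalent of WHERE owner_id = :user_id."""
    if ctx["own_only"]:
        return [o for o in ORDERS if o["owner_id"] == ctx["user_id"]]
    return list(ORDERS)

def handle_request(token, method, resource, now=None):
    """End to end: (status, body) for a request such as GET /api/orders."""
    status, ctx = authorize(token, method, resource, now)
    if status != 200:
        return status, None
    if resource == "orders" and method.upper() == "GET":
        return 200, list_orders(ctx)
    return 200, ctx  # other controllers omitted from the demo

if __name__ == "__main__":
    t = issue_token(7, "customer")
    print(handle_request(t, "GET", "orders"))     # 200 with orders 1 and 3 only
    print(handle_request(t, "DELETE", "orders"))  # (403, None)
```

Two points the flow text leaves implicit are visible here: a token whose payload has been edited (say, role changed to super_admin) fails at step 2 with 401 rather than reaching the guard, and the guard's lookup is default-deny, so a role or resource missing from the matrix is a 403 without any special case. The row-level filter runs only after the guard has already allowed "read orders"; it narrows the result set, it does not replace the role check.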

🧠 Key Concepts in Access Control

🏷️

RBAC

Role-Based Access Control. Assign permissions to roles, assign roles to users. Simple, scalable, easy to audit.

🎯

ABAC

Attribute-Based Access Control. More granular than RBAC: the decision is computed from attributes of the subject (role, department), the resource (owner, classification), the action, and the environment (time, location), rather than from role membership alone.

🔒

Row-Level Security

Filter data at the database level. Customers only see their own orders even if they call the same API endpoint.

📋

Permission Matrix

A table mapping roles to resources to actions (CRUD). Easy to review and update who can do what.

⚖️

Principle of Least Privilege

Give users only the minimum access they need for their job. Limits the blast radius of a compromised account, a leaked token, or an authorization bug.

📜

Audit Logging

Log every sensitive action, including denied attempts: who did what, when, from where, and with what result. Essential for compliance and incident investigation.
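ABAC and audit logging from the list above, as an added Python example that is not code from the original page: a small deny-overrides policy engine whose conditions read subject, resource, action and environment attributes (department, ownership, sensitivity, time of day) and write one audit record per decision, allowed or denied. The Subject/Resource/Environment types, the three policies, the business-hours window and the env_at helper are all constructed for the demo.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Subject:
    user_id: int
    role: str
    department: str

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: int
    department: str
    sensitivity: str  # "low" or "high"

@dataclass(frozen=True)
class Environment:
    now: datetime  # request time, UTC
    source_ip: str

# A policy is (effect, name, condition); conditions see subject, resource, action, environment.
Condition = Callable[[Subject, Resource, str, Environment], bool]
POLICIES: List[Tuple[str, str, Condition]] = [
    ("deny", "high-sensitivity data only during business hours (08:00-18:00 UTC)",
     lambda s, r, a, e: r.sensitivity == "high" and not (8 <= e.now.hour < 18)),
    ("allow", "owner may read and update their own record",
     lambda s, r, a, e: r.owner_id == s.user_id and a in ("read", "update")),
    ("allow", "managers may read resources of their own department",
     lambda s, r, a, e: s.role == "manager" and s.department == r.department and a == "read"),
]

AUDIT_LOG: List[dict] = []  # in memory for the demo; use an append-only store in production

def decide(subject: Subject, resource: Resource, action: str, env: Environment) -> dict:
    """Deny-overrides evaluation with default deny, plus one audit record per decision."""
    matched = [(effect, name) for effect, name, cond in POLICIES
               if cond(subject, resource, action, env)]
    if any(effect == "deny" for effect, _ in matched):
        decision = "deny"
    elif any(effect == "allow" for effect, _ in matched):
        decision = "allow"
    else:
        decision = "deny"  # no policy granted access: default deny
    # Who did what, when, from where, and why: recorded for allows and denials alike.
    record = {
        "ts": env.now.isoformat(),
        "user_id": subject.user_id,
        "role": subject.role,
        "action": action,
        "resource": f"{resource.kind}:{resource.owner_id}",
        "source_ip": env.source_ip,
        "decision": decision,
        "matched_policies": [name for _, name in matched],
    }
    AUDIT_LOG.append(record)
    return record

def audit_lines() -> List[str]:
    """One JSON object per line, the shape most log pipelines ingest directly."""
    return [json.dumps(r, sort_keys=True) for r in AUDIT_LOG]

def env_at(hour: int, ip: str = "203.0.113.10") -> Environment:
    """Constructed environment for a fixed demo date at the given UTC hour."""
    return Environment(datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc), ip)

if __name__ == "__main__":
    manager = Subject(1, "manager", "sales")
    report = Resource("report", 7, "sales", "high")
    print(decide(manager, report, "read", env_at(10))["decision"])  # allow
    print(decide(manager, report, "read", env_at(22))["decision"])  # deny
    print("\n".join(audit_lines()))
```

Deny-overrides means a matching deny wins even when an allow also matches, which is what lets a single "out of hours" rule fence off sensitive data regardless of who owns it; default deny means a request no policy speaks to is refused and still produces an audit record with an empty matched_policies list, which is exactly the entry an investigator wants to see when probing for misconfigured access.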

Need a secure permission system? 🛡️

We design RBAC systems with proper role hierarchy, row-level security, and audit logging.
