Implement RBAC using Tesseral
This article explains how you can add RBAC to your app using Tesseral.
Sign up for Tesseral
If you haven’t already, sign up for Tesseral at console.tesseral.com and follow the Quickstart Guide.
Define Actions
Go to your Project’s Access Control settings. You will now define a set of Actions. Each Action represents a single conceptual operation your Users can perform in your app. Actions have a name and a description.
An Action’s name is the unique identifier for the Action. Later, when you add permission checks to your backend, you will reference the Action by its name.
An Action’s description is a human-readable description of the Action. It will be displayed to your Users to explain what the Action does.
You can create as many Actions as you want, and you can add more Actions later as your app develops further.
By way of example, your set of Actions might look like:
Define Roles
Once you have defined Actions, you can define Roles. A Role is a set of Actions, and Users can be assigned to Roles. Users can be assigned to multiple Roles.
In the previous step, you defined Actions. Each Action represents a fine-grained operation Now, you will define Roles. A Role is a set of Actions.
To define a new Role, click on “Create Role” at the top right of the “Roles” section. Give each Role a User-facing Display Name, then add Actions to the Role. You can add as many Actions as you want.
Using the same example from the previous step, you might define the following Roles:
Assign Users to Roles
Once you have defined Roles, you can assign Users to Roles. You can assign as many Users as you want to a Role, and you can assign a User to multiple Roles.
Your customers can assign their own Users to Roles, or you can assign Users to Roles yourself from the Tesseral Console.
To assign a User to a Role from the Tesseral Console, go to the Organizations page in the Tesseral Console. Find the User’s Organization and then navigate to the User’s Role tab.
From this User Roles tab, you can assign or unassign the User to or from Roles.
Add permission checks to your backend
Now that you’ve defined Roles and Users, you can add permission checks to your backend. Use the Tesseral SDK for your backend language to enforce permission checks in your product.
Express.js
Flask
FastAPI
Django
Go
Axum
Next.js
If you haven’t already, follow the Express.js Quickstart Guide.
Any time you need to check whether the current User is allowed to perform an
action, use hasPermission
:
Replace acme.widgets.delete
with the name of one of the Actions you defined
previously. Add hasPermission
checks everywhere in your backend where you
need to enforce permissions.
(Optional) Add permission checks to your frontend
Adding permission checks to your frontend is optional. If you don’t want to enforce permissions in your frontend, you can skip this step. The advantage of adding permission checks to your frontend is that you can display a more user-friendly error message to your Users if they are not allowed to perform an action.
You can add permission checks to your frontend using the Tesseral SDK for your frontend language.
React
Svelte
Next.js
If you haven’t already, follow the React Quickstart Guide.
Any time you want to check for permissions from your frontend, call
useHasPermission
:
Replace acme.widgets.delete
with the name of one of the Actions you defined
previously. Add useHasPermission
checks everywhere in your frontend where you
need to enforce permissions.
Advanced Usage
Custom Roles
Once you’ve implemented RBAC, you do not need to make any code changes to support custom Roles.
In the previous steps, you defined Roles available to all Organizations in your Project. If an Organization wants to define their own Roles, you can enable Custom Roles for that Organization from the Tesseral Console.
After you have enabled Custom Roles for an Organization, your customers can create their own Roles, or you can create those custom Roles yourself from the Tesseral Console.
To enable Custom Roles for an Organization, go to the Organizations page in the Tesseral Console. Under the Organization’s Roles tab, enable Custom Roles.
To create a Custom Role for an Organization, go to that Organization’s Roles tab and click on “Create Role”. Custom Roles work just like ordinary Roles, except they only exist for a single Organization.
You do not need to change your backend or frontend permission checks to handle Custom Roles.
Assigning API Keys to Roles
If you’re using API Keys, you don’t need to make any code changes to have RBAC support for API Keys.
If you’re using API Keys, you can assign API Keys to Roles. This allows your customers to define API Keys with specific permissions.
After you’ve enabled API Keys for your Project, your customers can assign their own API Keys to Roles, or you can assign API Keys to Roles yourself from the Tesseral Console.
To assign an API Key to a Role from the Tesseral Console, go to the Organizations page in the Tesseral Console. Find the Organization the API Key belongs to, and then navigate to the API Key’s Role tab.