
    RBAC Access Control System Implementation with FusionAuth

      apetrescu

      Hello,

      We are trying to implement an RBAC (Role-Based Access Control) system using FusionAuth. I have described our requirements and concerns below, and I would greatly appreciate your help on how to best address these needs.

      Our current setup involves Users who can have access to multiple Companies through the use of CompanyUsers. Additionally, Companies can have multiple Workspaces, and Users may have access to multiple Workspaces within the same Company or across multiple Companies.

      Based on my understanding, it seems that we cannot utilize the Tenant model for our RBAC implementation. Could you kindly confirm whether this is the case? And if my understanding is incorrect, could you please advise on how to achieve the expected data modelling using Tenants?

      Given this context, it looks like our only viable option is to use Entities. We plan to have multiple EntityTypes, such as Company, Workspace and ServiceAccount. These EntityTypes will have associated Permissions, represented as strings (e.g., "users.index," "users.create," etc.). We intend to provide entity Permissions to Users through entity Grants.

      However, there are a few issues we have identified with this approach. Firstly, FusionAuth does not currently offer entity Roles, making it challenging to efficiently assign Permissions in bulk. It seems we would need to maintain separate Role and Permission models on our end for this purpose. The same issue applies to deleting Permissions. Furthermore, if a User has multiple Roles within a Company, such as "CompanyAdmin" and "CompanyManager," both of which have the "users.create" Permission, removing the "CompanyAdmin" Role would result in the User losing the "users.create" privilege, even if they still retain the "CompanyManager" Role.

      Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

      Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

      Thank you very much for your time and we're looking forward to your suggestions.

      Kind regards,
      Andrei

        dan @apetrescu

        @apetrescu Sounds like a fun problem!

        You are correct that entities are the best approach for this while staying entirely within FusionAuth. We don't have a lot of guidance on best practices around entities that I can share, unfortunately.

        > Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

        You might think about making an intermediate entity such as CompanyAbcAdminRole or CompanyAbcManagerRole, which would have permissions for admin or manager actions on CompanyAbc. Then you could atomically grant or remove CompanyAbcAdminRole to a user while leaving CompanyAbcManagerRole assigned.

        > Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

        Why would you need to do so? Is your user going to be accessing all the Companies at one time? In this case, I might offer the user the ability to choose a Company to 'enter' and create a JWT based on that action. You'd create a Company 'chooser' based on their grants to allow them to pick between the companies they know about.

        If you'd like to discuss this more, consider talking to our sales engineers.

        Another option is to, as you said, not use FusionAuth entities. You could instead use FusionAuth for authentication, then feed the resulting JWT into a solution like permit.io, cerbos or oso (or something home grown). You'd use that other system as the authorization solution.

        Hope this helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
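
The role-entity grants and the per-company token suggested in the reply above, modelled in memory as an added example (not code from the original posts or from FusionAuth; it makes no FusionAuth API calls). The `GrantStore` class, the role table and the `company`/`permissions` claim names are assumptions for illustration.

```python
import time

# Constructed role entities: (company, role) -> permissions that role carries.
ROLE_ENTITIES = {
    ("CompanyAbc", "Admin"): {"users.index", "users.create", "users.delete"},
    ("CompanyAbc", "Manager"): {"users.index", "users.create"},
    ("CompanyXyz", "Manager"): {"users.index"},
}


class GrantStore:
    """Hypothetical in-memory stand-in for grants of role entities to users."""

    def __init__(self):
        self._grants = {}  # user_id -> {(company, role), ...}

    def grant(self, user_id, company, role):
        if (company, role) not in ROLE_ENTITIES:
            raise KeyError(f"unknown role entity {company}/{role}")
        self._grants.setdefault(user_id, set()).add((company, role))

    def revoke(self, user_id, company, role):
        # Removes one role grant only; other roles in the company are untouched.
        self._grants.get(user_id, set()).discard((company, role))

    def companies(self, user_id):
        """Data for the company 'chooser': companies the user holds a grant in."""
        return sorted({c for c, _ in self._grants.get(user_id, ())})

    def permissions(self, user_id, company):
        """Union of permissions over the roles still granted in one company."""
        perms = set()
        for c, role in self._grants.get(user_id, ()):
            if c == company:
                perms |= ROLE_ENTITIES[(c, role)]
        return perms

    def scoped_claims(self, user_id, company, ttl=300):
        """Claims for a token minted when the user 'enters' one company."""
        perms = self.permissions(user_id, company)
        if not perms:
            raise PermissionError(f"{user_id} has no grant in {company}")
        now = int(time.time())
        return {"sub": user_id, "company": company,
                "permissions": sorted(perms), "iat": now, "exp": now + ttl}
```

Because permissions are derived from the role grants at mint time, revoking one role never strips a permission another role still provides. A token already issued keeps its permissions until `exp`, so the `ttl` bounds how long a revoked role stays usable.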
