FusionAuth

    Posts made by apetrescu

    • RBAC Access Control System Implementation with FusionAuth

      Hello,

      We are trying to implement an RBAC (Role-Based Access Control) system using FusionAuth. I have described our requirements and concerns below, and I would greatly appreciate your help on how to best address these needs.

      Our current setup involves Users who can have access to multiple Companies through the use of CompanyUsers. Additionally, Companies can have multiple Workspaces, and Users may have access to multiple Workspaces within the same Company or across multiple Companies.

      Based on my understanding, it seems that we cannot utilize the Tenant model for our RBAC implementation. Could you kindly confirm whether this is the case? And if my understanding is incorrect, could you please advise on how to achieve the expected data modelling using Tenants?

      Given this context, it looks like our only viable option is to use Entities. We plan to have multiple EntityTypes, such as Company, Workspace and ServiceAccount. These EntityTypes will have associated Permissions, represented as strings (e.g., "users.index," "users.create," etc.). We intend to provide entity Permissions to Users through entity Grants.

      However, there are a few issues we have identified with this approach. Firstly, FusionAuth does not currently offer entity Roles, making it challenging to efficiently assign Permissions in bulk. It seems we would need to maintain separate Role and Permission models on our end for this purpose. The same issue applies to deleting Permissions. Furthermore, if a User has multiple Roles within a Company, such as "CompanyAdmin" and "CompanyManager," both of which have the "users.create" Permission, removing the "CompanyAdmin" Role would result in the User losing the "users.create" privilege, even if they still retain the "CompanyManager" Role.

      Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

      Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

      Thank you very much for your time and we're looking forward to your suggestions.

      Kind regards,
      Andrei

      posted in Q&A
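The role-overlap problem described in the post, as an added example that is not part of the original post and is not FusionAuth code: the application keeps its own role catalogue, and on every role change recomputes the permission set for a (user, entity) pair as the union of the roles still held, rather than subtracting the removed role's permissions. The `Membership` class, the function names, the `users.delete` permission and the sample IDs are assumptions made for illustration; no FusionAuth API is called, and writing the resulting set to the entity grant is left to the caller.

```python
from dataclasses import dataclass, field

# Hypothetical application-side role catalogue (role name -> permission strings).
# Role names and "users.index"/"users.create" come from the post;
# "users.delete" is constructed so the two roles differ.
ROLES = {
    "CompanyAdmin": {"users.index", "users.create", "users.delete"},
    "CompanyManager": {"users.index", "users.create"},
}

@dataclass
class Membership:
    """Roles one user holds on one entity (e.g. a Company), kept in the app's own store."""
    user_id: str
    entity_id: str
    roles: set = field(default_factory=set)

def effective_permissions(membership, roles=ROLES):
    """Union of the permissions of every role still held; unknown roles fail closed."""
    perms = set()
    for name in membership.roles:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        perms |= roles[name]
    return perms

def plan_grant_update(membership, current_grant, roles=ROLES):
    """Diff the permissions currently on the grant against the recomputed set."""
    desired = effective_permissions(membership, roles)
    return {
        "desired": desired,
        "add": desired - current_grant,
        "remove": current_grant - desired,
        "delete_grant": not desired,  # no roles left: drop the grant entirely
    }

def revoke_role(membership, role, current_grant, roles=ROLES):
    """Drop one role, then recompute from the remaining roles instead of
    subtracting the removed role's permissions from the grant."""
    membership.roles.discard(role)
    return plan_grant_update(membership, current_grant, roles)

if __name__ == "__main__":
    # Constructed sample: one user holding both roles on one company.
    m = Membership("user-1", "company-42", {"CompanyAdmin", "CompanyManager"})
    plan = revoke_role(m, "CompanyAdmin", effective_permissions(m))
    print(sorted(plan["remove"]), sorted(plan["desired"]))
```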