I need to implement RBAC in a project I'm working on, and I'm fairly new to the concept. I am trying to figure out the best way to implement it.

The most common approach seems to be to create roles and permissions and link them together through the code. I have explored a couple of libraries to do it, such as CASL and accesscontrol, but it seems to me that they lack the ability to quickly add and remove permissions and roles.

The second approach is to add tables in the database and check with each request the permissions a given user has before authorisation. This seems like a waste, as for each request there's an extra call to the database. Or maybe I could store the permissions in the headers, but this approach would expose the permissions to the client.

What is the most suitable approach?

Christophe
user3353167

1 Answer

2

Do you need the set of roles and the mappings to be controlled by a user or is it something that can be fixed at compile time? If they need to be configurable, then you'll need to store them in some persistent data store like a database.

If they are configurable and stored in a database, what level of staleness is acceptable? If no staleness whatsoever is acceptable, then yes, you would need to query for the role-permission mappings on every request. If some staleness is acceptable, caching can help you reduce the performance cost. There are a few different ways that you could implement caching:

  • The role-permission mappings are bound for a specific user at login time and cached for the duration of the session. This approach mainly makes sense for applications where the role-permission mappings are changed infrequently and users usually have short sessions.
  • The role-permission mappings can be cached for a certain amount of time (e.g. five minutes) and then queried from the database once the cached values are expired. This approach makes more sense for cases where the role-permission mappings change frequently or users have long session durations.
  • If you have an eventing infrastructure that supports it, you could invalidate/repopulate the permissions mappings in the cache whenever an administrator changes the permissions through the UI.

I have used most of these approaches on various projects in the past. Choosing the appropriate one for your project is a matter of balancing the complexity of the implementation with the security requirements of how you expect the system to be used.

  • I'm not expecting the roles or permissions to change very often, nor even often for that matter. I'm wondering whether perhaps I could init the perms and roles in the database, and keep them in memory for the whole life of the service. I could refresh them only when a new role or permission is being added / removed. Any thoughts on that? – user3353167 Jan 25 '22 at 20:51
  • 1
    Assuming that you have a way to refresh the data when roles/permissions change, that seems reasonable. In nearly every system I've worked on the roles/permissions change very infrequently (maybe a couple times a year), so there has always been some sort of caching. – Dennis Smith Jan 26 '22 at 01:32
  • Thanks Dennis, you really helped getting my head around it – user3353167 Jan 26 '22 at 10:13
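The second and third caching strategies from the answer (a time-bounded cache of the role-permission mappings, plus explicit invalidation when an administrator changes them) and the "keep them in memory, refresh on change" variant discussed in the comments can be combined in one small component. The following is an added example written for this page, not code from the answerer or from either of the libraries mentioned in the question. The `FakeDb`, `FakeClock`, the role and permission names, and the `admin_grant` helper are all constructed here so the example runs offline; a real service would replace `FakeDb` with its own data access layer and keep the user's roles in the server-side session rather than in a client-visible header.

```python
import time
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# Constructed sample tables standing in for the real role/permission storage.
ROLE_PERMISSIONS: Dict[str, set] = {
    "admin": {"user:read", "user:write", "report:read"},
    "analyst": {"report:read"},
}


class FakeDb:
    """Stand-in for the database; counts queries so the caching effect is visible."""

    def __init__(self, role_permissions: Dict[str, set]):
        self._table = {r: set(p) for r, p in role_permissions.items()}
        self.queries = 0

    def load_role_permissions(self) -> Dict[str, FrozenSet[str]]:
        self.queries += 1
        return {r: frozenset(p) for r, p in self._table.items()}

    def grant(self, role: str, permission: str) -> None:
        self._table.setdefault(role, set()).add(permission)


class PermissionCache:
    """Holds the role->permission map in memory, reloading it after a TTL
    or when invalidate() is called after an administrative change."""

    def __init__(self, db: FakeDb, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._db = db
        self._ttl = ttl_seconds
        self._clock = clock
        self._mapping: Optional[Dict[str, FrozenSet[str]]] = None
        self._loaded_at = 0.0

    def _stale(self) -> bool:
        return self._mapping is None or self._clock() - self._loaded_at >= self._ttl

    def role_permissions(self) -> Dict[str, FrozenSet[str]]:
        if self._stale():
            self._mapping = self._db.load_role_permissions()
            self._loaded_at = self._clock()
        return self._mapping

    def invalidate(self) -> None:
        """Drop the cached map so the next check reloads it (event-driven refresh)."""
        self._mapping = None

    def has_permission(self, roles: Iterable[str], permission: str) -> bool:
        # Unknown roles grant nothing: the check fails closed.
        mapping = self.role_permissions()
        return any(permission in mapping.get(role, frozenset()) for role in roles)


class FakeClock:
    """Controllable clock so the TTL behaviour can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def admin_grant(db: FakeDb, cache: PermissionCache, role: str, permission: str) -> None:
    """Hypothetical admin-UI handler: persist the change, then invalidate the cache."""
    db.grant(role, permission)
    cache.invalidate()


def demo() -> Dict[str, object]:
    db = FakeDb(ROLE_PERMISSIONS)
    clock = FakeClock()
    cache = PermissionCache(db, ttl_seconds=300.0, clock=clock)
    # Roles bound to the session at login; never taken from a client-supplied header.
    session_roles = {"alice": frozenset({"admin"}), "bob": frozenset({"analyst"})}
    results: Dict[str, object] = {}
    results["alice_write"] = cache.has_permission(session_roles["alice"], "user:write")
    results["bob_write"] = cache.has_permission(session_roles["bob"], "user:write")
    results["queries_after_two_checks"] = db.queries      # one load served both checks
    clock.advance(301)                                    # past the five-minute TTL
    cache.has_permission(session_roles["bob"], "report:read")
    results["queries_after_ttl"] = db.queries             # reloaded once
    admin_grant(db, cache, "analyst", "user:write")       # change + invalidate
    results["bob_write_after_grant"] = cache.has_permission(session_roles["bob"], "user:write")
    results["queries_after_invalidate"] = db.queries      # reloaded again
    results["unknown_role"] = cache.has_permission({"ghost"}, "user:read")
    return results


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long a revoked permission can remain effective when the invalidation path is missed (for instance in a second service instance that did not receive the event), so the two mechanisms are complementary rather than alternatives. Only the role-permission map is cached; which roles a user holds comes from the server-side session, so nothing authorization-relevant is trusted from the client.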