Why Flat Permission Systems Fail
Small applications often use simple boolean flags — isAdmin: true. As products grow, these break down. Marketing managers need to publish content but not manage billing. Customer support needs to read orders but not issue refunds. A proper Role-Based Access Control (RBAC) system handles this gracefully.
The Three RBAC Components
- Subjects: Users or service accounts that need access.
- Resources: Data or API endpoints being protected.
- Permissions: Actions allowed on resources (create, read, update, delete).
// Example RBAC middleware check
function requirePermission(resource, action) {
return (req, res, next) => {
const userRole = req.user.role;
if (permissions[userRole]?.[resource]?.includes(action)) {
return next();
}
return res.status(403).json({ error: "Forbidden" });
};
}
Attribute-Based Access Control (ABAC)
For complex scenarios, extend RBAC with attribute-based rules — a user can edit a document only if they created it, or a manager can approve requests only from their own department.