Monday, 23 March 2020

How to setup Role-Based Access Control for web app with multiple resources/namespaces?

I work in NodeJS with ExpressJS and I'm rather new to the concept of RBAC, and I'm trying to wrap my head around one specific scenario. I've been researching this for a while by reviewing online guides and have been unable to figure one detail out.

Consider this scenario: There is a company that has a web app it sells as a service to clients. The web app serves BOTH clients and employees of the company. Clients can only view their account:

/app/clientAccounts/:id/dashboard/

whereas employees of the company can view multiple clients (but maybe not ALL clients):

/app/clientAccounts/1/dashboard/
/app/clientAccounts/2/dashboard/
etc.

Users can be either employees or clients; the only data the user object contains is email, password, and roles. The client account data is stored separately.

My understanding is that the ClientAccount ID route represents a 'resource' or 'namespace'. Is this correct?

My main question is: how does one address Employees viewing a subset of client accounts? I believe I understand how Roles and Permissions can be defined and stored in memory. However, this selective assignment of resource access seems like it requires a DB to be managed.

Finally, if my proposed scenario is illogical or a bad idea because of my lack of knowledge, please let me know.

Thanks!
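The pattern the question describes, as an added example (not the poster's code, and not tied to any particular library): roles carry permissions on a resource type, and a separate per-user scope decides which individual clientAccount ids a role may reach. The role and permission tables live in memory; the per-employee grants are a stand-in for the database table the poster suspects is needed. User shapes, role names, the `accountGrants` map and the `requireAccess` middleware are all assumptions made for this example.

```javascript
// Added example (not the poster's code): role permissions combined with a
// per-user resource scope, so an employee only reaches the client accounts
// they have been granted. All names and data shapes here are assumptions.

// What each role may do to each resource type (anything not listed is denied).
const ROLE_PERMISSIONS = {
  client:   { clientAccount: ['read'] },
  employee: { clientAccount: ['read', 'update'] },
  admin:    { clientAccount: ['read', 'update', 'delete'] },
};

// How each role is scoped to individual clientAccount ids:
//   'own'     -> only the account id stored on the user object
//   'granted' -> ids found in the grants table (a DB table in production)
//   'all'     -> every account
const ROLE_SCOPE = { client: 'own', employee: 'granted', admin: 'all' };

// Constructed stand-in for a DB table: user email -> set of clientAccount ids.
const accountGrants = new Map([
  ['bob@company.example', new Set(['1', '2'])],
]);

// Constructed sample users. The user object holds only email, roles and, for
// clients, the id of their own account (passwords omitted here).
const users = {
  alice: { email: 'alice@client.example', roles: ['client'], clientAccountId: 7 },
  bob:   { email: 'bob@company.example', roles: ['employee'] },
  carol: { email: 'carol@company.example', roles: ['admin'] },
  dave:  { email: 'dave@nowhere.example', roles: [] },
};

function hasPermission(role, resourceType, action) {
  const actions = (ROLE_PERMISSIONS[role] || {})[resourceType] || [];
  return actions.includes(action);
}

function isInScope(role, user, resourceId, grants) {
  // Compare ids as strings: route params arrive as strings, DB ids may be numbers.
  const id = String(resourceId);
  switch (ROLE_SCOPE[role]) {
    case 'all':     return true;
    case 'own':     return user.clientAccountId !== undefined && String(user.clientAccountId) === id;
    case 'granted': return (grants.get(user.email) || new Set()).has(id);
    default:        return false; // unknown role or scope: deny
  }
}

// A user is allowed when at least one of their roles both permits the action
// and places the requested resource inside that role's scope.
function authorize(user, action, resourceType, resourceId, grants = accountGrants) {
  if (!user || !Array.isArray(user.roles) || user.roles.length === 0) {
    return { allowed: false, reason: 'no roles' };
  }
  for (const role of user.roles) {
    if (!hasPermission(role, resourceType, action)) continue;
    if (isInScope(role, user, resourceId, grants)) {
      return { allowed: true, reason: `role ${role}` };
    }
  }
  return { allowed: false, reason: `no role grants ${action} on ${resourceType}/${resourceId}` };
}

// Express-style middleware factory, written as a plain function so it runs
// without Express. Intended use (assumed route shape from the question):
//   app.get('/app/clientAccounts/:id/dashboard',
//           requireAccess('read', 'clientAccount'), dashboardHandler);
function requireAccess(action, resourceType) {
  return (req, res, next) => {
    const decision = authorize(req.user, action, resourceType, req.params.id);
    if (!decision.allowed) {
      res.status(403).json({ error: 'forbidden', detail: decision.reason });
      return;
    }
    next();
  };
}
```

The check is deny-by-default: a user with no roles, an unknown role, a role without the permission, or a resource outside the role's scope all get 403. Because the decision is made per role, a user holding both `client` and `employee` can reach their own account plus the granted ones, and adding a new client account changes only the grants table, not the role definitions.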
