Implementing Access Control in Node.JS
TL;DR — Check out Casl, which supports both approaches. Read on if you are curious about the terminology and which one to implement.
Quick Recap: RBAC
Role-Based Access Control is a way of controlling what resources a user can create/read/update/delete given their role(s).
Example:
- Any user can view any post.
- Any user can edit their own post.
- Admin user can edit anyone’s post.
- Admin user can create groups.
- Admin user can attach/remove any user to/from a group.
When working with a resource on the server, we check that user’s role attribute against a role-to-permission mapping to decide whether they can perform the action or not.
Quick Recap: ABAC
Attribute-Based Access Control is a way of controlling what resources a user can create/read/update/delete, given attributes from the user/resource/execution context.
Example:
- Any user can view any user’s public post. (Check post’s visibility attributes)
- Any admin user can view any post, whether it is public or private.
- Any user can view their own private post. (Check post’s visibility attributes)
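The following is an added example, not code from the original post and not Casl: a small deny-by-default policy evaluator in plain Node.js that encodes the ABAC view rules above together with the edit/create rules from the RBAC list. Each rule is a condition over user and resource attributes, which shows that a role check is just an ABAC condition on `user.role`; the users, posts and the `can`/`visiblePosts` helpers are constructed for this example.

```javascript
// Added example (not from the original post, not Casl). Each rule grants one
// action on one subject type when its condition over (user, resource) holds.
const policy = [
  // ABAC: any admin can view any post, public or private.
  { action: 'view', subject: 'post', when: (user) => user.role === 'admin' },
  // ABAC: any user can view any user's public post (post visibility attribute).
  { action: 'view', subject: 'post', when: (_u, post) => post.visibility === 'public' },
  // ABAC: any user can view their own private post (ownership attribute).
  { action: 'view', subject: 'post', when: (user, post) => post.authorId === user.id },
  // RBAC list: any user can edit their own post; admin can edit anyone's post.
  { action: 'edit', subject: 'post', when: (user, post) => post.authorId === user.id },
  { action: 'edit', subject: 'post', when: (user) => user.role === 'admin' },
  // RBAC list: admin can create groups (pure role check, no resource needed).
  { action: 'create', subject: 'group', when: (user) => user.role === 'admin' },
];

// Deny by default: access is granted only if some rule for this action and
// subject type has a condition that evaluates to true for this user/resource.
function can(user, action, subject, resource = {}) {
  return policy.some(
    (rule) => rule.action === action && rule.subject === subject && rule.when(user, resource)
  );
}

// Typical server-side use: filter a list query down to what the caller may view.
function visiblePosts(user, posts) {
  return posts.filter((post) => can(user, 'view', 'post', post)).map((post) => post.id);
}

// Constructed sample data.
const alice = { id: 1, role: 'user' };
const bob = { id: 2, role: 'user' };
const admin = { id: 3, role: 'admin' };
const posts = [
  { id: 10, authorId: 1, visibility: 'public' },
  { id: 11, authorId: 1, visibility: 'private' },
  { id: 12, authorId: 2, visibility: 'private' },
];

console.log(visiblePosts(alice, posts)); // [10, 11]: public post + own private post
console.log(visiblePosts(bob, posts)); // [10, 12]
console.log(visiblePosts(admin, posts)); // [10, 11, 12]: admin sees everything
console.log(can(bob, 'edit', 'post', posts[1])); // false: not bob's post
console.log(can(admin, 'edit', 'post', posts[1])); // true
console.log(can(alice, 'create', 'group')); // false: role check fails
```

Because the evaluator is deny-by-default, a request for an action or subject type with no matching rule (or a resource missing the attributes a rule reads) is refused rather than silently allowed.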