Introduction to Authorization & Role-Based Access Control (RBAC)
Last updated: 3/7/2025
Introduction
In the previous lessons, we implemented authentication, which verifies who a user is.
Now, we need authorization, which controls what a user can do.
In this lesson, you'll learn:
- What authorization is and why it's important.
- The difference between authentication and authorization.
- How Role-Based Access Control (RBAC) works.
- Different authorization strategies for APIs.
1. What is Authorization?
Authorization determines what actions a user is allowed to perform after being authenticated.
Example:
- A regular user can only access their own todos.
- An admin can manage all users' todos.
Without proper authorization, any authenticated user could read or delete another user's todos simply by guessing the todo's id (an insecure direct object reference). Every request therefore has to check two things: whether the caller's role permits the action at all, and whether the caller is allowed to touch that particular object.
2. Authentication vs. Authorization
- Authentication: verifies who you are (login).
- Authorization: verifies what you can do (permissions).
Feature | Authentication | Authorization |
---|---|---|
Purpose | Identifies a user | Controls user actions |
Happens When? | Before authorization | After authentication |
Example | Logging in with a password | Checking if a user can access an admin page |
Technologies | Passwords, MFA, session cookies or JWTs, OpenID Connect | RBAC, ABAC, permission checks |
3. Authorization Strategies in APIs
There are different ways to control user access:
1. Role-Based Access Control (RBAC)
- Users have predefined roles (e.g., admin, user).
- Permissions are assigned based on roles.
Example:
Role | Actions Allowed |
---|---|
Admin | Manage all users & todos |
User | Manage only their own todos |
2. Attribute-Based Access Control (ABAC)
- Access is granted based on attributes of the subject, the resource, and the request (e.g., department, location, time of day).
- More flexible than RBAC, at the cost of policies that are harder to enumerate and audit.
Example:
- A user from HR can access employee records.
- A manager can approve requests in their department.
3. Permission-Based Authorization
- Instead of assigning roles, users are granted specific permissions directly.
- More fine-grained control than RBAC, but the permission sets become hard to keep consistent as users grow, which is why roles are usually used as named bundles of permissions.
Example:
User | Permissions |
---|---|
Alice | can_create_todos , can_edit_own_todos |
Bob (Admin) | can_create_todos , can_edit_all_todos , can_delete_users |
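To make the three strategies concrete, here is an added example (not the TodoList project's code) that answers "may this user perform this action?" three ways: a role-to-permission table (RBAC), permissions stored directly on the user record, and ABAC predicates over subject and resource attributes. The permission strings come from the tables above; the role names, the ABAC attributes (`department`, `isManager`) and the sample users are constructed for illustration.

```javascript
// Added example for this lesson (not the TodoList project's own code).
// Three ways to answer "may this user perform this action?":
// RBAC, permission-based, and ABAC. Role names, ABAC attributes and the
// sample users below are constructed for illustration.

// 1. RBAC: a role is a named bundle of permissions, looked up at check time.
const ROLE_PERMISSIONS = {
  user: new Set(["can_create_todos", "can_edit_own_todos"]),
  admin: new Set(["can_create_todos", "can_edit_all_todos", "can_delete_users"]),
};

function rbacAllows(user, permission) {
  const perms = ROLE_PERMISSIONS[user.role];
  // Unknown or missing role: deny by default rather than fall through.
  return perms !== undefined && perms.has(permission);
}

// 2. Permission-based: permissions are stored on the user record itself.
function permissionAllows(user, permission) {
  return Array.isArray(user.permissions) && user.permissions.includes(permission);
}

// 3. ABAC: each policy is a predicate over subject, action and resource attributes.
//    Access is granted if any policy matches; otherwise it is denied.
const ABAC_POLICIES = [
  // HR staff may read employee records.
  (subject, action, resource) =>
    action === "read" && resource.type === "employee_record" && subject.department === "HR",
  // Managers may approve requests raised in their own department only.
  (subject, action, resource) =>
    action === "approve" && resource.type === "request" &&
    subject.isManager === true && subject.department === resource.department,
];

function abacAllows(subject, action, resource) {
  return ABAC_POLICIES.some((policy) => policy(subject, action, resource));
}

// Constructed sample subjects, matching the lesson's tables.
const alice = { name: "Alice", role: "user", permissions: ["can_create_todos", "can_edit_own_todos"] };
const bob = { name: "Bob", role: "admin", permissions: ["can_create_todos", "can_edit_all_todos", "can_delete_users"] };
const hrClerk = { name: "Carol", department: "HR", isManager: false };
const salesManager = { name: "Dan", department: "Sales", isManager: true };

function demo() {
  return {
    rbac: {
      aliceDeletesUsers: rbacAllows(alice, "can_delete_users"),            // false
      bobDeletesUsers: rbacAllows(bob, "can_delete_users"),                // true
      unknownRole: rbacAllows({ role: "superuser" }, "can_create_todos"),   // false: deny by default
    },
    permission: {
      aliceEditsAll: permissionAllows(alice, "can_edit_all_todos"),        // false
      bobEditsAll: permissionAllows(bob, "can_edit_all_todos"),            // true
    },
    abac: {
      hrReadsRecord: abacAllows(hrClerk, "read", { type: "employee_record" }),                          // true
      salesReadsRecord: abacAllows(salesManager, "read", { type: "employee_record" }),                  // false
      managerApprovesOwnDept: abacAllows(salesManager, "approve", { type: "request", department: "Sales" }), // true
      managerApprovesOtherDept: abacAllows(salesManager, "approve", { type: "request", department: "HR" }),  // false
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that every checker denies when nothing matches: an unknown role, a missing permissions array, or an action no ABAC policy covers all evaluate to `false`. Deny-by-default is the property that matters most when a new route or role is added and someone forgets to update the policy.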
4. Role-Based Access Control (RBAC) in a TodoList API
We'll assign roles and protect routes in the next lesson.
Users Table (MongoDB)
```json
{
  "_id": "656a7f3bc4d91b0012a8d849",
  "name": "Alice",
  "email": "alice@example.com",
  "password": "hashedpassword",
  "role": "user"
}
```
Admins will have access to more routes:
Endpoint | User | Admin |
---|---|---|
GET /todos (own todos) | Allowed | Allowed |
DELETE /users/:id | Denied | Allowed |
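The endpoint matrix above needs two kinds of checks when it is enforced: a per-route role check (`DELETE /users/:id` is admin-only) and a per-object ownership check (a user may delete only their own todo, an admin any todo). The following added example (not the lesson's own implementation, which comes in the next lesson) shows both as Express-style `(req, res, next)` handlers. To keep the file runnable with plain `node` and no dependencies, a tiny dispatcher stands in for Express; the users, todos, route list and `_id` values are constructed for illustration, and it is assumed that the authentication middleware from the earlier lessons has already set `req.user` from the verified token's subject.

```javascript
// Added example for this lesson (not the TodoList project's own code).
// Enforces the endpoint table: a role check per route plus an ownership check
// per object. Express-style (req, res, next) handlers are run by a tiny
// dispatcher here so the file runs with plain `node`; the users, todos and
// _id values are constructed for illustration.

const USERS = [
  { _id: "656a7f3bc4d91b0012a8d849", name: "Alice", role: "user" },
  { _id: "656a7f3bc4d91b0012a8d850", name: "Bob", role: "admin" },
];
const TODOS = [
  { _id: "t1", owner: "656a7f3bc4d91b0012a8d849", title: "Buy milk" },
  { _id: "t2", owner: "656a7f3bc4d91b0012a8d850", title: "Review PRs" },
];

// Assumed: the authentication middleware has already verified the token and set
// req.user to the caller's database record. The role is read from that record,
// never from the request body, query string or an unverified client-supplied claim.
function requireRole(...allowedRoles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: "authentication required" });
    if (!allowedRoles.includes(req.user.role)) return res.status(403).json({ error: "forbidden" });
    return next();
  };
}

// Object-level check: a user may act only on their own todo, an admin on any.
// A non-owner gets 404 rather than 403 so the response does not confirm that
// someone else's todo id exists.
function loadTodoForCaller(req, res, next) {
  const todo = TODOS.find((t) => t._id === req.params.id);
  const isOwner = todo !== undefined && todo.owner === req.user._id;
  if (!todo || (!isOwner && req.user.role !== "admin")) {
    return res.status(404).json({ error: "todo not found" });
  }
  req.todo = todo;
  return next();
}

function listTodos(req, res) {
  // Admins see every todo; users see only the ones they own.
  const visible = req.user.role === "admin" ? TODOS : TODOS.filter((t) => t.owner === req.user._id);
  return res.status(200).json(visible);
}

function deleteTodo(req, res) {
  // A real handler would remove req.todo from the collection here.
  return res.status(200).json({ deleted: req.todo._id });
}

function deleteUser(req, res) {
  return res.status(200).json({ deleted: req.params.id });
}

// Route table mirroring the lesson's endpoint matrix; unmatched paths get 404.
const ROUTES = [
  { method: "GET", pattern: /^\/todos$/, chain: [requireRole("user", "admin"), listTodos] },
  { method: "DELETE", pattern: /^\/todos\/([^/]+)$/, chain: [requireRole("user", "admin"), loadTodoForCaller, deleteTodo] },
  { method: "DELETE", pattern: /^\/users\/([^/]+)$/, chain: [requireRole("admin"), deleteUser] },
];

// Minimal stand-ins for Express's res object and middleware chaining.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

function handle(method, path, caller) {
  const res = makeRes();
  const route = ROUTES.find((r) => r.method === method && r.pattern.test(path));
  if (!route) return res.status(404).json({ error: "no such route" });
  const match = path.match(route.pattern);
  const req = { user: caller, params: { id: match[1] } };
  let i = 0;
  const next = () => { const fn = route.chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

const [alice, bob] = USERS;
console.log(handle("GET", "/todos", alice).body);                        // only Alice's todo
console.log(handle("DELETE", "/todos/t2", alice).statusCode);             // 404: not her todo
console.log(handle("DELETE", "/todos/t2", bob).statusCode);               // 200: admin may delete any
console.log(handle("DELETE", "/users/" + alice._id, alice).statusCode);   // 403: route is admin-only
console.log(handle("DELETE", "/users/" + alice._id, bob).statusCode);     // 200
console.log(handle("GET", "/todos", undefined).statusCode);               // 401: not authenticated
```

The role check alone is not enough: `DELETE /todos/:id` is allowed for the `user` role, so without `loadTodoForCaller` Alice could delete Bob's todo by sending `t2`. The ownership check is the part most often missing in real APIs.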
Summary
- Authorization controls what users can do in an API.
- RBAC assigns permissions based on roles (Admin/User).
- Fine-grained control is possible using ABAC or permission-based access.
Next Lesson: Implementing Role-Based Authorization in APIs
In the next lesson, we'll implement role-based authorization in our TodoList API!