RBAC and user entitlements in Frontegg
Designed to provide fine-grained authorization, fast deployment, and flexibility, Frontegg's variation of RBAC provides authorization based on user entitlements. The engine is divided into four distinct areas that control your users' access to resources, and it extends RBAC (Role-Based Access Control) principles with additional inputs beyond roles, such as features and plans. See the last section of this topic for more information.
What's RBAC?
Role-Based Access Control (RBAC) is a widely used model for controlling user access to resources. At its core, it is an access-control model that restricts access to resources based on the roles of individual users within an organization. Permissions are assigned to roles rather than to individual users, so each user can access only what is needed to perform their job function (the principle of least privilege).
Core principles of RBAC
- Role Assignment: A user can exercise a permission only if they have been assigned a role that carries it.
- Role Authorization: A user's active role must be one of the roles assigned to them; a user cannot activate a role they do not hold.
- Permission Authorization: A user can exercise only the permissions associated with their active role.
Types of RBAC
RBAC has several variants that fit different organizational structures.
- Core RBAC: The basic model includes role assignment, role authorization, and permission authorization.
- Hierarchical RBAC: Adds a role hierarchy in which roles inherit permissions from other roles (for example, an Admin role inheriting everything an Editor can do), allowing for more complex organizational structures.
- Constrained RBAC: Introduces separation of duties to prevent conflicts of interest by ensuring that no single user can hold, or activate at the same time, roles that together would let them perform conflicting tasks.
RBAC in Frontegg
At Frontegg, RBAC is integrated into our Entitlements engine, offering a more sophisticated form of RBAC that incorporates additional parameters such as Feature Flags and Plans (subscription levels) to make more nuanced access decisions. This approach aims to provide a holistic solution for access control needs, combining elements of both RBAC and ABAC (attribute-based access control): the role answers "what may this user do", while the plan and feature flags act as attributes that further gate the decision.
In Frontegg, roles and permissions are the fundamental components for managing user access and ensuring security within your application. Roles are collections of permissions that define what actions a user can perform. Each user can have one or more roles, and the union of those roles determines their access to the various parts of the application.
Permissions are specific actions that users can perform, such as reading, writing, or deleting data. Permissions are linked to roles, so when a user is assigned a role they automatically inherit all the permissions associated with that role. For example, an Admin role might include permissions to manage users, edit settings, and view audit logs, while a Read-Only role might only allow viewing data without making any changes.
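To make the three core principles, the three RBAC variants, and the roles-as-collections-of-permissions model above concrete, here is an added example of a small RBAC engine. It is illustration code written for this page, not Frontegg's Entitlements engine or any Frontegg SDK, and it does not model plans or feature flags. The role names (`read-only`, `editor`, `admin`, `auditor`), the permission strings, the users `alice` and `bob`, and the rule that Admin and Auditor are mutually exclusive are all constructed for the example.

```python
"""Minimal RBAC engine: Core (assign/activate/check), Hierarchical (inheritance)
and Constrained (static separation of duties). Added example, not Frontegg code."""
from dataclasses import dataclass, field


class RbacError(Exception):
    """Raised when an assignment or activation would violate an RBAC rule."""


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)  # roles whose permissions this role inherits


class RbacEngine:
    def __init__(self):
        self.roles = {}         # role name -> Role
        self.assignments = {}   # user -> set of assigned role names
        self.active = {}        # user -> set of roles activated in the current session
        self.conflicts = set()  # frozenset pairs of roles that no user may hold together

    def add_role(self, name, permissions=(), parents=()):
        unknown = set(parents) - set(self.roles)
        if unknown:
            raise RbacError(f"unknown parent role(s): {sorted(unknown)}")
        self.roles[name] = Role(name, set(permissions), set(parents))

    def add_conflict(self, role_a, role_b):
        """Constrained RBAC (static separation of duties): the two roles are
        mutually exclusive, so no single user may be assigned both."""
        self.conflicts.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Role Assignment: a user must hold a role before it can be activated."""
        if role not in self.roles:
            raise RbacError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((other, role)) in self.conflicts:
                raise RbacError(f"{role!r} conflicts with {other!r} already held by {user!r}")
        held.add(role)

    def revoke(self, user, role):
        """Revocation also drops the role from any active session, so a stale session cannot keep using it."""
        self.assignments.get(user, set()).discard(role)
        self.active.get(user, set()).discard(role)

    def activate(self, user, *roles):
        """Role Authorization: a session may activate only roles the user holds."""
        not_held = set(roles) - self.assignments.get(user, set())
        if not_held:
            raise RbacError(f"{user!r} does not hold {sorted(not_held)}")
        self.active[user] = set(roles)

    def effective_permissions(self, role):
        """Hierarchical RBAC: own permissions plus everything inherited via parents (cycle-safe)."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            perms |= self.roles[current].permissions
            stack.extend(self.roles[current].parents)
        return perms

    def check(self, user, permission):
        """Permission Authorization: only permissions reachable from the user's
        active roles are granted. No active session means no access at all."""
        return any(permission in self.effective_permissions(r)
                   for r in self.active.get(user, set()))


def build_sample_engine():
    """Constructed sample: Read-Only < Editor < Admin hierarchy, plus an Auditor
    role that must never be combined with Admin (separation of duties)."""
    engine = RbacEngine()
    engine.add_role("read-only", {"data:read"})
    engine.add_role("editor", {"data:write"}, parents={"read-only"})
    engine.add_role("admin", {"users:manage", "settings:edit", "audit:view"},
                    parents={"editor"})
    engine.add_role("auditor", {"audit:view"})
    engine.add_conflict("admin", "auditor")
    engine.assign("alice", "admin")
    engine.assign("bob", "read-only")
    engine.assign("bob", "auditor")
    return engine


if __name__ == "__main__":
    engine = build_sample_engine()
    engine.activate("bob", "read-only")
    print("bob data:read ->", engine.check("bob", "data:read"))    # True
    print("bob audit:view ->", engine.check("bob", "audit:view"))  # False: auditor not activated
```

Two design points worth noting: `check` returns `False` for a user with no active session rather than falling back to "all assigned roles", so the Role Authorization step cannot be skipped; and `revoke` clears the role from the active session as well as from the assignments, which is the deprovisioning behaviour you want so that a long-lived session does not retain access after an administrator removes the role.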