Role-Based Access Control (RBAC)

Manage user roles in the Squid backend to secure access to resources

Squid has been designed with security controls at its core to fit any enterprise use case. The Squid Console defines Admin and Developer roles and permissions out of the box, but Squid also offers the ability to further build and customize Role-Based Access Control (RBAC) capabilities to fit the unique requirements of your application.

This is a robust authorization mechanism suited to regulated industries, where strict compliance requirements call for fine-grained controls and permissions.

Setting up your RBAC

This guide explains how to use Squid's framework for a streamlined RBAC implementation.

Squid provides a built-in NoSQL database that lets you manage user roles for your application programmatically. You can use the users collection to store and manage these roles, without creating a new collection, and define as many role types as your application needs.

Whenever a user is added or deleted, you should update the users collection with their role. This is done using Squid's backend code. For instance, you may want to add a webhook or an executable that is called whenever a user's state changes.

Here is a basic example of how you might do that using a TypeScript decorator, assuming your auth provider offers webhooks for user changes:

Backend code
@webhook('userAdded')
async handleUserAdded(request: WebhookRequest) {
  // Reject calls that do not carry the shared secret configured for the auth provider
  const apiKey = request.headers['apiKey'];
  if (apiKey !== this.secrets['AUTH_PROVIDER_API_KEY']) {
    throw new Error('not authorized');
  }
  const userId = request.body.userId;
  const role = request.body.role;
  // Record the user's role in the users collection
  await this.squid.collection<User>('users').doc(userId).insert({userId, role});
}

// TODO - Implement webhooks for user updated and deleted

Authorizing based on user roles

With your users and their roles established in the users collection, you can then decide how to authorize requests based on these roles. This is done within the @secureCollection or other @secure functions in your backend code.

For example, if a client tries to read data from a collection, you can invoke a function decorated with @secureCollection to verify the user's role before granting access:

Backend code
@secureCollection('name_of_the_collection', 'id of the integration', 'read')
async secureReadCollection(request: SecureCollectionRequest): Promise<boolean> {
  const userId = this.getUserId();
  const user = await this.squid.collection<User>('users').doc(userId).snapshot();
  // A user with no entry in the users collection has no role and is denied
  const role = user?.role;

  // Check the role and decide whether to authorize the request
  return role === 'admin';
}
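The two snippets above show one webhook and one admin-only check. The following block is an added, framework-free example (it is not Squid's code and does not import the Squid SDK) that carries the same flow further: a permission matrix rather than a single hard-coded role, handlers for the added, updated and deleted user events the TODO mentions, and a deny-by-default authorize() function that covers the cases a @secureCollection handler has to get right (anonymous caller, user not yet in the users collection, role with no grant for the requested action). UserStore is an assumed in-memory stand-in for the users collection; the role and action names, the event names and the WebhookRequest shape are assumptions for illustration.

```typescript
// Added example: role store plus permission check mirroring this guide's flow.
// UserStore is a stand-in (assumption) for Squid's users collection.

type Role = 'admin' | 'editor' | 'viewer';
type Action = 'read' | 'write' | 'delete';
type UserEvent = 'userAdded' | 'userUpdated' | 'userDeleted';

interface User {
  userId: string;
  role: Role;
}

// Assumed shape of the auth provider's webhook call (headers + JSON body).
interface WebhookRequest {
  headers: Record<string, string | undefined>;
  body: Record<string, unknown>;
}

// Permission matrix. Deny-by-default: an action missing here is refused.
const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  admin: new Set<Action>(['read', 'write', 'delete']),
  editor: new Set<Action>(['read', 'write']),
  viewer: new Set<Action>(['read']),
};

// In-memory stand-in for the users collection (assumption, not the Squid SDK).
class UserStore {
  private readonly users = new Map<string, User>();

  upsert(userId: string, role: Role): void {
    this.users.set(userId, {userId, role});
  }

  remove(userId: string): void {
    this.users.delete(userId);
  }

  get(userId: string): User | undefined {
    return this.users.get(userId);
  }
}

// Type guard so an unexpected role string from the webhook body is rejected
// instead of being stored and silently matching nothing (or everything).
function isRole(value: unknown): value is Role {
  return value === 'admin' || value === 'editor' || value === 'viewer';
}

// One handler for all three lifecycle events. `secret` plays the part of
// this.secrets['AUTH_PROVIDER_API_KEY'] in the guide's webhook.
function handleUserEvent(
  store: UserStore,
  secret: string,
  event: UserEvent,
  request: WebhookRequest,
): void {
  if (request.headers['apiKey'] !== secret) {
    throw new Error('not authorized');
  }
  const userId = request.body['userId'];
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new Error('missing userId');
  }
  if (event === 'userDeleted') {
    // Removing the entry revokes every permission immediately.
    store.remove(userId);
    return;
  }
  const role = request.body['role'];
  if (!isRole(role)) {
    throw new Error(`unknown role: ${String(role)}`);
  }
  store.upsert(userId, role);
}

// The decision a @secureCollection handler would return. Every failure path
// returns false; only an explicit grant in the matrix returns true.
function authorize(store: UserStore, userId: string | undefined, action: Action): boolean {
  if (!userId) {
    return false; // anonymous request
  }
  const user = store.get(userId);
  if (!user) {
    return false; // user not (yet) present in the users collection
  }
  return PERMISSIONS[user.role].has(action);
}

// Usage with constructed sample data.
const demoStore = new UserStore();
const demoSecret = 'constructed-demo-secret';
handleUserEvent(demoStore, demoSecret, 'userAdded', {
  headers: {apiKey: demoSecret},
  body: {userId: 'alice', role: 'editor'},
});
console.log('alice write:', authorize(demoStore, 'alice', 'write'));   // true
console.log('alice delete:', authorize(demoStore, 'alice', 'delete')); // false
```

In a real @secureCollection handler the lookup against UserStore becomes the snapshot() call shown above and the returned boolean is the handler's result. The shared-secret comparison is written with !== to match the guide; for a production webhook, compare secrets with a constant-time function such as Node's crypto.timingSafeEqual.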

In conclusion, Squid equips you with the necessary tools and flexibility to implement a custom RBAC system that aligns with your specific needs. The combination of a users collection, backend code, and the Client SDK puts you in control of a secure and efficient RBAC system for your applications.