Rails. Role Based Access Control

Hi @derek1,

Welcome to the Community!

RBAC is possible with a regular web app or SPA+API, it doesn’t matter.

It sounds like you may have looked at the examples where roles are associated with permissions in an API, but you don’t have to assign specific permissions to roles.

Here is an example of how you can use roles in a regular web app:

  • A user (who you have already assigned a role) authenticates/logs in through your Auth0 hosted login page
  • Rules are run after successful authentication, adding the user’s existing roles to the ID and Access Tokens
  • The tokens are returned to your Rails server, your server decodes and verifies the token, then looks at the roles claim assigned in the rule. This allows the user to perform role-specific actions, based on the claims in the token. (e.g. an accountant role lets the user read/update the accounts table in your DB)

Let me know if that makes sense,
Dan
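As an added example (not from Dan's reply, and not Auth0's own SDK code), here is the server-side step of that flow in plain Ruby: verify the token's signature and expiry, then read the roles claim a rule put in it and make the authorization decision from that. It assumes an HS256-signed token with a constructed secret, and assumes the rule writes roles under the namespaced claim `https://example.com/roles`; a real Rails app would normally use a maintained JWT library and Auth0's signing key instead.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret and claim name for this example; the claim name is assumed
# to be the namespaced claim the Auth0 rule writes the user's roles under.
SECRET = "constructed-demo-secret".freeze
ROLES_CLAIM = "https://example.com/roles".freeze

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Builds an HS256 token the way the issuer would; used only to construct input.
def issue_token(claims, secret = SECRET)
  header = b64url(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns the claims only if the signature and expiry check out.
def verified_claims(token, secret = SECRET, now = Time.now.to_i)
  parts = token.split(".")
  return nil unless parts.size == 3
  header, payload, sig = parts
  return nil unless JSON.parse(Base64.urlsafe_decode64(header))["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue StandardError # malformed base64 or JSON in any of the three parts
  nil
end

# The authorization decision a controller makes from the verified claims.
def role?(claims, role)
  Array(claims[ROLES_CLAIM]).include?(role)
end
```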