Role Based Access Control (RBAC)

Warrant provides out-of-the-box support for implementing Role Based Access Control (RBAC) using the built-in user, role, and permission object types.

Users, roles, and permissions can be created and managed from the Warrant Dashboard or via the API. This quickstart will walk you through setting up your roles & permissions and adding permissions checks to your application.

1. Create Permissions

First, we'll create our application's permissions in Warrant. You can create permissions once manually (if the set of permissions for your application is finite) and/or programmatically from your application code using the Warrant SDK. To create a permission you need to provide it a unique string identifier:

CLI

Create permissions

warrant create permission:view-dashboards
warrant create permission:create-dashboards
warrant create permission:edit-dashboards
warrant create permission:delete-dashboards

Go

Create permissions

client.CreatePermission(warrant.Permission{
    PermissionId: "view-dashboards",
})
client.CreatePermission(warrant.Permission{
    PermissionId: "create-dashboards",
})
client.CreatePermission(warrant.Permission{
    PermissionId: "edit-dashboards",
})
client.CreatePermission(warrant.Permission{
    PermissionId: "delete-dashboards",
})

Java

Create permissions

client.createPermission(new Permission("view-dashboards"));
client.createPermission(new Permission("create-dashboards"));
client.createPermission(new Permission("edit-dashboards"));
client.createPermission(new Permission("delete-dashboards"));

Node.js

Create permissions

await warrantClient.Permission.create({ permissionId: "view-dashboards" });
await warrantClient.Permission.create({ permissionId: "create-dashboards" });
await warrantClient.Permission.create({ permissionId: "edit-dashboards" });
await warrantClient.Permission.create({ permissionId: "delete-dashboards" });

PHP

Create permissions

$warrant->createPermission(new \Warrant\Permission("view-dashboards"));
$warrant->createPermission(new \Warrant\Permission("create-dashboards"));
$warrant->createPermission(new \Warrant\Permission("edit-dashboards"));
$warrant->createPermission(new \Warrant\Permission("delete-dashboards"));

Python

Create permissions

client.create_permission("view-dashboards")
client.create_permission("create-dashboards")
client.create_permission("edit-dashboards")
client.create_permission("delete-dashboards")

Ruby

Create permissions

Warrant::Permission.create(permission_id: "view-dashboards")
Warrant::Permission.create(permission_id: "create-dashboards")
Warrant::Permission.create(permission_id: "edit-dashboards")
Warrant::Permission.create(permission_id: "delete-dashboards")

2. Create Roles

Next, we'll create our application's roles. Ideally, the set of roles within an application should be finite and is usually well-defined upfront and so roles should only have to be created once (or infrequently). Like permissions, to create a role you need to provide it a unique string identifier:

CLI

Create roles

warrant create role:admin
warrant create role:basic

Go

Create roles

client.CreateRole(warrant.Role{
    RoleId: "admin",
})
client.CreateRole(warrant.Role{
    RoleId: "basic",
})

Java

Create roles

client.createRole(new Role("admin"));
client.createRole(new Role("basic"));

Node.js

Create roles

await warrantClient.Role.create({ roleId: "admin" });
await warrantClient.Role.create({ roleId: "basic" });

PHP

Create roles

$warrant->createRole(new \Warrant\Role("admin"));
$warrant->createRole(new \Warrant\Role("basic"));

Python

Create roles

client.create_role("admin")
client.create_role("basic")

Ruby

Create roles

Warrant::Role.create(role_id: "admin")
Warrant::Role.create(role_id: "basic")

3. Assign Permissions to Roles

The roles we created aren't useful until we assign permissions to them. Let's assign the view-dashboards permission to the basic role and all four permissions to the admin role.

CLI

Assign permissions to roles

warrant assign role:basic member permission:view-dashboards

warrant assign role:admin member permission:view-dashboards
warrant assign role:admin member permission:create-dashboards
warrant assign role:admin member permission:edit-dashboards
warrant assign role:admin member permission:delete-dashboards

Go

Assign permissions to roles

client.AssignPermissionToRole("basic", "view-dashboards")

client.AssignPermissionToRole("admin", "view-dashboards")
client.AssignPermissionToRole("admin", "create-dashboards")
client.AssignPermissionToRole("admin", "edit-dashboards")
client.AssignPermissionToRole("admin", "delete-dashboards")

Java

Assign permissions to roles

client.assignPermissionToRole("basic", "view-dashboards");

client.assignPermissionToRole("admin", "view-dashboards");
client.assignPermissionToRole("admin", "create-dashboards");
client.assignPermissionToRole("admin", "edit-dashboards");
client.assignPermissionToRole("admin", "delete-dashboards");

Node.js

Assign permissions to roles

await warrantClient.Permission.assignPermissionToRole(
  "basic",
  "view-dashboards"
);

await warrantClient.Permission.assignPermissionToRole(
  "admin",
  "view-dashboards"
);
await warrantClient.Permission.assignPermissionToRole(
  "admin",
  "create-dashboards"
);
await warrantClient.Permission.assignPermissionToRole(
  "admin",
  "edit-dashboards"
);
await warrantClient.Permission.assignPermissionToRole(
  "admin",
  "delete-dashboards"
);

PHP

Assign permissions to roles

$warrant->assignPermissionToRole("basic", "view-dashboards");

$warrant->assignPermissionToRole("admin", "view-dashboards");
$warrant->assignPermissionToRole("admin", "create-dashboards");
$warrant->assignPermissionToRole("admin", "edit-dashboards");
$warrant->assignPermissionToRole("admin", "delete-dashboards");

Python

Assign permissions to roles

client.assign_permission_to_role("basic", "view-dashboards")

client.assign_permission_to_role("admin", "view-dashboards")
client.assign_permission_to_role("admin", "create-dashboards")
client.assign_permission_to_role("admin", "edit-dashboards")
client.assign_permission_to_role("admin", "delete-dashboards")

Ruby

Assign permissions to roles

# Class method
Warrant::Permission.assign_to_role("basic", "view-dashboards")

# Instance method
role = Warrant::Role.get("admin")
role.assign_permission("view-dashboards")
role.assign_permission("create-dashboards")
role.assign_permission("edit-dashboards")
role.assign_permission("delete-dashboards")

4. Assign Roles to Users

Now that our roles are assigned permissions, we can assign them to users. Users can be assigned multiple roles. Let's create two users and assign each of them one of the roles we created.

CLI

Assign roles to users

warrant assign user:123 member role:admin
warrant assign user:456 member role:basic

Go

Assign roles to users

adminUser := client.CreateUser(warrant.User{})
basicUser := client.CreateUser(warrant.User{})

client.AssignRoleToUser(adminUser.UserId, "admin")
client.AssignRoleToUser(basicUser.UserId, "basic")

Java

Assign roles to users

User adminUser = client.createUser();
User basicUser = client.createUser();

client.assignRoleToUser(adminUser.getUserId(), "admin");
client.assignRoleToUser(basicUser.getUserId(), "basic");

Node.js

Assign roles to users

const adminUser = await warrantClient.User.create({
  meta: {
    email: "admin.user@my-customer.com",
  }
});
const basicUser = await warrantClient.User.create({
  meta: {
    email: "basic.user@my-customer.com",
  }
});

await warrantClient.Role.assignRoleToUser(adminUser.userId, "admin");
await warrantClient.Role.assignRoleToUser(basicUser.userId, "basic");

PHP

Assign roles to users

$admin_user = $warrant->createUser(new \Warrant\User("admin.user", "admin.user@my-customer.com"));
$basic_user = $warrant->createUser(new \Warrant\User("basic.user", "basic.user@my-customer.com"));

$warrant->assignRoleToUser("admin.user", "admin");
$warrant->assignRoleToUser("basic.user", "basic");

Python

Assign roles to users

admin_user = client.create_user("admin.user")
basic_user = client.create_user("basic.user")

client.assign_role_to_user(admin_user.user_id, "admin")
client.assign_role_to_user(basic_user.user_id, "basic")

Ruby

Assign roles to users

# Class method
admin_user = Warrant::User.create(meta: { email: "admin.user@my-customer.com" })
Warrant::Role.assign_to_user(admin_user.user_id, "admin")

# Instance method
basic_user = Warrant::User.create(meta: { email: "basic.user@my-customer.com" })
basic_user.assign_role("basic")

6. Assign Permissions to Users (optional)

Permissions can also be directly assigned to users. Let's assign edit-dashboards to a user.

CLI

Assign permissions to users

warrant assign user:123 member permission:edit-dashboards

Go

Assign permissions to users

client.AssignPermissionToUser(basicUser.UserId, "edit-dashboards")

Java

Assign permissions to users

client.assignPermissionToUser(basicUser.getUserId(), "edit-dashboards");

Node.js

Assign permissions to users

await warrantClient.Permission.assignPermissionToUser(
  basicUser.userId,
  "edit-dashboards"
);

PHP

Assign permissions to users

$warrant->assignPermissionToUser("basic.user", "edit-dashboards");

Python

Assign permissions to users

client.assign_permission_to_user(basic_user.user_id, "edit-dashboards")

Ruby

Assign permissions to users

# Class method
Warrant::Permission.assign_to_user(basic_user.user_id, "edit-dashboards")

# Instance method
basic_user.assign_permission("edit-dashboards")

7. Check for Permissions in your Application

Once our roles and permissions are defined and assigned amongst users, we can start to check permissions on specific users as such:

CLI

Check for permissions

# Returns true
warrant check user:123 member permission:delete-dashboards

# Return false
warrant check user:456 member permission:delete-dashboards

Go

Check for permissions

// Returns true
client.HasPermission(warrant.PermissionCheckParams{
    PermissionId: "delete-dashboards",
    UserId: adminUser.UserId,
})

// Return false
client.HasPermission(warrant.PermissionCheckParams{
    PermissionId: "delete-dashboards",
    UserId: basicUser.UserId,
})

Java

Check for permissions

// Returns true
client.hasPermission(new PermissionCheck("delete-dashboards", adminUser.getUserId()));

// Returns false
client.hasPermission(new PermissionCheck("delete-dashboards", basicUser.getUserId()));

Node.js

Check for permissions

// Returns true
await warrantClient.Authorization.hasPermission({
  permissionId: "delete-dashboards",
  subject: adminUser,
});

// Returns false
await warrantClient.Authorization.hasPermission({
  permissionId: "delete-dashboards",
  subject: basicUser,
});

PHP

Check for permissions

// Returns true
$warrant->hasPermission(new \Warrant\PermissionCheck("delete-dashboards", "admin.user"));

// Returns false
$warrant->hasPermission(new \Warrant\PermissionCheck("delete-dashboards", "basic.user"));

Python

Check for permissions

# Returns true
client.has_permission(PermissionCheck("delete-dashboards", admin_user.user_id))

# Returns false
client.has_permission(PermissionCheck("delete-dashboards", basic_user.user_id))

Ruby

Check for permissions

# Returns true
Warrant::Warrant.user_has_permission?(permission_id: "delete-dashboards", relation: "member", user_id: admin_user.user_id)    # Class method

# Returns false
basic_user.has_permission?("delete-dashboards")     # Instance method

Self Service RBAC

Following this quickstart guide, you should be able to setup RBAC for your application. Particularly for B2B applications, as your application continues to mature, your customers might ask you for the ability to manage their team's roles and permissions themselves.

The Warrant Self Service Dashboard is a Warrant-hosted page you can embed into your application to allow your users to manage their own organization's roles and permissions. See the Self Service RBAC guide for more details.