Role Based Access Control (RBAC)
Warrant provides out-of-the-box support for implementing Role Based Access Control (RBAC) using the built-in user, role, and permission object types.
Users, roles, and permissions can be created and managed from the Warrant Dashboard or via the API. This quickstart will walk you through setting up your roles & permissions and adding permissions checks to your application.
1. Create Your Users in Warrant
The first step is to make sure new users in your application are created in Warrant so they can be assigned roles and permissions. To do this, add the following code to your application's sign-up and login flows:
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
// 1. Your application's sign-up / login logic
// 2. Create user in Warrant
newUser, err := client.CreateUser(warrant.User{
UserId: user.Id,
})
if err != nil {
// handle error
}
// 3. Finish sign-up / login logic
// 1. Your application's sign-up / login logic
// 2. Create user in Warrant
try {
User warrantUser = client.createUser(new User(user.getId()));
} catch (WarrantException e) {
// Handle error
}
// 3. Finish sign-up / login logic
// 1. Your application's sign-up / login logic
// 2. Create user in Warrant
warrantClient
.createUser({ userId: user.id, email: user.email })
.then((warrantUser) => console.log(warrantUser))
.catch((error) => console.log(error));
// 3. Finish sign-up / login logic
# 1. Your application's sign-up / login logic
# 2. Create user in Warrant
warrant_user = client.create_user(user.id)
# 3. Finish sign-up / login logic
# 1. Your application's sign-up / login logic
# 2. Create user in Warrant
begin
warrant_user = Warrant::User.create(user_id: user.id)
rescue
# handle error
end
# 3. Finish sign-up / login logic
// 1. Your application's sign-up / login logic
// 2. Create user in Warrant
$warrant_user = $warrant->createUser(new \Warrant\User($user->getUserId(), $user->getUserEmail()));
// 3. Finish sign-up / login logic
2. Creating Permissions
Next, we'll create our application's permissions in Warrant. You can create permissions once manually (if the set of permissions for your application is finite) and/or programmatically from your application code using the Warrant SDK. To create a permission you need to provide it a unique string identifier:
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
client.CreatePermission(warrant.Permission{
PermissionId: "view-dashboards",
})
client.CreatePermission(warrant.Permission{
PermissionId: "create-dashboards",
})
client.CreatePermission(warrant.Permission{
PermissionId: "edit-dashboards",
})
client.CreatePermission(warrant.Permission{
PermissionId: "delete-dashboards",
})
client.createPermission(new Permission("view-dashboards"));
client.createPermission(new Permission("create-dashboards"));
client.createPermission(new Permission("edit-dashboards"));
client.createPermission(new Permission("delete-dashboards"));
warrantClient.createPermission({ permissionId: "view-dashboards" });
warrantClient.createPermission({ permissionId: "create-dashboards" });
warrantClient.createPermission({ permissionId: "edit-dashboards" });
warrantClient.createPermission({ permissionId: "delete-dashboards" });
client.create_permission("view-dashboards")
client.create_permission("create-dashboards")
client.create_permission("edit-dashboards")
client.create_permission("delete-dashboards")
Warrant::Permission.create(permission_id: "view-dashboards")
Warrant::Permission.create(permission_id: "create-dashboards")
Warrant::Permission.create(permission_id: "edit-dashboards")
Warrant::Permission.create(permission_id: "delete-dashboards")
$warrant->createPermission(new \Warrant\Permission("view-dashboards"));
$warrant->createPermission(new \Warrant\Permission("create-dashboards"));
$warrant->createPermission(new \Warrant\Permission("edit-dashboards"));
$warrant->createPermission(new \Warrant\Permission("delete-dashboards"));
3. Creating Roles
Next, we'll create our application's roles. Ideally, the set of roles within an application should be finite and is usually well-defined upfront and so roles should only have to be created once (or infrequently). Like permissions, to create a role you need to provide it a unique string identifier:
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
client.CreateRole(warrant.Role{
RoleId: "admin",
})
client.CreateRole(warrant.Role{
RoleId: "basic",
})
client.createRole(new Role("admin"));
client.createRole(new Role("basic"));
warrantClient.createRole({ roleId: "admin" });
warrantClient.createRole({ roleId: "basic" });
client.create_role("admin")
client.create_role("basic")
Warrant::Role.create(role_id: "admin")
Warrant::Role.create(role_id: "basic")
$warrant->createRole(new \Warrant\Role("admin"));
$warrant->createRole(new \Warrant\Role("basic"));
4. Assigning Permissions to Roles
The roles we created aren't useful until we assign permissions to them. Let's assign the view-dashboards
permission to the basic
role and all four permissions to the admin
role.
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
client.AssignPermissionToRole("basic", "view-dashboards")
client.AssignPermissionToRole("admin", "view-dashboards")
client.AssignPermissionToRole("admin", "create-dashboards")
client.AssignPermissionToRole("admin", "edit-dashboards")
client.AssignPermissionToRole("admin", "delete-dashboards")
client.assignPermissionToRole("basic", "view-dashboards");
client.assignPermissionToRole("admin", "view-dashboards");
client.assignPermissionToRole("admin", "create-dashboards");
client.assignPermissionToRole("admin", "edit-dashboards");
client.assignPermissionToRole("admin", "delete-dashboards");
warrantClient.assignPermissionToRole("basic", "view-dashboards");
warrantClient.assignPermissionToRole("admin", "view-dashboards");
warrantClient.assignPermissionToRole("admin", "create-dashboards");
warrantClient.assignPermissionToRole("admin", "edit-dashboards");
warrantClient.assignPermissionToRole("admin", "delete-dashboards");
client.assign_permission_to_role("basic", "view-dashboards")
client.assign_permission_to_role("admin", "view-dashboards")
client.assign_permission_to_role("admin", "create-dashboards")
client.assign_permission_to_role("admin", "edit-dashboards")
client.assign_permission_to_role("admin", "delete-dashboards")
# Class method
Warrant::Permission.assign_to_role("basic", "view-dashboards")
# Instance method
role = Warrant::Role.get("admin")
role.assign_permission("view-dashboards")
role.assign_permission("create-dashboards")
role.assign_permission("edit-dashboards")
role.assign_permission("delete-dashboards")
$warrant->assignPermissionToRole("basic", "view-dashboards");
$warrant->assignPermissionToRole("admin", "view-dashboards");
$warrant->assignPermissionToRole("admin", "create-dashboards");
$warrant->assignPermissionToRole("admin", "edit-dashboards");
$warrant->assignPermissionToRole("admin", "delete-dashboards");
5. Assigning Roles to Users
Now that our roles are assigned permissions, we can assign them to users. Users can be assigned multiple roles. Let's create two users and assign each of them one of the roles we created.
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
adminUser := client.CreateUser(warrant.User{})
basicUser := client.CreateUser(warrant.User{})
client.AssignRoleToUser(adminUser.UserId, "admin")
client.AssignRoleToUser(basicUser.UserId, "basic")
User adminUser = client.createUser();
User basicUser = client.createUser();
client.assignRoleToUser(adminUser.getUserId(), "admin");
client.assignRoleToUser(basicUser.getUserId(), "basic");
const adminUser = warrantClient.createUser({ email: "admin.user@my-customer.com" });
const basicUser = warrantClient.createUser({ email: "basic.user@my-customer.com" });
warrantClient.assignRoleToUser(adminUser.userId, "admin");
warrantClient.assignRoleToUser(basicUser.userId, "basic");
admin_user = client.create_user("admin.user")
basic_user = client.create_user("basic.user")
client.assign_role_to_user(admin_user.user_id, "admin")
client.assign_role_to_user(basic_user.user_id, "basic")
# Class method
admin_user = Warrant::User.create(email: "admin.user@my-customer.com")
Warrant::Role.assign_to_user(admin_user.user_id, "admin")
# Instance method
basic_user = Warrant::User.create(email: "basic.user@my-customer.com")
basic_user.assign_role("basic")
$admin_user = $warrant->createUser(new \Warrant\User("admin.user", "admin.user@my-customer.com"));
$basic_user = $warrant->createUser(new \Warrant\User("basic.user", "basic.user@my-customer.com"));
$warrant->assignRoleToUser("admin.user", "admin");
$warrant->assignRoleToUser("basic.user", "basic");
6. Assigning Permissions to Users
Permissions can also be directly assigned to users. Let's assign edit-dashboards
to a user.
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
client.AssignPermissionToUser(basicUser.UserId, "edit-dashboards")
client.assignPermissionToUser(basicUser.getUserId(), "edit-dashboards");
warrantClient.assignPermissionToUser(basicUser.userId, "edit-dashboards");
client.assign_permission_to_user(basic_user.user_id, "edit-dashboards")
# Class method
Warrant::Permission.assign_to_user(basic_user.user_id, "edit-dashboards")
# Instance method
basic_user.assign_permission("edit-dashboards")
$warrant->assignPermissionToUser("basic.user", "edit-dashboards");
7. Checking for Permissions
Once our roles and permissions are defined and assigned amongst users, we can start to check permissions on specific users as such:
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
// Returns true
client.HasPermission(warrant.PermissionCheckParams{
PermissionId: "delete-dashboards",
UserId: adminUser.UserId,
})
// Return false
client.HasPermission(warrant.PermissionCheckParams{
PermissionId: "delete-dashboards",
UserId: basicUser.UserId,
})
// Returns true
client.hasPermission(new PermissionCheck("delete-dashboards", adminUser.getUserId()));
// Returns false
client.hasPermission(new PermissionCheck("delete-dashboards", basicUser.getUserId()));
// Returns true
warrantClient.hasPermission({ permissionId: "delete-dashboards", userId: adminUser.userId });
// Returns false
warrantClient.hasPermission({ permissionId: "delete-dashboards", userId: basicUser.userId });
# Returns true
client.has_permission(PermissionCheck("delete-dashboards", admin_user.user_id))
# Returns false
client.has_permission(PermissionCheck("delete-dashboards", basic_user.user_id))
# Returns true
Warrant::Warrant.user_has_permission?(permission_id: "delete-dashboards", user_id: admin_user.user_id) # Class method
# Returns false
basic_user.has_permission?("delete-dashboards") # Instance method
// Returns true
$warrant->hasPermission(new \Warrant\PermissionCheck("delete-dashboards", "admin.user"));
// Returns false
$warrant->hasPermission(new \Warrant\PermissionCheck("delete-dashboards", "basic.user"));
Self Service RBAC
Following this quickstart guide, you should be able to setup RBAC for your application. Particularly for B2B applications, as your application continues to mature, your customers might ask you for the ability to manage their team's roles and permissions themselves.
The Warrant Self Service Dashboard is a Warrant-hosted page you can embed into your application to allow your users to manage their own organization's roles and permissions. See the Self Service RBAC guide for more details.