Configure your first RBAC Policy
Role-Based Access Control (RBAC) is a method for managing access to resources by assigning permissions based on user roles. It simplifies security management by ensuring users only have access to what they need to perform their job. For a deeper dive into RBAC and its benefits, explore our detailed blog post or check out our Permit RBAC home page to learn more.
For example, in a web application, an "Admin" role might have full access to manage resources, while a "Viewer" role can only view them.
In this guide, you'll learn how to configure your first RBAC policy, step by step—starting with creating roles, defining resources and actions, and assigning roles to users.
Creating your first role
The first step in configuring your RBAC policy is to define roles, which represent a set of permissions associated with specific actions and resources. Roles are the foundation of RBAC, as they determine what a user can or cannot do within the system.
In this example, we will create a role called Admin, which typically represents a user with the highest level of access.
Make sure the name is clear and meaningful, reflecting the purpose of the role. You can also pass a key to uniquely identify the role and a description to offer a more meaningful explanation of what the role is for.
To create the Admin role:
- Navigate to the Policy screen.
- Click Create a Role.
- Enter "Admin" as the name of the role.
Creating a resource and its actions
- Navigate to the Policy screen.
- Click Create a Resource.
- Enter Document as the name of the resource. Ensure the name clearly represents the entity or object in your system requiring controlled access, such as a file, a database entry, or, in this case, a document.
- Add the actions associated with this resource. Start with Permit's basic pre-defined actions: create, read, update, and delete (CRUD). These actions cover fundamental operations common across most systems.
- Optionally, add custom actions to reflect specific operations relevant to your use case. For example, add a custom action called publish, representing an operation specific to document management.
This combination of predefined and bespoke actions gives you flexibility in crafting access policies tailored to your application’s needs.
Configuring RBAC permissions in the Policy Editor
Now, with our role and resource in place, we need to define the exact permissions for the Admin role. This is done in the Policy Editor, where you specify which actions each role is allowed to perform on a given resource.
- Navigate to the Policy Editor screen.
- Find the Admin role, and the Document resource listed underneath it.
- Tick the actions the Admin role can perform on the Document resource:
  - create
  - read
  - publish (the custom action defined earlier)
Any action you leave unticked (here update and delete) is not granted to the role, so Permit will deny it by default. By mapping only the actions a role genuinely needs to that role in the Policy Editor, you keep the access control model both least-privilege and flexible, tailored to your application's requirements.
Add a user and assign a role
Finally, now that we've defined a role, a resource, and its associated permissions, it's time to bring a user into the system and grant them access.
Users represent the individuals or entities that will interact with your application, and the roles assigned to them determine what they can do.
- Navigate to the Directory page.
- Click Add User.
- Enter sam@permit.io as the user's email address. Ensure the email corresponds to the individual who should receive access.
- Assign the Admin role to this user by selecting it from the list of available roles. This grants the user every permission defined for the Admin role: in this guide, create, read, and publish on the Document resource.
Once this step is complete, your RBAC setup is ready: the Admin role carries the permissions you ticked for the Document resource, and sam@permit.io holds that role.
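To make the semantics of the steps above concrete, here is an added, self-contained Python model of the policy this guide builds: a role, a resource with predefined and custom actions, the ticked permissions, and a user-role assignment, followed by a deny-by-default check. This is illustrative code written for this page, not Permit's SDK, Policy Editor or PDP; the class and function names (Policy, build_tutorial_policy, decisions) and the extra user guest@example.com are assumptions made for the example.

```python
# Added example: a plain-Python model of the RBAC policy configured in this
# guide. It is not Permit's SDK or Policy Editor; the names Policy,
# build_tutorial_policy and decisions are illustrative assumptions.
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Roles, resources with their actions, role permissions, user assignments."""

    # resource key -> set of actions defined on that resource
    resources: dict[str, set[str]] = field(default_factory=dict)
    # role key -> resource key -> actions the role may perform on it
    roles: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    # user key (here an email address) -> set of assigned role keys
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def create_role(self, role: str) -> None:
        if role in self.roles:
            raise ValueError(f"role {role!r} already exists")
        self.roles[role] = {}

    def create_resource(self, resource: str, actions: set[str]) -> None:
        if resource in self.resources:
            raise ValueError(f"resource {resource!r} already exists")
        self.resources[resource] = set(actions)

    def grant(self, role: str, resource: str, actions: set[str]) -> None:
        """Tick actions for a role on a resource (the Policy Editor step)."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if resource not in self.resources:
            raise KeyError(f"unknown resource {resource!r}")
        undefined = set(actions) - self.resources[resource]
        if undefined:
            # An action must be defined on the resource before it can be granted.
            raise ValueError(f"actions not defined on {resource!r}: {sorted(undefined)}")
        self.roles[role].setdefault(resource, set()).update(actions)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def check(self, user: str, action: str, resource: str) -> bool:
        """Deny by default: allow only if some assigned role grants the action."""
        for role in self.assignments.get(user, set()):
            if action in self.roles.get(role, {}).get(resource, set()):
                return True
        return False


def build_tutorial_policy() -> Policy:
    """Replay the guide's steps: Admin role, Document resource, permissions, user."""
    policy = Policy()
    policy.create_role("Admin")
    policy.create_resource("Document", {"create", "read", "update", "delete", "publish"})
    # Only the actions ticked in the guide; update and delete stay unticked.
    policy.grant("Admin", "Document", {"create", "read", "publish"})
    policy.assign_role("sam@permit.io", "Admin")
    return policy


def decisions(policy: Policy, user: str, resource: str = "Document") -> dict[str, bool]:
    """Evaluate every action defined on the resource for one user."""
    return {a: policy.check(user, a, resource) for a in sorted(policy.resources[resource])}


if __name__ == "__main__":
    p = build_tutorial_policy()
    # guest@example.com is a constructed user with no role, to show the default deny.
    for user in ("sam@permit.io", "guest@example.com"):
        print(user, decisions(p, user))
```

Two things worth noticing when you run it: sam@permit.io is allowed create, read and publish but denied update and delete, because those boxes were never ticked even though the role is named Admin; and a user with no role assignment, or a check against a resource the role was never granted, is denied without any explicit deny rule. Granting an action that was not first defined on the resource is rejected, which mirrors the order of the steps in this guide.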
What did you learn?
Congratulations! 🎉 You've successfully configured your first RBAC policy by creating a role, defining a resource with its actions, granting the role permissions on that resource, and assigning the role to a user. This foundational setup is the cornerstone of a secure and scalable access control system.
RBAC is so effective that it’s used by NASA to manage access to mission-critical systems! By leveraging roles and permissions, they ensure that only authorized personnel can interact with sensitive spacecraft operations and data.
What's next? 🎉
- Fetching your API key
- Initializing the Permit Instance
- Performing your first API call
Congratulations! A great start!