Role-Based Access Control (RBAC)

Role-Based Access Control represents one of the most widely adopted authorization models for APIs. RBAC simplifies permission management by grouping permissions into roles and assigning roles to users. Instead of managing individual user permissions, administrators manage a smaller number of roles, making the system more maintainable and auditable.

```python
# Python example of RBAC implementation
from enum import Enum
from functools import wraps
from flask import Flask, request, jsonify, g

app = Flask(__name__)

class Role(Enum):
    ADMIN = "admin"
    MANAGER = "manager"
    USER = "user"
    GUEST = "guest"

# Define role permissions
ROLE_PERMISSIONS = {
    Role.ADMIN: ["create", "read", "update", "delete", "manage_users"],
    Role.MANAGER: ["create", "read", "update", "delete"],
    Role.USER: ["read", "update_own"],
    Role.GUEST: ["read"]
}

def require_permission(permission):
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            # g.current_user is expected to be populated by the authentication
            # layer (e.g. a before_request hook that validates the token/session).
            # If nothing authenticated the caller, fail closed with 401 instead
            # of raising an AttributeError (which would surface as a 500).
            current_user = getattr(g, "current_user", None)
            if current_user is None:
                return jsonify({"error": "Authentication required"}), 401

            # Permission check: the role must grant the required permission;
            # an unknown role resolves to an empty list (deny by default).
            user_role = current_user.role
            if permission not in ROLE_PERMISSIONS.get(user_role, []):
                return jsonify({"error": "Insufficient permissions"}), 403

            return f(*args, **kwargs)
        return decorated_function
    return decorator

@app.route('/api/users', methods=['GET'])
@require_permission('read')
def get_users():
    # Implementation for getting users
    return jsonify({"users": []})

@app.route('/api/users', methods=['POST'])
@require_permission('create')
def create_user():
    # Implementation for creating users
    return jsonify({"message": "User created"})
```

RBAC implementation requires careful role design to avoid role explosion or overly permissive roles. Start with coarse-grained roles that map to clear business functions, then refine as needed. Implement role hierarchies where senior roles inherit permissions from junior ones. This approach reduces redundancy and ensures consistent permission assignment.

Dynamic role assignment enhances RBAC flexibility. Instead of static role assignments, evaluate user attributes, group memberships, or contextual factors to determine applicable roles. For instance, a user might have different roles in different projects or organizations within the same system. This dynamic approach supports complex multi-tenant scenarios while maintaining RBAC's simplicity.
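To show the role hierarchy and the per-project role resolution that the two paragraphs above describe, here is an added example (it is not code from the original article); the DIRECT_PERMISSIONS, PARENT_ROLE and PROJECT_ROLES tables and the user and project names are constructed for illustration.

```python
from enum import Enum

class Role(Enum):
    ADMIN = "admin"
    MANAGER = "manager"
    USER = "user"
    GUEST = "guest"

# Permissions each role grants directly; inherited ones come via PARENT_ROLE.
DIRECT_PERMISSIONS = {
    Role.ADMIN: {"manage_users"},
    Role.MANAGER: {"create", "update", "delete"},
    Role.USER: {"update_own"},
    Role.GUEST: {"read"},
}

# Senior role -> junior role it inherits from (GUEST is the root).
PARENT_ROLE = {Role.ADMIN: Role.MANAGER, Role.MANAGER: Role.USER, Role.USER: Role.GUEST}

def effective_permissions(role):
    """Walk from `role` down the hierarchy, unioning direct permissions."""
    perms, seen = set(), set()
    while role is not None and role not in seen:  # `seen` guards against cycles
        seen.add(role)
        perms |= DIRECT_PERMISSIONS.get(role, set())
        role = PARENT_ROLE.get(role)
    return perms

# Constructed sample assignments: a user's role can differ per project.
# "*" is a global (all-project) role; a missing key means no membership.
PROJECT_ROLES = {
    "alice": {"*": Role.USER, "proj-billing": Role.MANAGER},
    "bob": {"proj-billing": Role.GUEST},
}

def resolve_role(user, project):
    """Project-specific role overrides the global one; None if neither exists."""
    roles = PROJECT_ROLES.get(user, {})
    return roles.get(project, roles.get("*"))

def has_permission(user, project, permission):
    """Deny by default: no role in this scope means no access at all."""
    role = resolve_role(user, project)
    if role is None:
        return False
    return permission in effective_permissions(role)
```

Because permissions are derived from the hierarchy at check time, adding a permission to GUEST automatically reaches every senior role, and a user with no membership in a project is refused even if they hold a role elsewhere.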