Role-Based Access Control (RBAC)
Descope provides a structured Role-Based Access Control system, allowing for granular access control. Permissions are the foundation of this system, describing specific actions and functionality a user can take. Roles are collections of permissions that can be assigned to a user. For example, there could exist an “Admin” role with permissions to create, update, and delete other users.
Creating, updating, assigning, grouping, and deleting roles and permissions is done through Descope's UI, SDKs, or APIs, with specific instructions on how to do so in our Authorization Page.
Use Case Example
Now, to better understand how to implement RBAC with Descope, let's dive into a use case example.
Imagine running a SaaS company, providing a software-as-a-service platform to other businesses. This platform is designed to streamline e-commerce operations and amplify brand engagement.
The platform has thee main features including:
- Digital Storefront: Assists businesses in crafting an online presence, cataloging products, and processing sales.
- Customer Relations Manager (CRM): Designed to track customer interactions, purchases, and feedbac.
- Brand Amplifier: Aids in crafting, scheduling, and distributing promotional content across various digital channels.
Recognizing the importance of granular access control, you integrate Descope into your solution. Without Role-Based Access Control (RBAC), employees across client businesses would have a free run of the platform, potentially complicating operations, especially in businesses where tasks are department-centric.
Digital Storefront
For the Digital Storefront module, permissions are created such as:
read-product-detailsedit-product-pricingprocess-online-orders
To manage these permissions, the role “Digital Store Supervisor” is conceived.
CRM
Transitioning to the CRM module, we see permissions like:
view-customer-historyannotate-customer-feedbackgenerate-sales-report
This brings forth the role of “Customer Insights Analyst.”
Brand Amplifier
Lastly, the Brand Amplifier module encapsulates permissions like:
draft-promotional-contentschedule-brand-campaignanalyze-engagement-metrics
Consequently, a role named “Brand Strategist” emerges.
Assigning Roles to Users
Now, consider a scenario: A business onboarded to your platform designates Dylan to oversee their e-commerce wing. Dylan is provided the Digital Store Supervisor and Customer Insights Analyst roles, granting him a spectrum of permissions from the two modules. However, since marketing is not his forte, he isn't assigned the Brand Strategist role, ensuring he remains focused on his domain.
On the backend, when Dylan logs into your platform, Descope seamlessly authenticates and authorizes him, embedding the required permissions within the Access Token. Your software, by interpreting this token, ascertains which modules and features Dylan can access.
Delegating Role Creation And Permission Assignment
Using Descope's Role Management Widget, tenant administrators can create new tenant-level roles and assign them the relevant permissions.
As part of this functionality, there is a need to manage the available permissions for each tenant, to allow granularity and avoid collisions between tenants.
Meaning, some tenants require one set of permissions while others require a different set. And we want to be able to manage those different sets by creating delegation roles.
This following example is about delegating permission assignments to new roles in "schools":
- Create the role
- Add the role to the tenant admin
- The tenant admin can create a role with the delegated permissions
Conclusion
Thanks to Descope's efficient RBAC, your platform gains robustness without the need for internalizing authorization mechanics. As roles within client businesses evolve, permissions can be effortlessly realigned.
Moreover, to cater to growing clientele and diversifying roles, Descope's SDKs and API offers the potential of crafting a self-service portal. This in-platform feature could empower businesses to sculpt and manage their RBAC, further refining operational efficiency.