Role Based Access Control (RBAC)
Each of PropelAuth's Frontend and Backend libraries contains methods for protecting your resources based on a user's role or permissions. See our Managing Roles and Permissions documentation to get started with Roles and Permissions.
Frontend RBAC
Easily restrict which pages and resources users can access on your frontend using roles and permissions. In this example, we'll only show a "Create Ticket" button to users whose role grants the can_create_tickets permission.
With PropelAuth's React library, we can use the useAuthInfo() hook to retrieve the UserClass, as well as the OrgMemberInfoClass for each org the user belongs to.
We can retrieve the OrgMemberInfoClass for a user's org and then check whether the user has the can_create_tickets permission within that org. If they do not, we won't render the button.
import { useAuthInfo } from "@propelauth/react"

function CreateTicketButton() {
    const { loading, userClass } = useAuthInfo()
    // userClass is undefined while auth state is loading or the user is logged out
    if (loading || !userClass) return null
    // getOrg returns undefined when the user is not a member of this org
    const org = userClass.getOrg("my-org-id")
    if (org && org.hasPermission("can_create_tickets")) {
        return <button>Create Ticket</button>
    }
    return null
}
Backend RBAC
On the backend, we can quickly and easily protect backend resources from unauthorized users. In this example, we'll require that a user has the can_view_billing permission.
With FastAPI, we can use the require_org_member_with_permission() function to validate that the user belongs to the org whose id was passed in the URL and that they hold the required permission in that org.
from fastapi import Depends, FastAPI
from propelauth_fastapi import init_auth, User

app = FastAPI()
auth = init_auth("auth_url", "auth_api_key")

@app.get("/api/org/{org_id}/billing")
async def billing(org_id: str, current_user: User = Depends(auth.require_user)):
    # Responds 403 unless current_user is a member of org_id AND has can_view_billing there
    org = auth.require_org_member_with_permission(current_user, org_id, "can_view_billing")
    return {"org_id": org.org_id}
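The point of the backend check above is that it binds the permission to the org named in the URL, so a permission held in one org never unlocks another org's billing. As an added example (not PropelAuth's code), the following plain-Python model shows that two-step decision; Forbidden, OrgMembership, User, SAMPLE_USER and decide() are constructed for this illustration and only approximate what require_org_member_with_permission() does.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller must get a 403 (not a member, or missing permission)."""


@dataclass
class OrgMembership:
    org_id: str
    role: str
    permissions: frozenset[str]


@dataclass
class User:
    user_id: str
    orgs: dict[str, OrgMembership] = field(default_factory=dict)


def require_org_member_with_permission(user: User, required_org_id: str, permission: str) -> OrgMembership:
    """Model of the backend check: membership in the URL's org is verified first,
    then the permission is looked up in THAT membership only."""
    membership = user.orgs.get(required_org_id)
    if membership is None:
        raise Forbidden(f"{user.user_id} is not a member of {required_org_id}")
    if permission not in membership.permissions:
        raise Forbidden(f"{user.user_id} lacks {permission} in {required_org_id}")
    return membership


def billing(user: User, org_id: str) -> dict:
    """Handler body: the org_id comes from the request path, never from the user."""
    org = require_org_member_with_permission(user, org_id, "can_view_billing")
    return {"org_id": org.org_id, "role": org.role}


def decide(user: User, org_id: str) -> str:
    """Map the outcome to the HTTP status the endpoint would return."""
    try:
        billing(user, org_id)
        return "200"
    except Forbidden:
        return "403"


# Constructed sample: Admin with billing access in org_a, plain Member in org_b.
SAMPLE_USER = User(
    user_id="user_123",
    orgs={
        "org_a": OrgMembership("org_a", "Admin", frozenset({"can_view_billing", "can_create_tickets"})),
        "org_b": OrgMembership("org_b", "Member", frozenset({"can_create_tickets"})),
    },
)
```

Requesting /api/org/org_b/billing with this user is denied even though the same user can view billing in org_a; the frontend button check is a convenience, and this server-side check is where access is actually enforced.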