RBAC Auth UI + API with Flask

Building a basic RBAC auth with Flask and SQL to learn more about SaaS roles and permissions

I built a Flask + SQL app, including UI and API, to learn more about RBAC. I implemented a basic version of the signup, login, user creation, roles, and permission features.

Role-based access control (RBAC) is a model used in most SaaS applications today. It is a policy-based approach that allows administrators to assign specific permissions to specific people, groups, and roles. It is stateless and does not hold the user permissions in the state of the system, like directory security and the web security approaches.

A standard way to manage users is to design a user list model that contains all the information on each user, e.g. a class called User that has a name, a password, a status, and an email. Each user can be added, removed, updated, etc. Administrators can then assign users to the respective roles, which carry the appropriate rights.

The main idea is that every entity in the system has defined roles, which are then assigned to certain users. To perform a certain action, the user has to hold one of the assigned roles.

Beyond the basic RBAC model, you can use groups to categorize users and attach permissions to the groups. The user groups usually follow human organizational structures.

Presetting some default roles and permissions can save users a lot of time and potentially prevent serious accidents, such as allowing clients to view vendors’ profits. Depending on the use case, the permission options may be simplified.

The default permission for any action is "not allowed". Otherwise, if you forget to handle some case, that case is simply open to everyone. That’s why requiring the user to match all of the specified conditions is the more secure approach.
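
The deny-by-default rule above, as an added example that is not code from the original app: a permission check over an in-memory SQLite database that allows an action only when an active user holds every required permission through their roles. The table names, permission strings, and sample users are assumptions constructed for illustration.

```python
import sqlite3

# Constructed schema and sample data; table and column names are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, status TEXT);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER);
CREATE TABLE role_permissions (role_id INTEGER, permission TEXT);
INSERT INTO users VALUES (1, 'admin@example.com', 'active'),
                         (2, 'client@example.com', 'active'),
                         (3, 'former@example.com', 'disabled');
INSERT INTO roles VALUES (1, 'admin'), (2, 'client');
INSERT INTO user_roles VALUES (1, 1), (2, 2), (3, 1);
INSERT INTO role_permissions VALUES (1, 'orders:read'), (1, 'profits:read'),
                                    (2, 'orders:read');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def permissions_of(conn, email):
    """Permissions granted through the roles of an active user; empty otherwise."""
    rows = conn.execute(
        """SELECT DISTINCT rp.permission
           FROM users u
           JOIN user_roles ur ON ur.user_id = u.id
           JOIN role_permissions rp ON rp.role_id = ur.role_id
           WHERE u.email = ? AND u.status = 'active'""",
        (email,),  # parameterized: the email never becomes part of the SQL text
    ).fetchall()
    return {r[0] for r in rows}

def is_allowed(conn, email, *required):
    """Deny by default: allow only if every required permission is granted."""
    if not required:  # an action with no declared permission stays closed
        return False
    return set(required) <= permissions_of(conn, email)

if __name__ == "__main__":
    db = make_db()
    for who in ("admin@example.com", "client@example.com", "former@example.com"):
        print(who, is_allowed(db, who, "orders:read", "profits:read"))
```

Unknown users, disabled users, and permissions that no role grants all fall through to the same empty set, so a forgotten case is refused rather than opened.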

API Authentication