Security Concepts

Role based Access Control (RBAC)

Within your API you can create users and roles. Users can be assigned different roles, and you can grant discrete permissions to access specific resources to the members of specific roles.

Consider a data model that consists of a products-collection and an orders-collection. You could grant access to update the products-collection to members of the marketing team, so that the team can add new products and manage information such as product descriptions. Similarly, you could grant access to update the orders-collection to the members of the sales department.

Any user who is a member of both roles can update items in both collections.

Example of users, roles, and membership:

USER   | Role Marketing | Role Sales
Jim    | X              |
Peter  |                | X
Bill   | X              | X

Example of permissions on the products-collection granted to specific roles:

ROLE      | GET | POST | PUT | PATCH | DELETE
Marketing | X   | X    | X   | X     | X
Sales     | X   |      |     |       |
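The two tables above describe a deny-by-default policy whose effective permissions are the union of every role a user holds. The following is an added example (not code from the API described on this page) that models that policy; the user, role and collection names come from the tables, while the orders-collection grants for the Sales role are an assumption drawn from the prose.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed sample data mirroring the page's membership table.
USER_ROLES: Dict[str, Set[str]] = {
    "Jim": {"Marketing"},
    "Peter": {"Sales"},
    "Bill": {"Marketing", "Sales"},
}

# role -> collection -> HTTP methods that role may use on the collection.
# The "orders" grants for Sales are an assumption based on the page's prose;
# the "products" grants follow the permissions table.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "Marketing": {
        "products": {"GET", "POST", "PUT", "PATCH", "DELETE"},
    },
    "Sales": {
        "products": {"GET"},
        "orders": {"GET", "POST", "PUT", "PATCH", "DELETE"},
    },
}


def effective_permissions(user: str) -> Dict[str, Set[str]]:
    """Per collection, the union of the methods granted by any of the user's roles."""
    perms: Dict[str, Set[str]] = defaultdict(set)
    for role in USER_ROLES.get(user, set()):
        for collection, methods in ROLE_PERMISSIONS.get(role, {}).items():
            perms[collection] |= methods
    return dict(perms)


def is_allowed(user: str, method: str, collection: str) -> bool:
    """Deny by default: unknown users, roles, collections or methods are refused."""
    return method.upper() in effective_permissions(user).get(collection, set())


if __name__ == "__main__":
    checks = [("Jim", "PUT", "products"), ("Jim", "PUT", "orders"),
              ("Peter", "PUT", "products"), ("Bill", "PUT", "orders")]
    for user, method, collection in checks:
        verdict = "allow" if is_allowed(user, method, collection) else "deny"
        print(f"{user:<6} {method:<6} {collection:<9} -> {verdict}")
```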