Role‐Based Access Control (RBAC) with Dynamic Role Management & Attribute‐Based Access Control (ABAC) - sonuprajapati15/Authentication-Authorization GitHub Wiki
Role-Based Access Control (RBAC) with Dynamic Role Management & Attribute-Based Access Control (ABAC)
Now, let’s enhance our RBAC system by adding:
✅ Dynamic Role Management – Admins can create and update roles & permissions at runtime.
✅ Attribute-Based Access Control (ABAC) – Access decisions based on user attributes (e.g., department, location, seniority, etc.), not just roles.
| Feature | RBAC | ABAC |
|---|---|---|
| Access Control | Based on predefined roles | Based on user attributes & policies |
| Flexibility | Static & predefined | Dynamic & context-aware |
| Example | Admin can delete users | Manager can approve expenses over $1000 if in Finance department |
Here is the RBAC + ABAC Authorization Flowchart (the diagram itself is not included in this text version):
```bash
npm install express bcrypt jsonwebtoken redis dotenv
```
```js
require("dotenv").config();
const express = require("express");
const bcrypt = require("bcrypt");
const jwt = require("jsonwebtoken");
const redis = require("redis");

const app = express();
app.use(express.json());

// Redis client reserved for caching policy decisions (see the trade-offs below); not used by this route
const redisClient = redis.createClient({ url: process.env.REDIS_URL });

// Mock database with attributes
const users = [
  { id: 1, username: "admin", passwordHash: bcrypt.hashSync("password", 10), role: "admin", department: "IT" },
  { id: 2, username: "manager", passwordHash: bcrypt.hashSync("password", 10), role: "manager", department: "Finance" }
];

// ABAC Policy Engine: attribute values a user must carry to exercise a role
const abacPolicies = {
  manager: { department: "Finance" }
};

// RBAC + ABAC Middleware.
// Expects a Bearer JWT whose claims include `role` and the user's attributes (e.g. `department`).
const authorize = (role, attributeKey, attributeValue) => (req, res, next) => {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) {
    return res.status(401).json({ message: "Missing token" });
  }
  let claims;
  try {
    claims = jwt.verify(token, process.env.JWT_SECRET);
  } catch (err) {
    return res.status(401).json({ message: "Invalid token" });
  }
  // RBAC check: the token's role must be the one the route requires
  if (claims.role !== role) {
    return res.status(403).json({ message: "Access Denied" });
  }
  // ABAC check: the user's own attributes (from the token) must satisfy both
  // the role's policy and the route's attribute requirement
  const required = { ...(abacPolicies[claims.role] || {}), [attributeKey]: attributeValue };
  const satisfied = Object.entries(required).every(([key, value]) => claims[key] === value);
  if (!satisfied) {
    return res.status(403).json({ message: "Access Denied" });
  }
  req.user = claims;
  next();
};

// Protected Route
app.get("/finance-reports", authorize("manager", "department", "Finance"), (req, res) =>
  res.json({ message: "Accessing Finance Reports" })
);

app.listen(3000, () => console.log("RBAC + ABAC Server running on port 3000"));
```
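The middleware above hard-codes one role and one attribute per route, and the page shows no code for the runtime role management it promises. The following is an added example, not the wiki's code, of a dependency-free RBAC + ABAC policy engine in plain Node.js: roles and permissions are granted and revoked at runtime, and each permission can carry attribute conditions that compare subject or resource attributes with constants or with each other. The names `PolicyEngine`, `grant`, `revoke`, `can`, `evaluateCondition` and `buildEngine` are assumptions, as is the reading of the example table row (managers approve expenses up to $1000 in their own department, and expenses over $1000 only when they are in Finance). Missing attributes and unknown operators evaluate to deny, so the engine fails closed.

```javascript
"use strict";

// Added example (not the wiki's code): dependency-free RBAC + ABAC policy engine
// with runtime role management. All names below are assumptions for this illustration.

// Comparison operators available to ABAC conditions.
const OPS = {
  eq: (a, b) => a === b,
  gt: (a, b) => a > b,
  lte: (a, b) => a <= b,
  in: (a, b) => Array.isArray(b) && b.includes(a),
};

// Resolve a dotted attribute path such as "subject.department" against
// the evaluation context { subject, resource }; undefined when absent.
function resolve(path, ctx) {
  return path.split(".").reduce((acc, key) => (acc == null ? undefined : acc[key]), ctx);
}

// A condition is { attr, op, value } (compare with a constant) or
// { attr, op, ref } (compare with another attribute path).
// Unknown operators and missing attributes evaluate to false (fail closed).
function evaluateCondition(cond, ctx) {
  const op = OPS[cond.op];
  if (!op) return false;
  const left = resolve(cond.attr, ctx);
  const right = cond.ref !== undefined ? resolve(cond.ref, ctx) : cond.value;
  if (left === undefined || right === undefined) return false;
  return op(left, right);
}

class PolicyEngine {
  constructor() {
    // role -> Map(permission "action:resourceType" -> [{ conditions }]).
    // A rule matches when ALL its conditions hold; a permission is granted
    // when ANY rule for it matches.
    this.roles = new Map();
  }

  // Dynamic role management: create a role or add a permission to it at runtime.
  grant(role, permission, conditions = []) {
    if (!this.roles.has(role)) this.roles.set(role, new Map());
    const perms = this.roles.get(role);
    if (!perms.has(permission)) perms.set(permission, []);
    perms.get(permission).push({ conditions });
    return this;
  }

  revoke(role, permission) {
    this.roles.get(role)?.delete(permission);
    return this;
  }

  // RBAC step: does one of the subject's roles carry "action:resourceType"?
  // ABAC step: do that rule's attribute conditions hold for this subject and resource?
  can(subject, action, resource) {
    const permission = `${action}:${resource.type}`;
    const ctx = { subject, resource };
    for (const role of subject.roles || []) {
      const rules = this.roles.get(role)?.get(permission);
      if (rules && rules.some((rule) => rule.conditions.every((c) => evaluateCondition(c, ctx)))) {
        return true;
      }
    }
    return false; // default deny: unknown role, no permission, or no rule satisfied
  }
}

// Policies modelled on the wiki's table (assumed reading, see lead-in).
function buildEngine() {
  return new PolicyEngine()
    .grant("admin", "delete:user")
    .grant("manager", "approve:expense", [
      { attr: "resource.amount", op: "lte", value: 1000 },
      { attr: "resource.department", op: "eq", ref: "subject.department" },
    ])
    .grant("manager", "approve:expense", [
      { attr: "subject.department", op: "eq", value: "Finance" },
      { attr: "resource.amount", op: "gt", value: 1000 },
    ]);
}

// Worked decisions over constructed subjects and resources.
function demo() {
  const engine = buildEngine();
  const admin = { roles: ["admin"], department: "IT" };
  const financeMgr = { roles: ["manager"], department: "Finance" };
  const itMgr = { roles: ["manager"], department: "IT" };
  const big = { type: "expense", amount: 5000, department: "IT" };
  const small = { type: "expense", amount: 500, department: "IT" };
  const decisions = {
    adminDeletesUser: engine.can(admin, "delete", { type: "user" }),
    managerDeletesUser: engine.can(financeMgr, "delete", { type: "user" }),
    financeMgrApprovesBig: engine.can(financeMgr, "approve", big),
    itMgrApprovesBig: engine.can(itMgr, "approve", big),
    itMgrApprovesSmall: engine.can(itMgr, "approve", small),
    financeMgrApprovesSmallInIT: engine.can(financeMgr, "approve", small),
  };
  engine.revoke("manager", "approve:expense"); // runtime change takes effect immediately
  decisions.itMgrApprovesSmallAfterRevoke = engine.can(itMgr, "approve", small);
  return decisions;
}

console.log(demo());
```

Wired into Express, the middleware would load the subject's roles and attributes from the verified JWT claims, build the resource from the request (route parameters and body), and call `can()`; because roles live in a mutable map rather than in route code, an admin endpoint can change grants without a redeploy, which is the dynamic role management the page describes.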
| Factor | Trade-off |
|---|---|
| Security | ABAC increases security but requires careful policy management. |
| Performance | Policy evaluation can slow down requests; caching helps. |
| Flexibility | More dynamic than RBAC, but requires policy updates. |
| Scalability | Scales better than RBAC alone, but needs efficient policy indexing. |
By combining RBAC & ABAC, we get fine-grained, dynamic access control, ideal for large-scale enterprise applications.