RBAC on APIs as well as modules & submodules

Hello everyone,

I am working on a project that is entirely based on role-based accessibility. It is a company management portal that has different pages for employees, admins, HR, and other roles.

This management portal is designed to be customizable, allowing any company to create their own unique roles and permissions based on the specific modules and submodules that they require.

Let me explain it in more detail. I have several schemas:

  1. Modules (They describe which part or feature a submodule belongs to)
  2. Sub-modules (These are actual web pages, such as “all-employees,” “employee/:id,” “settings,” etc.)
  3. Roles (such as employee, HR, accounts, CEO, etc.)
  4. Users (employees)
  5. Permissions (explained below)

Both employees and CEOs can visit the “/employees” page, which includes the “edit” and “delete” options. However, only the CEO can use these buttons.

To handle this issue, I am creating a module- and submodule-based access relation in the permission schema. The purpose of the permission schema is to control user access in the frontend.

The question now is how to add RBAC to APIs.

  1. For the above image, an employee can’t perform a write operation on the “all-employees” page, but they can update their own profile. As the update is set to false in the permission, the user won’t be allowed to do that.

  2. For the designation page, the user also has access to the APIs. However, what if the user wasn’t allowed access to the designation page? In that case, the read option will also be false, and the user won’t see any filter option.

  3. Based on the above approach, a person can access all the functionalities using APIs directly.

If you have any suggestions, please write them down. Thank you in advance.
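One way to close the gap described in point 3, as an added example that is not code from the original post: make every API route declare which submodule it belongs to, and have the server check the same permission row that the frontend uses to hide buttons. The role comes from the server-side session, the owner of a targeted record comes from the database, and anything without an explicit permission row is denied. The collection shapes, the `scope` field (`all` vs `own`), the route paths and the sample users are all assumptions made for this example.

```javascript
// Added example: server-side enforcement of module/submodule permissions for API calls.
// Not the original poster's code; schema names, the `scope` field and routes are assumed.
'use strict';

// Constructed rows standing in for the Permissions collection. Each row says which
// role may do which actions on which submodule, and whether that applies to all
// records ('all') or only to the caller's own record ('own').
const PERMISSIONS = [
  { role: 'ceo',      module: 'employees', submodule: 'all-employees', actions: { read: true,  create: true,  update: true,  delete: true  }, scope: 'all' },
  { role: 'ceo',      module: 'employees', submodule: 'employee/:id',  actions: { read: true,  create: false, update: true,  delete: false }, scope: 'all' },
  { role: 'employee', module: 'employees', submodule: 'all-employees', actions: { read: true,  create: false, update: false, delete: false }, scope: 'all' },
  { role: 'employee', module: 'employees', submodule: 'employee/:id',  actions: { read: true,  create: false, update: true,  delete: false }, scope: 'own' },
  { role: 'ceo',      module: 'settings',  submodule: 'designations',  actions: { read: true,  create: true,  update: true,  delete: true  }, scope: 'all' },
  // No row for employee on 'designations': the API is denied by default, not just hidden.
];

// Constructed Users collection. The role is resolved from the authenticated
// session on the server; it is never read from the request body or a header.
const USERS = {
  u1: { id: 'u1', role: 'ceo' },
  u2: { id: 'u2', role: 'employee' },
  u3: { id: 'u3', role: 'employee' },
};

// Constructed employee records, used only to look up who owns a targeted record.
const EMPLOYEE_RECORDS = { u1: { ownerId: 'u1' }, u2: { ownerId: 'u2' }, u3: { ownerId: 'u3' } };

// Which permission flag each HTTP method needs.
const METHOD_ACTION = { GET: 'read', POST: 'create', PUT: 'update', PATCH: 'update', DELETE: 'delete' };

function findPermission(role, submodule) {
  return PERMISSIONS.find((p) => p.role === role && p.submodule === submodule) || null;
}

// Decide whether userId may perform `method` on `submodule`. `ownerId` is the owner
// of the targeted record as loaded by the server, so the 'own' scope cannot be
// spoofed by a client claiming a different id. Returns { allowed, reason }.
function authorize({ userId, method, submodule, ownerId = null }) {
  const user = USERS[userId];
  if (!user) return { allowed: false, reason: 'unauthenticated' };
  const action = METHOD_ACTION[method];
  if (!action) return { allowed: false, reason: 'unsupported method' };
  const perm = findPermission(user.role, submodule);
  if (!perm) return { allowed: false, reason: 'no permission row (deny by default)' };
  if (!perm.actions[action]) return { allowed: false, reason: `${action} not granted` };
  if (perm.scope === 'own' && ownerId !== user.id) return { allowed: false, reason: 'not owner' };
  return { allowed: true, reason: 'ok' };
}

// What the frontend receives for a page: the same row the API enforces, so hiding
// a button and rejecting the API call can never disagree.
function uiPermissions(userId, submodule) {
  const user = USERS[userId];
  const perm = user ? findPermission(user.role, submodule) : null;
  return perm
    ? { ...perm.actions, scope: perm.scope }
    : { read: false, create: false, update: false, delete: false, scope: 'none' };
}

// Route table: every API route declares the submodule it belongs to (assumed paths).
const ROUTES = [
  { method: 'GET',    path: /^\/api\/employees$/,             submodule: 'all-employees' },
  { method: 'DELETE', path: /^\/api\/employees\/([^\/]+)$/,   submodule: 'all-employees' },
  { method: 'PUT',    path: /^\/api\/employees\/([^\/]+)$/,   submodule: 'employee/:id' },
  { method: 'GET',    path: /^\/api\/designations$/,          submodule: 'designations' },
];

// Dispatch one request: match the route, load ownership from the record store,
// then authorize. Returns the HTTP status the API would answer with.
function handle(userId, method, path) {
  const route = ROUTES.find((r) => r.method === method && r.path.test(path));
  if (!route) return 404;
  const recordId = path.match(route.path)[1];
  let ownerId = null;
  if (recordId !== undefined) {
    const rec = EMPLOYEE_RECORDS[recordId];
    if (!rec) return 404;
    ownerId = rec.ownerId;
  }
  return authorize({ userId, method, submodule: route.submodule, ownerId }).allowed ? 200 : 403;
}

// Usage: an employee editing someone else's profile is refused even though the
// "employee/:id" row grants update, because the scope is 'own'.
console.log(handle('u2', 'PUT', '/api/employees/u3'), handle('u2', 'PUT', '/api/employees/u2'));
```

The two things that matter here are that the decision never depends on anything the client sends beyond the authenticated session and the URL, and that a missing row means "no" rather than "not mentioned". Whatever frontend flags are sent down should be derived from `uiPermissions`, i.e. from the same rows, so the UI can only ever hide a subset of what the API already refuses.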