Access Control
Permission-Based Access Control
- Instead of broad roles, access is controlled by specific permissions (privileges).
- Permissions are fine-grained (e.g., post:read, post:create, post:delete).
- Users can have multiple permissions, either directly or via roles.
How PBAC Works
- User authenticates → the server issues a JWT whose payload carries the user's list of permissions.
- On every request the API first verifies the token (signature and expiry), then checks whether the permission required by that route is present; if it is missing, the request is refused with 403.
- Caveat: permissions baked into a token cannot be changed until the token expires, so a revoked permission stays effective until the client obtains a fresh token. Keep token lifetimes short or re-check permissions server-side for sensitive actions.
PBAC in REST API
JWT Payload
{
"sub": "123",
"name": "Masum Billah",
"permissions": ["post:read", "post:create", "post:update"],
"exp": 1736790400
}
Request (User trying to delete a post)
DELETE /posts/42 HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1...
Server Check
- Extract permissions from the verified token: ["post:read", "post:create", "post:update"]
- Required permission for this route: post:delete
- User does not have it → return 403 Forbidden
Response
{
"error": "Missing required permission: post:delete"
}
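The full check described above, as an added example that is not code from the original page: it verifies an HS256 JWT with the standard library (signature, pinned algorithm, expiry), merges direct permissions with permissions inherited from roles (the "directly or via roles" point from the introduction), and answers the DELETE /posts/42 request with the 403 shown above. The secret, the role-to-permission map and the route table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret (assumption); load from a secret store in real code.
SECRET = b"example-hs256-secret-do-not-use"

# Hypothetical role -> permission map (assumption, not from the page).
ROLE_PERMISSIONS = {
    "viewer": {"post:read"},
    "editor": {"post:read", "post:create", "post:update"},
    "admin": {"post:read", "post:create", "post:update", "post:delete"},
}

# Hypothetical route table: (method, collection) -> required permission.
ROUTES = {
    ("GET", "/posts"): "post:read",
    ("POST", "/posts"): "post:create",
    ("PUT", "/posts"): "post:update",
    ("DELETE", "/posts"): "post:delete",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(payload: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to build realistic input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify signature and expiry before trusting any claim; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side: the token must not choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def effective_permissions(payload: dict) -> set:
    """Direct permissions plus everything granted through the user's roles."""
    perms = set(payload.get("permissions", []))
    for role in payload.get("roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(method: str, path: str, authorization_header: str, now=None) -> tuple:
    """Return (status, body) for a request, mirroring the page's server check."""
    collection = "/" + path.strip("/").split("/")[0]
    required = ROUTES.get((method, collection))
    if required is None:
        return 404, {"error": "no such route"}
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        payload = verify_token(authorization_header[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    # Authorization happens only after the token has been authenticated.
    if required not in effective_permissions(payload):
        return 403, {"error": f"Missing required permission: {required}"}
    return 200, {"sub": payload["sub"], "action": required}


if __name__ == "__main__":
    token = make_token({"sub": "123", "name": "Masum Billah",
                        "permissions": ["post:read", "post:create", "post:update"],
                        "exp": 1736790400})
    print(authorize("DELETE", "/posts/42", "Bearer " + token, now=1736700000))
```

The order matters: a token whose signature fails, whose alg header has been changed, or whose exp has passed is rejected with 401 before its permissions claim is ever read, so an attacker cannot grant themselves post:delete by editing the payload.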
RBAC vs PBAC
| Feature | RBAC (Role-Based) | PBAC (Permission-Based) |
|---|---|---|
| Granularity | Coarse (role level) | Fine-grained (action level) |
| Example Assignment | role = editor | permissions = ["post:read","post:update"] |
| Easy to Manage | ✅ (few roles to assign) | ❌ (many permissions per user; usually bundled into roles to stay manageable) |
| Flexibility | ❌ Limited (a new capability often means a new role) | ✅ Very flexible (grant exactly one action) |
| Use Case | Small/medium apps | Large systems with many actions |