App Logo
Plugins

Access Control Plugin

Manage roles, permissions, and user access.

Overview

The Access Control plugin provides a comprehensive Role-Based Access Control (RBAC) system for managing authorization in your application. It enables you to define roles, assign permissions to those roles, and grant roles to users, creating a flexible and scalable authorization model.

What It Does

  • Role Management — Create and manage roles. Supports system-managed roles that cannot be modified or deleted once created. Roles also support adding a weight to determine their hierarchy and precedence. This is reminicent of the concept of "role hierarchy" in traditional RBAC systems, but implemented with a flexible weight system that allows for more granular control.
  • Permission Management — Define fine-grained permissions with unique keys
  • Role-Permission Mapping — Associate permissions with roles and manage bulk updates
  • User Authorization — Assign roles to users and query their effective permissions
  • Audit Tracking — Track who granted permissions and assigned roles

The plugin uses a hierarchical model: Users → Roles → Permissions, allowing you to manage authorization at any level and simplifying policy changes across multiple users.


Configuration

Standalone Mode

[plugins.access_control]
enabled = true

Library Mode

accesscontrolplugin "github.com/Authula/authula/plugins/access-control"
accesscontrolplugintypes "github.com/Authula/authula/plugins/access-control/types"

accesscontrolplugin.New(accesscontrolplugintypes.AccessControlPluginConfig{
  Enabled: true,
})

API Reference

Each endpoint in this plugin requires the caller to have a specific hardcoded permission assigned to their role(s).

Roles Management

HTTP MethodRoute PathDescriptionRequired Permission
POST/access-control/rolesCreate a new roleaccess-control:roles:create
GET/access-control/rolesList all available rolesaccess-control:roles:list
GET/access-control/roles/by-name/{role_name}Get a role by nameaccess-control:roles:read
GET/access-control/roles/{role_id}Get a role by IDaccess-control:roles:read
PATCH/access-control/roles/{role_id}Update a roleaccess-control:roles:update
DELETE/access-control/roles/{role_id}Delete a roleaccess-control:roles:delete

Permissions Management

HTTP MethodRoute PathDescriptionRequired Permission
POST/access-control/permissionsCreate a new permissionaccess-control:permissions:create
GET/access-control/permissionsList all permissionsaccess-control:permissions:list
GET/access-control/permissions/{permission_id}Get a permission by IDaccess-control:permissions:read
PATCH/access-control/permissions/{permission_id}Update a permissionaccess-control:permissions:update
DELETE/access-control/permissions/{permission_id}Delete a permissionaccess-control:permissions:delete

Role-Permission Mapping

HTTP MethodRoute PathDescriptionRequired Permission
POST/access-control/roles/{role_id}/permissionsAdd a single permission to a roleaccess-control:role-permissions:assign
GET/access-control/roles/{role_id}/permissionsGet all permissions assigned to a roleaccess-control:role-permissions:read
PUT/access-control/roles/{role_id}/permissionsReplace all permissions of a role (bulk update)access-control:role-permissions:assign
DELETE/access-control/roles/{role_id}/permissions/{permission_id}Remove a permission from a roleaccess-control:role-permissions:remove

User Access & Permissions

HTTP MethodRoute PathDescriptionRequired Permission
GET/access-control/users/{user_id}/rolesGet all roles assigned to a useraccess-control:user-roles:read
POST/access-control/users/{user_id}/rolesAssign a role to a useraccess-control:user-roles:assign
PUT/access-control/users/{user_id}/rolesReplace all roles of a user (bulk update)access-control:user-roles:assign
DELETE/access-control/users/{user_id}/roles/{role_id}Remove a role from a useraccess-control:user-roles:remove
GET/access-control/users/{user_id}/permissionsGet all permissions for a useraccess-control:user-permissions:read
POST/access-control/users/{user_id}/permissions/checkCheck whether a user has permissionsaccess-control:user-permissions:check

Database Schema

This plugin creates the following database tables:

Table: access_control_roles

FieldTypeKeyDescription
idstringPKUnique identifier for the role
namestring-Name of the role
descriptionstring?-Role description
weightint-Role weight for hierarchy
is_systemboolean-Whether role is system-managed
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: access_control_permissions

FieldTypeKeyDescription
idstringPKUnique identifier for permission
keystring-Permission key identifier
descriptionstring?-Permission description
is_systemboolean-Whether permission is system-managed
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: access_control_role_permissions

FieldTypeKeyDescription
role_idstringPKRole identifier
permission_idstringPKPermission identifier
granted_by_user_idstring?FKUser who granted the permission
granted_attimestamp-Time when permission was granted

Table: access_control_user_roles

FieldTypeKeyDescription
user_idstringPKUser identifier
role_idstringPKRole identifier
assigned_by_user_idstring?FKUser who assigned the role
assigned_attimestamp-Time when role was assigned
expires_attimestamp?-Time when role assignment expires

Migrations are automatically handled when the plugin is initialized.


Plugin Capabilities

Example Usage

Standalone mode:

[[route_mappings]]
path = "/some/path"
method = "GET"
# Make sure to include an auth capability plugin (e.g. session.auth) before the access control plugin
# to ensure the user is authenticated before enforcing permissions.
plugins = ["session.auth"]
permissions = ["domain:resource:action"] # Specify the required custom permission to access this route

Library mode:

import (
  authulaconfig "github.com/Authula/authula/config"
  authulamodels "github.com/Authula/authula/models"
  sessionplugin "github.com/Authula/authula/plugins/session"
  accesscontrolplugin "github.com/Authula/authula/plugins/access-control"
)

config := authulaconfig.NewConfig(
  // Other config options...
  authulaconfig.WithRouteMappings([]authulamodels.RouteMapping{
    {
      Method: "GET",
      Path:   "/some/path",
      Plugins: []string{
        sessionplugin.HookIDSessionAuth.String(),
      },
      Permissions: []string{
        "domain:resource:action",
      },
    },
  }),
)

Notes

  • System-managed roles and permissions are protected from modification or deletion to ensure critical access controls remain intact.
  • Role weights allow you to establish a hierarchy, where higher-weighted roles take precedence over lower-weighted ones. This is very useful for scenarios where users may have multiple roles, and you want to determine which role is of higher priority. Also this is important to take into consideration as a user can only grant roles with equal or lower weight than their highest role, preventing privilege escalation.
    • An example of this is an Admin role with weight 100, Editor role with weight 50, and Viewer role with weight 25. An Admin can assign any of these roles, while an Editor can only assign the Viewer role.

Client Plugin

If you're using the Authula SDK, add the plugin to the SDK like so:

import { createClient } from "authula";
import { AccessControlPlugin } from "authula/plugins";

export const authulaClient = createClient({
  url: "http://localhost:8080/auth",
  plugins: [
    // other plugins...
    new AccessControlPlugin(),
  ],
});

On this page