RBAC
Overview
Primebrick uses Role-Based Access Control (RBAC) with a wildcard-based permission system. Permissions are expressive, easy to reason about, and integrated with Casdoor for identity-level role mapping.
Permission format
Permissions follow a three-part dot notation:
Code
| Part | Description | Examples |
|---|---|---|
module | The business module | customers, billing, inventory |
action | The operation | read, write, delete, export |
granularity | The scope level | * (all), own (own data), team (team data) |
Examples
Code
Wildcards
The * character acts as a wildcard and can appear in any segment:
Code
Pattern matching is performed at runtime. A user's permissions are checked against the required permission using wildcard expansion:
Code
Roles
Roles are collections of permissions. A role bundles together the permissions needed for a specific job function:
| Role | Example permissions |
|---|---|
viewer | *.read.own |
editor | customers.read.*, customers.write.own |
admin | *.*.* |
Role storage
Role-to-permission mappings are stored in the database and managed via the admin UI or API. Roles are integrated with Casdoor — Casdoor manages users and their role assignments, and Primebrick syncs this information to resolve permissions at request time.
Admin bypass
Users with is_admin = true bypass all permission checks. This is an escape hatch for super-administrators and should be granted sparingly.
Code
Permission enum in code
Permissions are defined as a typed enum in the codebase to prevent typos and enable IDE autocompletion:
Code
Middleware checks permissions on every protected route:
Code
How checks work
- The middleware extracts the JWT from the
Authorizationheader. - It loads the user's roles and their associated permissions from the database.
- If
is_adminis true, the check passes immediately. - Otherwise, it tests each of the user's permissions against the required permission using wildcard matching.
- If any permission matches, the request proceeds. Otherwise, a
403Problem Details error is returned.
Next steps
- Authentication — how tokens are obtained before RBAC checks.
- Error Handling — what a permission-denied error looks like.
- Microservice Standard — how microservices enforce RBAC.