4.10. User and role access controls#

Access control is the process of restricting access to certain parts of a web application based on who the user is and what they are allowed to do. This ensures that users only have access to the features and data relevant to them.

There are two common types of access control:

  • User-Based Access Control (UBAC) – Permissions are assigned to individual users.

  • Role-Based Access Control (RBAC) – Users are assigned roles, and roles define what actions they can perform.

4.10.1. User-Based Access Control (UBAC)#

In User-Based Access Control (UBAC), permissions are set on a per-user basis. The simplest form of UBAC is restricting a user’s access so that they can only view and edit their own data.

This idea can be extended to grant users access to various data or pages on a website. For example, in a file-sharing system (e.g. Google Drive or Microsoft OneDrive), individual users can be granted access to specific files or folders.

4.10.2. Role-Based Access Control (RBAC)#

In Role-Based Access Control (RBAC), users are assigned roles and roles define permissions. RBAC is useful when there are clear pre-defined levels of permission to be applied to data or web pages.

RBAC can be broadly divided into two types:

  • hierarchical

  • compositional

Hierarchical Roles#

In hierarchical RBAC, roles are structured in a hierarchy, with each level granting progressively more permissions. A user assigned to a role has the permissions of that role and of all roles below it.

For example the table below shows roles and permissions in a blogging system:

| Role   | Create Posts | Edit Posts | Delete Posts | Manage Users |
|--------|--------------|------------|--------------|--------------|
| Admin  | ✅ Yes       | ✅ Yes     | ✅ Yes       | ✅ Yes       |
| Editor | ✅ Yes       | ✅ Yes     | ❌ No        | ❌ No        |
| User   | ✅ Yes       | ❌ No      | ❌ No        | ❌ No        |

This can be implemented with a single additional field in a users table, for example:

USERS

| id | username | password   | email              | role   |
|----|----------|------------|--------------------|--------|
| 1  | jdoe     | Pass123!   | doe@example.com    | admin  |
| 2  | asmith   | Secure#456 | asmith@example.com | editor |
| 3  | mbrown   | MyP@ss789  | mbrown@example.com | user   |

Compositional Roles#

With compositional roles, a user can be associated with multiple roles, and each role is associated with its own set of permissions; the user's effective permissions are the union of those sets.

For example the table below shows roles and permissions in a blogging system:

| Role   | Create Posts | Edit Posts | Delete Posts | Manage Users |
|--------|--------------|------------|--------------|--------------|
| Admin  | ❌ No        | ❌ No      | ✅ Yes       | ✅ Yes       |
| Editor | ❌ No        | ✅ Yes     | ❌ No        | ❌ No        |
| User   | ✅ Yes       | ❌ No      | ❌ No        | ❌ No        |

This can be implemented with a User table and a UserRole table:

USERS

| id | username | password   | email              | role   |
|----|----------|------------|--------------------|--------|
| 1  | jdoe     | Pass123!   | doe@example.com    | admin  |
| 2  | asmith   | Secure#456 | asmith@example.com | editor |
| 3  | mbrown   | MyP@ss789  | mbrown@example.com | user   |

USERROLES

| id | user_id | role   |
|----|---------|--------|
| 1  | 1       | admin  |
| 2  | 1       | editor |
| 3  | 1       | user   |
| 4  | 2       | editor |
| 5  | 2       | user   |
| 6  | 3       | user   |
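The two models above, hierarchical roles (a single role field with inheritance) and compositional roles (USERROLES rows whose permission sets are unioned), as an added Python example that is not part of the course tutorials. The role and permission names and the USERROLES rows are taken from the tables above; the `is_authorized` helper and the fail-closed handling of unknown roles are assumptions of this example.

```python
from typing import FrozenSet, Iterable, Tuple

# Roles ordered lowest to highest for the hierarchical model (first table).
HIERARCHY = ["user", "editor", "admin"]

# Permissions each role adds, read off the compositional table. In that table
# every role is an independent set; the hierarchical table is the same data
# with each role also inheriting everything from the roles below it.
ROLE_GRANTS = {
    "user": frozenset({"create_posts"}),
    "editor": frozenset({"edit_posts"}),
    "admin": frozenset({"delete_posts", "manage_users"}),
}

# Rows of the USERROLES table above as (user_id, role) pairs.
USER_ROLES = [(1, "admin"), (1, "editor"), (1, "user"),
              (2, "editor"), (2, "user"), (3, "user")]


def hierarchical_permissions(role: str) -> FrozenSet[str]:
    """Effective permissions of a single role field: the role's own grants plus
    those of every role beneath it. Unknown roles get nothing (fail closed)."""
    if role not in HIERARCHY:
        return frozenset()
    granted = set()
    for lower_or_equal in HIERARCHY[: HIERARCHY.index(role) + 1]:
        granted |= ROLE_GRANTS[lower_or_equal]
    return frozenset(granted)


def compositional_permissions(user_id: int,
                              user_roles: Iterable[Tuple[int, str]]) -> FrozenSet[str]:
    """Effective permissions under the compositional model: the union of the
    grants of every role assigned to this user in USERROLES; no inheritance."""
    granted = set()
    for uid, role in user_roles:
        if uid == user_id:
            granted |= ROLE_GRANTS.get(role, frozenset())
    return frozenset(granted)


def is_authorized(effective: FrozenSet[str], action: str) -> bool:
    """The check a route handler makes before acting, e.g. before deleting a post."""
    return action in effective
```

Note the consequence of the compositional table: a user holding only the admin role can delete posts and manage users but cannot create a post, because nothing is inherited.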

4.10.3. Implementing Access Control#

Implementing access control can be as simple as adding a condition to a route function to check that the user owns the requested resource.

More sophisticated features, such as granting permissions on other users' resources or assigning roles, require recording the grants or roles in a database.

In practice, UBAC and RBAC can be combined to assign specific roles to a user for particular data or web pages.

Demo: User access control from scratch

Note

This tutorial demonstrates a simple way to implement user access control (user level permissions) with Flask. Run it like a normal Flask app.

Users

The database has been populated with two users:

  1. user1 with password password1

  2. user2 with password password2

[Animated screenshot: user_access_control_loop.gif]

Note

Jane can access Bob’s dashboard but Bob cannot access Jane’s dashboard.

Models

In addition to the User model we’ve been using so far, we’re adding a model to hold the UserPermissions details in the database. This table records a user granting permission to another user.

The permission model fields are:

  • id - the unique identifier of the permission association

  • owner_id - a foreign key to the associated owner

  • granted_user_id - a foreign key to the user who has been granted permission

Dashboard

On the dashboard you can view the:

  • currently logged in user details

  • the profile pages of users you have access to

To generate this page, the user permissions table is joined with the user table.

Note

Log in as the test user and check whether you can see the admin profile page.

Profile

The profile page shows the profile for a user if you have access to that user.
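The User and UserPermissions models, the dashboard join and the profile-page check described above, as an added example that is not the tutorial's code: it uses the standard-library sqlite3 module instead of Flask's models so it runs stand-alone. The two usernames come from the tutorial; the single grant row, the table names and the placeholder password hashes are constructed for this example (a real app stores a password hash, not the plaintext shown in the earlier tables).

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL          -- a hash, never the plaintext password
);
CREATE TABLE user_permissions (
    id              INTEGER PRIMARY KEY,
    owner_id        INTEGER NOT NULL REFERENCES users(id),
    granted_user_id INTEGER NOT NULL REFERENCES users(id),
    UNIQUE (owner_id, granted_user_id)
);
"""


def build_db() -> sqlite3.Connection:
    """In-memory database holding the tutorial's two users and one constructed grant."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Hash values are placeholders standing in for real password hashes.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "user1", "<hash-of-password1>"), (2, "user2", "<hash-of-password2>")])
    # Constructed grant: user1 (owner) lets user2 view user1's profile; nothing is
    # inserted in the other direction, so the access is one-way.
    db.execute("INSERT INTO user_permissions (owner_id, granted_user_id) VALUES (1, 2)")
    db.commit()
    return db


def accessible_profiles(db: sqlite3.Connection, current_user_id: int) -> list:
    """Dashboard query: the user's own row plus every owner who granted them
    access, obtained by joining user_permissions to users."""
    rows = db.execute(
        "SELECT u.id AS id, u.username AS username FROM users u WHERE u.id = :me "
        "UNION "
        "SELECT u.id AS id, u.username AS username FROM user_permissions p "
        "JOIN users u ON u.id = p.owner_id WHERE p.granted_user_id = :me "
        "ORDER BY id", {"me": current_user_id}).fetchall()
    return [(row[0], row[1]) for row in rows]


def can_view_profile(db: sqlite3.Connection, current_user_id: int, target_user_id: int) -> bool:
    """Profile route check, decided server-side from the session user rather than
    from anything the client sent: own profile, or an explicit grant by the target."""
    if current_user_id == target_user_id:
        return True
    row = db.execute(
        "SELECT 1 FROM user_permissions WHERE owner_id = ? AND granted_user_id = ?",
        (target_user_id, current_user_id)).fetchone()
    return row is not None
```

In a Flask route, `current_user_id` would come from the login session and `target_user_id` from the URL; the route returns 403 whenever `can_view_profile` is false.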

Download and run the tutorial.

TUTORIAL_user_access_control_from_scratch.zip

Demo: Role access control from scratch

Note

This tutorial demonstrates a simple way to implement role based access control with Flask. Run it like a normal Flask app.

Users

The database has been populated with three users:

  1. admin with password password123

  2. editoruser with password editorpass

  3. user with password userpass

Models

The User model has been augmented by adding a role field, which takes one of three values:

  • "admin"

  • "editor"

  • "user"

Dashboard

On the dashboard you can view the:

  • currently logged in user details

  • controls associated with the user’s role

[Animated screenshot: role_access_control_loop.gif]

Note

Log in as the different users to see the different controls for each role type. Note that the admin controls on each page are placeholders for demonstration purposes and are not functional.

Download and run the tutorial.

TUTORIAL_role_access_control_from_scratch.zip