Layered Permission / roles logic (advice needed)

Would love some input on the following.

We have multiple layers of permissions for each role (in a SaaS context).
The roles are:

  • Student (end user who watches courses)
  • Teacher (person uploading and managing courses)
    • Teacher assistant
  • Admin (employees of our company like customer support)

Each role has different layers of permissions.
Here’s an example of what we have so far; please keep in mind that the roles might be adjusted in the future. We want fine control over what each role can access exactly, so this system needs to allow that.

Example of roles and their permissions

Student can access:

  • logged in area
  • free courses in said area
  • paid courses if enrolled

Teacher can:

  • access all that the student can access
  • fully access management features of their school

Teacher ‘assistant’ (user with a bit less rights) can:

  • access all that the student can access
  • Partly access management features of their school

Admin can:

  • Access all the student can
  • Access all the teacher can
  • Fully access application wide management features

Admin ‘assistant’ (bit less rights again) can:

  • Access all the student can
  • Access all the teacher can
  • Partly access application wide management features

My question

Currently I have 3 functional roles set up in the security provider:

But I don’t think this can accommodate what I want. The possible solution I see would get really messy in a few months. Please let me know if you’ve done something similar!

Possible solutions I see

  1. Keep just these 3 roles in the security provider, create new library actions for each specific permission, like:
     • teacher_full_access
     • teacher_assistant_access
     • teacher_customer_support_access
     Then in each library action set up database queries to check if that user has got access to the stuff it wants to change. I.e. if they are part of the customer_support team, then they can’t upload new videos to a course. So in the upload_video_to_course server action I will add this library action: teacher_customer_support_access.
     Then this action will query the course it’s trying to access and another table with the permissions defined.
     This is what the permission table would look like:
     • id
     • User_id (ref)
     • course_id (ref)
     • permission_level (int)

While typing I have the feeling I’m overcomplicating things?


Hey @karh, did you find a good solution? I’m struggling with how to set up a robust RBAC and ACL system.

Hey Keith, in the end I’ve made a system using library actions and I’m not using the built-in permissions at all, other than checking if the user is logged in.

I can now include these library actions on each server action or page load (in the server action that is run on that route, using NodeJS). This works fairly well for me since setting it up.

I’ve later extended it with the items folder and features folders. So these are a bit different, they’re also to be run from other server actions - but as an ‘exec’ and I should pass something. For example I have an item ‘course’ which certain users have access to. So I execute this library action with course id as param. That way I can protect from users changing form inputs client side and trying to change items that they don’t have access to.

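As an added example (not code from this thread or from Wappler's library actions), here is the combination both posts describe in plain Node.js: coarse roles that inherit from each other, plus the proposed per-course permission table consulted by each action with the course id taken from the server-side request. Role names, level values, the action-to-level mapping and the sample rows are assumed.

```javascript
// Coarse roles, each inheriting the roles it lists (assumed names):
// student < teacher_assistant < teacher, and admin_assistant < admin.
// Fine-grained rights come from the permission table, not from more roles.
const ROLE_INHERITS = {
  student: [],
  teacher_assistant: ['student'],
  teacher: ['teacher_assistant'],
  admin_assistant: ['student'],
  admin: ['admin_assistant'],
};

// permission_level values stored per (user_id, course_id) row, as in the proposed table.
const LEVEL = { NONE: 0, VIEW: 1, MANAGE_PARTIAL: 2, MANAGE_FULL: 3 };

// Minimum course level each server action needs (assumed mapping). Uploading is a
// full-management right, so customer support without a course row cannot upload.
const REQUIRED = {
  view_course: LEVEL.VIEW,
  edit_course_text: LEVEL.MANAGE_PARTIAL,
  upload_video: LEVEL.MANAGE_FULL,
};

// Constructed sample rows of the permission table.
const PERMISSIONS = [
  { id: 1, user_id: 10, course_id: 100, permission_level: LEVEL.MANAGE_FULL },    // teacher of course 100
  { id: 2, user_id: 11, course_id: 100, permission_level: LEVEL.MANAGE_PARTIAL }, // teacher assistant
  { id: 3, user_id: 12, course_id: 100, permission_level: LEVEL.VIEW },           // enrolled student
];

// True when `role` is `wanted` or inherits it (unknown roles inherit nothing).
function roleIncludes(role, wanted) {
  if (role === wanted) return true;
  return (ROLE_INHERITS[role] || []).some((r) => roleIncludes(r, wanted));
}

// Level a user holds on one course. Application-wide roles may view any course;
// anything beyond viewing needs an explicit row. No row means NONE.
function courseLevel(user, courseId) {
  const row = PERMISSIONS.find((p) => p.user_id === user.id && p.course_id === courseId);
  const granted = row ? row.permission_level : LEVEL.NONE;
  return roleIncludes(user.role, 'admin_assistant') ? Math.max(granted, LEVEL.VIEW) : granted;
}

// The check a server action runs with the course id it received on the server, so a
// client that edits a hidden form field to point at another course still fails here.
function isAllowed(user, action, courseId) {
  const needed = REQUIRED[action];
  if (needed === undefined) return false;                // unknown action: deny by default
  if (!roleIncludes(user.role, 'student')) return false; // must hold at least the base role
  return courseLevel(user, courseId) >= needed;
}
```

Each library action in the thread's design would wrap one `isAllowed(...)` call for its action name; adding a new permission means adding a row to `REQUIRED` rather than a new role in the security provider.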