This article discusses the challenges of implementing traditional RBAC in complex enterprise environments and proposes an enhanced layered model. It focuses on extending basic RBAC with concepts like scoped roles, granular resource-action-constraint permissions, and explicit separation of duties to meet the demands of regulated industries like banking, ensuring scalability, auditability, and maintainability.
Read original on Dev.to #systemdesignWhile authentication often receives significant attention, the article highlights that authorization is a critical, yet often overlooked, area where enterprise systems can fail. Traditional RBAC (User "to" Role ">" Permissions) proves insufficient in complex organizational structures due to multiple user roles, context-dependent permissions, temporary access requirements, and stringent regulatory demands such as separation of duties.
The author proposes a more robust RBAC model that extends the basic structure with key enhancements:
User
└── has many → UserRoles (with scope + expiry)
└── belongs to → Role
└── has many → RolePermissions
└── belongs to → Permission (resource + action + scope)The enforcement of this authorization model typically involves a two-tiered approach: a route-level middleware for coarse-grained checks to quickly determine if a user has any permission for a resource, and fine-grained policy checks within application logic or services for complex, context-aware authorization decisions. This distributed enforcement strategy balances security with performance and developer experience.