Role-Based Access Control (RBAC)

Fine-grained authorization system for multi-tenant environments.

Overview

StrataRouter Enterprise provides comprehensive RBAC capabilities for controlling access to routing features, execution data, and administrative functions.

Core Concepts

Roles

pub struct Role {
    pub id: String,
    pub name: String,
    pub description: String,
    pub permissions: Vec<String>,
    pub inherits_from: Vec<String>,
}

Built-in Roles: - admin: Full system access - operator: Manage routing and executions - developer: Access API and integration features - analyst: Read-only access to metrics and logs - user: Basic routing capabilities

Permissions

Permission format: resource:action

Examples:

routing:read
routing:write
routing:execute
executions:read
metrics:read
admin:users
admin:tenants

Configuration

use stratarouter_enterprise::rbac::{RbacEngine, Role, Permission};

// Create RBAC engine
let rbac = RbacEngine::new(db_pool);

// Define custom role
rbac.create_role(Role {
    id: "data_scientist".to_string(),
    name: "Data Scientist".to_string(),
    description: "Access to metrics and experiments".to_string(),
    permissions: vec![
        "routing:read".to_string(),
        "executions:read".to_string(),
        "metrics:read".to_string(),
        "experiments:write".to_string(),
    ],
    inherits_from: vec!["user".to_string()],
}).await?;

// Assign role to user
rbac.assign_role(user_id, "data_scientist").await?;

Permission Checking

// Check if user has permission
if rbac.check_permission(user_id, "routing:execute").await? {
    // User can execute routing
    execute_routing(request).await?;
} else {
    return Err("Permission denied");
}

// Middleware example
async fn require_permission(
    user: User,
    permission: &str,
    rbac: RbacEngine,
) -> Result<()> {
    if !rbac.check_permission(&user.id, permission).await? {
        return Err(format!("Permission denied: {}", permission));
    }
    Ok(())
}

Multi-Tenancy Integration

RBAC is tenant-aware:

// Permissions are scoped to tenant
rbac.check_permission_in_tenant(
    user_id,
    tenant_id,
    "routing:execute",
).await?;

Attribute-Based Access Control

Extended RBAC with attributes:

// Define attribute-based policy
let policy = Policy {
    effect: Effect::Allow,
    actions: vec!["routing:execute"],
    resources: vec!["routes/*"],
    conditions: vec![
        Condition::Equals {
            attribute: "user.department",
            value: "engineering",
        },
        Condition::GreaterThan {
            attribute: "request.cost",
            value: 0.10,
        },
    ],
};

Audit Integration

All permission checks are automatically logged to the Audit Log:

audit_log.record(AuditEvent {
    event_type: "permission.check",
    user_id: Some(user_id),
    resource: Some(permission),
    success: granted,
});

See Also

• Authentication - User authentication
• Multi-Tenancy - Tenant isolation
• Security - Security features
• Audit Logging - Audit trails