Skip to content

.7 Roles, Users & Permit.io Setup

Jump to bottom
Collins Dada edited this page May 4, 2025 · 1 revision

Class-Guard uses Permit.io to manage role-based access control (RBAC). Instead of hardcoding permissions, we use Permit’s hosted policy engine (PDP) to make dynamic access decisions.

📌 6.1 What is Permit.io?

Permit.io lets you:

  • Define roles (admin, teacher, student)

  • Assign users to roles

  • Set fine-grained access control to routes or resources

  • Query access decisions via their SDK (used in our Node.js backend)

6.2 Defined Roles

Role Description Key Resources Accessed
admin Has full access to dashboards /admin, /dashboard, /manage
teacher Can view teacher dashboard /teacher-dashboard
student Can view student dashboard /student-dashboard

🛠 6.3 Setting Up Roles in Permit.io Dashboard

  1. Go to Permit.io Console

  2. Create a new project (e.g., Class-Guard)

  3. Under Roles, add:

    • admin

    • teacher

    • student

  4. Under Resources, add:

    • dashboard

    • student-dashboard

    • teacher-dashboard

    • admin-dashboard

  5. Under Actions:

    • Add view, edit, delete, access

  6. Under Policies:
    Define rules such as:

    allow admin to view admin-dashboard
allow student to view student-dashboard
allow teacher to view teacher-dashboard

6.4 Adding Users to Roles

You can assign users in the Permit.io dashboard using email/user ID.

Example:

  • user2345admin

  • user7890student

  • user5678teacher

You can also assign roles via API calls using Permit’s Admin SDK or UI.

6.5 Backend SDK Integration (server.js)

const { Permit } = require("permitio");

const permit = new Permit({
pdp: "https://cloudpdp.api.permit.io",
token: process.env.PERMIT_TOKEN,
});


app.post("/api/check-permission", async (req, res) => {
const { resource, user } = req.body;


try {
const allowed = await permit.check(user, "view", resource);
res.json({ permitted: allowed });
} catch (err) {
res.status(500).json({ error: "Permission check failed" });
}
});

6.6 Frontend Integration Example

In AdminDashboard.jsx, TeacherDashboard.jsx, etc:

useEffect(() => {
  fetch('https://your-backend-url.com/api/check-permission', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      resource: 'admin-dashboard',
      user: 'user2345', // Replace dynamically
    }),
  })
  .then(res => res.json())
  .then(data => {
    if (!data.permitted) {
      setAccessDenied(true);
    }
  });
}, []);

If denied:

if (accessDenied) return <h1>Access Denied</h1>;

6.7 Payload Structure

  • Request Payload:

{
  "user": "user2345",
  "resource": "admin-dashboard"
}

  • Response:

{
  "permitted": true
}

6.8 Security Notes

  • Keep PERMIT_TOKEN private via environment variables.

  • Never expose it in frontend code.

  • Validate roles both client-side and server-side for added security.

Permit’s hosted policy engine (PDP) to make dynamic access decisions.

Clone this wiki locally