ARCHIVED from builddistributedsystem.com on 2026-04-28 — URL: https://builddistributedsystem.com/tracks/securitor/tasks/task-24-1-4-role-based-access-control
TASK

Implementation

RBAC assigns permissions to roles and roles to users. A user can perform an action on a resource only if they hold a role that grants that permission. Admins have a wildcard that grants everything.

Implement a node that enforces RBAC:

// Check if user can write to posts
{ "type": "check_permission", "msg_id": 1,
  "user_id": "user123", "resource": "posts", "action": "write" }
-> { "type": "permission_check", "in_reply_to": 1,
    "allowed": true, "permission": "posts.write" }

// Admin wildcard grants any permission
{ "type": "check_permission", "msg_id": 2,
  "user_id": "admin123", "resource": "settings", "action": "delete" }
-> { "type": "permission_check", "in_reply_to": 2,
    "allowed": true, "reason": "admin has wildcard permission" }

// Assign a role to a user
{ "type": "assign_role", "msg_id": 3,
  "user_id": "user123", "role": "moderator" }
-> { "type": "role_assigned", "in_reply_to": 3,
    "user_id": "user123", "role": "moderator",
    "roles": ["user", "moderator"] }

// Owner can always edit their own resource
{ "type": "check_ownership", "msg_id": 4,
  "user_id": "user123", "resource": "posts",
  "resource_id": "post123", "action": "edit" }
-> { "type": "ownership_check", "in_reply_to": 4,
    "allowed": true, "reason": "resource owner" }

Sample Test Cases

Check user permission (timeout: 5000ms)
Input
{
  "src": "api",
  "dest": "rbac",
  "body": {
    "type": "check_permission",
    "msg_id": 1,
    "user_id": "user123",
    "resource": "posts",
    "action": "write"
  }
}
Expected Output
{"type": "permission_check", "in_reply_to": 1, "allowed": true, "permission": "posts.write"}
Admin wildcard permission (timeout: 5000ms)
Input
{
  "src": "api",
  "dest": "rbac",
  "body": {
    "type": "check_permission",
    "msg_id": 1,
    "user_id": "admin123",
    "resource": "settings",
    "action": "delete"
  }
}
Expected Output
{"type": "permission_check", "in_reply_to": 1, "allowed": true, "reason": "admin has wildcard permission"}

Hints

Hint 1
Permission format: resource.action (e.g. "posts.write", "settings.delete")
Hint 2
Admin role has wildcard permission "*" which grants access to everything
Hint 3
assign_role adds the role to the user and returns the updated full roles list
Hint 4
check_ownership: users can always perform actions on resources they own
Hint 5
allowed is true if the user has the required permission OR is the resource owner
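An added example, not the site's reference solution or code from the task author: an in-memory node that answers all three message types with deny-by-default, the admin wildcard and the owner override from the hints. The role table, the two users and the post owner are constructed sample data, and the error reply shape used for an unknown role is an assumption.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample tables (not from the page): role -> permissions, where
# "*" is the admin wildcard from hint 2; user -> roles; (resource, id) -> owner.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"posts.read", "posts.write"},
    "moderator": {"posts.read", "posts.write", "posts.delete"},
    "admin": {"*"},
}
USER_ROLES: Dict[str, List[str]] = {"user123": ["user"], "admin123": ["admin"]}
OWNERS: Dict[Tuple[str, str], str] = {("posts", "post123"): "user123"}

def granted_permissions(user_id: str) -> Set[str]:
    """Union of permissions over every role the user holds (empty for unknown users)."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user_id, []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def check_permission(user_id: str, resource: str, action: str) -> dict:
    """Deny by default; grant on exact 'resource.action' match or the '*' wildcard."""
    perms = granted_permissions(user_id)
    permission = f"{resource}.{action}"
    if "*" in perms:
        return {"allowed": True, "reason": "admin has wildcard permission"}
    return {"allowed": permission in perms, "permission": permission}

def handle(body: dict) -> dict:
    """Dispatch one request body and build the reply body for the three message types."""
    kind, msg_id = body["type"], body["msg_id"]
    if kind == "check_permission":
        result = check_permission(body["user_id"], body["resource"], body["action"])
        return {"type": "permission_check", "in_reply_to": msg_id, **result}
    if kind == "assign_role":
        user, role = body["user_id"], body["role"]
        if role not in ROLE_PERMISSIONS:  # never mint roles nobody defined (assumed reply shape)
            return {"type": "error", "in_reply_to": msg_id, "text": f"unknown role {role}"}
        roles = USER_ROLES.setdefault(user, [])
        if role not in roles:
            roles.append(role)
        return {"type": "role_assigned", "in_reply_to": msg_id,
                "user_id": user, "role": role, "roles": list(roles)}
    if kind == "check_ownership":
        if OWNERS.get((body["resource"], body["resource_id"])) == body["user_id"]:
            return {"type": "ownership_check", "in_reply_to": msg_id,
                    "allowed": True, "reason": "resource owner"}
        result = check_permission(body["user_id"], body["resource"], body["action"])
        return {"type": "ownership_check", "in_reply_to": msg_id, **result}
    return {"type": "error", "in_reply_to": msg_id, "text": f"unsupported type {kind}"}
```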

Key Concepts

RBAC, roles, permissions, resource ownership, wildcard permissions