Role-based access control (RBAC) is crucial in managing and securing access to resources within an organization. By assigning roles based on job functions rather than individual user permissions, RBAC ensures that users have the necessary access to perform their duties without exposing sensitive data or systems to unnecessary risk. This approach simplifies the management of user permissions, reduces the likelihood of human error, and enhances compliance with regulatory requirements by enforcing the principle of least privilege. Implementing RBAC helps organizations maintain a structured and secure environment, where access is clearly defined and easily auditable.
At Type CMS, role-based access control is central to our platform, ensuring robust security practices and comprehensive authentication measures for all organizations, teams, and users.
Role-based access control in Type CMS is simple. Below we'll create two roles, or, in Type CMS terms, groups: first an Admin group for users who should have every permission on a project, and then a group for our developers. Once a group is created, we can add users to it. Note that users can belong to more than one group, that project owners have full admin access by default, and that group permissions can also be applied to API keys.
Creating our admin role
First, let's create a new group in our project called "Admin".
By default, groups have no permissions. To add our first permission for this group, click Attach new permission to group. You will get the following modal that allows you to easily build the permission you would like to attach to the group.
You can set permissions on individual resources such as entries, templates, and assets, or make them even more granular by applying the rule to specific items within a resource: for example, denying update or publish access to a specific entry, or allowing read access to templates while denying create, update, and delete.
Because the first group we are creating is for admins, we will allow access to everything in the project.
This rule will Allow all actions on all resources. Notice the permission summary in the left column as you adjust the rule; it helps you understand the permission you are applying to the group.
Next click Create. You will now see the permission Full access that we just created for our group. Hit Save changes to apply the changes to the group.
Creating our developer role
Next, we'll create a group for developers. We want our developers to be able to access all the resources they need to connect our project to our application, but we don't want them to be able to manage users or make any changes to the project that aren't necessary to complete their tasks. Because Type CMS follows the principle of least privilege (a new group starts with no permissions), we only need to create rules that Allow access to the resources developers need, rather than a rule for every resource in the project.
Let's start by creating a new group called Developers.
Next, we'll add our permission rules to the group. The first rule we'll create grants the ability to create, read, update, and delete API keys. Here's an example of what this looks like in the permission builder.
Since we are giving our developers full access to API keys in our project, we can leave step 4 (select actions) in the permission builder empty: leaving it empty applies all actions to the effect and resource selected above. We also want this rule to apply to all API keys, so we leave step 3 (Select api key conditions) empty as well.
We'll repeat this step for entries, templates, assets, environments, and webhooks. When complete, our group will have all the permissions our developers need to connect our project to our application.
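To make the permission model above concrete, here is an added example (written for this page, not Type CMS's own code) that models groups, rules and the evaluation order as a small Python evaluator: rules carry an effect, a resource, an optional set of actions (empty means all actions, as in step 4 above) and an optional set of item conditions (empty means all items, as in step 3). It builds the Admin and Developers groups from the walkthrough plus a third group that uses the granular entry/template rules mentioned earlier, and applies the same groups to an API key. The resource and action names are approximations of the product's, "users" is assumed to be the resource that user management falls under, the item id "entry-42" is a constructed placeholder, and the rule that an explicit Deny overrides any Allow is an assumption, not something the page states.

```python
"""Toy evaluator for a Type CMS-style group permission model (added example, not product code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Resource and action names approximate the page's; "users" is an assumed resource.
RESOURCES = {"entries", "templates", "assets", "environments", "webhooks", "api_keys", "users"}
ACTIONS = {"create", "read", "update", "delete", "publish"}
ALL = "*"


@dataclass(frozen=True)
class Rule:
    """One permission rule as built in the permission builder."""
    effect: str                                   # "allow" or "deny"
    resource: str                                 # a resource name, or "*" for all resources
    actions: FrozenSet[str] = frozenset()         # empty = all actions (step 4 left blank)
    conditions: FrozenSet[str] = frozenset()      # empty = all items (step 3 left blank)

    def __post_init__(self) -> None:
        # Reject malformed rules early instead of silently never matching.
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"bad effect {self.effect!r}")
        if self.resource != ALL and self.resource not in RESOURCES:
            raise ValueError(f"unknown resource {self.resource!r}")
        if not self.actions <= ACTIONS:
            raise ValueError(f"unknown actions {sorted(self.actions - ACTIONS)}")

    def matches(self, action: str, resource: str, item_id: Optional[str]) -> bool:
        if self.resource != ALL and self.resource != resource:
            return False
        if self.actions and action not in self.actions:
            return False
        if self.conditions and item_id not in self.conditions:
            return False
        return True

    def summary(self) -> str:
        """Mimics the permission summary column shown beside the builder."""
        acts = ", ".join(sorted(self.actions)) if self.actions else "all actions"
        if self.resource == ALL:
            res = "all resources"
        elif self.conditions:
            res = f"{self.resource} {sorted(self.conditions)}"
        else:
            res = f"all {self.resource}"
        return f"{self.effect.capitalize()} {acts} on {res}"


@dataclass
class Group:
    name: str
    rules: List[Rule] = field(default_factory=list)   # a new group has no permissions


@dataclass
class Principal:
    """A user or an API key; both are attached to groups."""
    name: str
    groups: List[Group] = field(default_factory=list)
    is_owner: bool = False                            # project owners have full access


def is_allowed(p: Principal, action: str, resource: str, item_id: Optional[str] = None) -> bool:
    """Default deny. Owners bypass rules. Assumption: an explicit deny beats any allow."""
    if p.is_owner:
        return True
    decision = False
    for group in p.groups:
        for rule in group.rules:
            if not rule.matches(action, resource, item_id):
                continue
            if rule.effect == "deny":
                return False
            decision = True
    return decision


# Groups from the walkthrough.
admin = Group("Admin", [Rule("allow", ALL)])                      # the "Full access" permission
developers = Group("Developers", [
    Rule("allow", r) for r in ("api_keys", "entries", "templates", "assets", "environments", "webhooks")
])
# Constructed granular group: read templates only, and no update/publish of one entry.
editors = Group("Editors", [
    Rule("allow", "entries"),
    Rule("allow", "templates", frozenset({"read"})),
    Rule("deny", "entries", frozenset({"update", "publish"}), frozenset({"entry-42"})),
])

alice = Principal("alice", [admin])
bob = Principal("bob", [developers])
carol = Principal("carol", [editors, developers])     # users may belong to several groups
dave = Principal("dave", [editors])
build_key = Principal("ci-build-key", [developers])   # an API key attached to the same group
owner = Principal("owner", [], is_owner=True)

if __name__ == "__main__":
    for g in (admin, developers, editors):
        for r in g.rules:
            print(f"{g.name}: {r.summary()}")
    for p, a, r, i in [(bob, "delete", "users", None), (carol, "publish", "entries", "entry-42")]:
        print(p.name, a, r, i, "->", is_allowed(p, a, r, i))
```

The evaluator shows two properties worth checking in any RBAC setup: a group with no rules grants nothing, so a user gets access only through rules that explicitly Allow it, and when a user sits in several groups the most restrictive matching rule decides (here carol keeps the Developers group's broad entry access but still cannot publish entry-42, because the Editors deny matches first).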
Type CMS simplifies this process further by providing admin, developer, and content manager group options during the project onboarding step after creating a new project in your organization.
Groups can also be attached to API keys, making it easy to share permissions not just across users but across the different parts of your application as well. Simply select an API key and choose which roles, or groups, you would like attached to it. Note that these are the same groups found in the groups section of your project.