Access management with user roles and permissions

Assign roles and permissions to users to control access to resources. SecureAuth Connect supports two patterns that are often used together: role-based checks against token claims, and Zanzibar-based permission checks against a relationship graph.

User permissions

SecureAuth's permission model is Zanzibar-based. It stores access as relationships between subjects and objects and evaluates decisions by walking the resulting graph. This model is the right fit for object-level access that depends on ownership, membership, or hierarchy.

For the full capability, see Permission systems and Fine-Grained Access (FGA).
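
The graph walk described above, as an added example that is not SecureAuth code or the SecureAuth API. The tuple layout, the relation names and the two rewrite rules are assumptions constructed for illustration; the sample data covers ownership, group membership and parent-folder hierarchy.

```python
# Constructed relationship tuples: (object, relation, subject).
# A subject is a user id, an object id (for "parent"), or a userset
# written "object#relation", meaning "everyone with that relation".
TUPLES = {
    ("folder:finance", "owner", "user:alice"),               # ownership
    ("group:auditors", "member", "user:bob"),                # membership
    ("folder:finance", "viewer", "group:auditors#member"),   # grant to a group
    ("doc:q3-report", "parent", "folder:finance"),           # hierarchy
    ("group:a", "member", "group:b#member"),                 # nested groups that
    ("group:b", "member", "group:a#member"),                 # form a cycle
}

# Assumed rewrite rules: a stronger relation implies a weaker one,
# and these relations are inherited from an object's parent.
IMPLIED_BY = {"viewer": ["editor", "owner"], "editor": ["owner"]}
INHERITED_FROM_PARENT = {"viewer", "editor", "owner"}


def check(obj, relation, user, _seen=None):
    """Return True if `user` reaches `relation` on `obj` through the graph."""
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:      # already explored: stops cyclic usersets
        return False
    seen.add((obj, relation))

    # 1. Direct tuples and usersets on this object.
    for o, r, subject in TUPLES:
        if o != obj or r != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:
            sub_obj, sub_rel = subject.split("#", 1)
            if check(sub_obj, sub_rel, user, seen):
                return True

    # 2. Stronger relations on the same object.
    if any(check(obj, s, user, seen) for s in IMPLIED_BY.get(relation, [])):
        return True

    # 3. The same relation on the parent object, if it is inheritable.
    if relation in INHERITED_FROM_PARENT:
        for o, r, parent in TUPLES:
            if o == obj and r == "parent" and check(parent, relation, user, seen):
                return True
    return False  # deny by default when no path exists
```

Alice can view the document because she owns its parent folder, Bob because his group was granted `viewer` on that folder; neither fact is stored on the document itself.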

Roles

Define roles as user attributes on the identity schema. Map the role attribute into the access token as a claim, and let policies read the claim at token time or at the gateway to allow or deny. Changing a user's role is a single attribute update; the next token they receive carries the new role.

For setup steps and an end-to-end example, see Role-Based Access Control (RBAC).