Role-Based Access Control (RBAC) 🛡️
This document explains how Role-Based Access Control (RBAC) is implemented in ShopVerse to ensure secure, predictable, and maintainable authorization across all microservices.
RBAC defines who can do what in the system.
🎯 Why RBAC in ShopVerse?
RBAC is used to:
- Prevent unauthorized access
- Protect sensitive operations
- Simplify authorization logic
- Maintain consistent security rules
- Support scalable permission management
RBAC fits naturally with JWT-based authentication and microservices architecture.
🧠 RBAC Strategy (High-Level)
ShopVerse uses a two-layer RBAC model:
- API Gateway – Coarse-Grained Control
- Microservices – Fine-Grained Control
This balances security and flexibility.
👥 Roles Defined
| Role | Description |
|---|---|
| ADMIN | System administrator with full access |
| CUSTOMER | End user with limited privileges |
Roles are stored in the User Service and embedded into the JWT token.
🔐 Role Propagation Flow
🧩 Gateway-Level RBAC
At the API Gateway:
- Public routes are allowed without authentication
- Protected routes require JWT
- Admin-only routes are restricted by role
Examples:
| Route | Access |
|---|---|
| GET /api/products | Public |
| POST /api/orders | CUSTOMER |
| POST /api/products | ADMIN |
The gateway blocks requests before they reach services.
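The coarse-grained layer as an added example (not ShopVerse's own code): a Spring Cloud Gateway `GlobalFilter` that looks each request up in a centralized route table, requires a JWT on protected routes, compares the token's role claim with the role the route needs, and only then forwards the verified identity to the service as the `X-User-Email` / `X-User-Role` headers named in this document. The `JwtVerifier` interface, the `Claims` record and the package name are assumptions standing in for whatever token library the gateway uses; the route table mirrors the one above and matches the required role exactly.

```java
// Added example, not ShopVerse's own code. Assumes Spring Cloud Gateway and a
// hypothetical JwtVerifier that checks signature + expiry and returns the claims.
package com.example.shopverse.gateway; // hypothetical package

import java.util.List;
import java.util.Optional;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class RbacGatewayFilter implements GlobalFilter, Ordered {

    /** Hypothetical: verifies the token and exposes the two claims we need. */
    public interface JwtVerifier {
        Optional<Claims> verify(String token);
    }
    public record Claims(String email, String role) {}

    /** One access rule: method + path prefix -> required role (null = public). */
    private record Rule(HttpMethod method, String pathPrefix, String requiredRole) {}

    // Centralized rule table (same routes as the table in this document).
    // First match wins; a route that is not listed is denied by default.
    private static final List<Rule> RULES = List.of(
        new Rule(HttpMethod.GET,  "/api/products", null),       // public
        new Rule(HttpMethod.POST, "/api/orders",   "CUSTOMER"),
        new Rule(HttpMethod.POST, "/api/products", "ADMIN")
    );

    private final JwtVerifier jwt;

    public RbacGatewayFilter(JwtVerifier jwt) { this.jwt = jwt; }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        String path = request.getPath().value();
        HttpMethod method = request.getMethod();

        Rule rule = RULES.stream()
            .filter(r -> r.method().equals(method) && path.startsWith(r.pathPrefix()))
            .findFirst().orElse(null);
        if (rule == null) {
            return reject(exchange, HttpStatus.FORBIDDEN); // unknown route: deny by default
        }

        // Identity headers are only trustworthy if the gateway set them, so any
        // copies supplied by the client are stripped before anything else happens.
        ServerHttpRequest.Builder builder = request.mutate()
            .headers(h -> { h.remove("X-User-Email"); h.remove("X-User-Role"); });

        if (rule.requiredRole() == null) {
            return chain.filter(exchange.mutate().request(builder.build()).build());
        }

        String auth = request.getHeaders().getFirst("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            return reject(exchange, HttpStatus.UNAUTHORIZED); // protected route, no JWT
        }
        Optional<Claims> claims = jwt.verify(auth.substring("Bearer ".length()));
        if (claims.isEmpty()) {
            return reject(exchange, HttpStatus.UNAUTHORIZED); // bad signature or expired
        }
        if (!rule.requiredRole().equals(claims.get().role())) {
            return reject(exchange, HttpStatus.FORBIDDEN);    // role does not match the route
        }

        // Propagate the verified identity downstream as trusted headers.
        ServerHttpRequest forwarded = builder
            .header("X-User-Email", claims.get().email())
            .header("X-User-Role", claims.get().role())
            .build();
        return chain.filter(exchange.mutate().request(forwarded).build());
    }

    private static Mono<Void> reject(ServerWebExchange exchange, HttpStatus status) {
        exchange.getResponse().setStatusCode(status); // empty body: no rule details leak
        return exchange.getResponse().setComplete();
    }

    @Override
    public int getOrder() { return Ordered.HIGHEST_PRECEDENCE; }
}
```

A missing or unverifiable token is an authentication failure and gets 401, while every role mismatch gets the 403 listed in the failure table later in this document. Stripping inbound `X-User-*` headers is the check that makes the "trusted headers" assumption hold: without it, a client that can reach a service directly, or a gateway that forwards headers verbatim, lets the caller pick their own role.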
🛡️ Service-Level RBAC
Inside each microservice:
- A custom authentication filter builds the SecurityContext
- X-User-Role is mapped to authorities
- Role checks are enforced at controller/service level
Example Rules:
| Service | Role | Action |
|---|---|---|
| Product | ADMIN | Create / Update / Delete |
| Order | CUSTOMER | Place order |
| Order | ADMIN | Update order status |
| Analytics | ADMIN | View analytics |
| Notification | CUSTOMER | View own notifications |
🧠 Ownership-Based Authorization
RBAC is combined with ownership checks.
Example:
- CUSTOMER can access only their own data
- Ownership validated using X-User-Email
This prevents horizontal privilege escalation.
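The service-level filter and the ownership check above, as an added example (not ShopVerse's own code). The filter turns the gateway's `X-User-Role` header into a Spring Security authority and `X-User-Email` into the principal; the controller then combines the role check with an ownership check so a CUSTOMER can only read their own notifications. It assumes Spring Boot 3 (`jakarta.servlet`), method security switched on with `@EnableMethodSecurity`, a build compiled with `-parameters` so `#email` resolves (Spring Boot's build plugins do this), and a hypothetical `NotificationRepository`.

```java
// Added example, not ShopVerse's own code. Spring Boot 3 / Spring Security 6 assumed.
package com.example.shopverse.notification; // hypothetical package

import java.io.IOException;
import java.util.List;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

/** Builds the SecurityContext from the gateway's trusted headers. */
class HeaderAuthenticationFilter extends OncePerRequestFilter {

    // Centralized role definition; any other value is an "invalid role".
    private static final Set<String> KNOWN_ROLES = Set.of("ADMIN", "CUSTOMER");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String email = request.getHeader("X-User-Email");
        String role = request.getHeader("X-User-Role");

        if (role != null && !KNOWN_ROLES.contains(role)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN); // invalid role, empty body
            return;
        }
        if (email != null && role != null) {
            // hasRole('ADMIN') in SpEL expects the ROLE_ prefix on the authority.
            var authorities = List.of(new SimpleGrantedAuthority("ROLE_" + role));
            Authentication auth =
                new UsernamePasswordAuthenticationToken(email, null, authorities);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        // Missing headers: the context stays empty and protected handlers are refused.
        chain.doFilter(request, response);
    }
}

/** Notification Service: ADMIN may read any inbox, CUSTOMER only their own. */
@RestController
class NotificationController {

    /** Hypothetical repository; only the one method used here is assumed. */
    interface NotificationRepository {
        List<String> findByOwnerEmail(String email);
    }

    private final NotificationRepository repo;

    NotificationController(NotificationRepository repo) { this.repo = repo; }

    // RBAC (which roles may call this) and ownership (the path email must equal the
    // caller's X-User-Email, exposed as authentication.name) in one expression.
    @GetMapping("/api/notifications/{email}")
    @PreAuthorize("hasRole('ADMIN') or (hasRole('CUSTOMER') and #email == authentication.name)")
    public List<String> forUser(@PathVariable String email) {
        return repo.findByOwnerEmail(email);
    }
}
```

The ownership clause is what stops a CUSTOMER from requesting another customer's inbox by changing the path: the role check alone would pass, which is exactly the horizontal escalation the section above describes.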
🔄 RBAC Enforcement Flow
⚠️ Failure Scenarios
| Scenario | Response |
|---|---|
| Missing role | 403 Forbidden |
| Invalid role | 403 Forbidden |
| Unauthorized access | 403 Forbidden |
RBAC failures never expose sensitive information.
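Wiring that maps every row of the failure table to a bare 403, as an added example (not ShopVerse's own code) for the Notification Service. It assumes Spring Boot 3 / Spring Security 6 and a `HeaderAuthenticationFilter` class (hypothetical name) that populates the SecurityContext from the trusted headers; the package name is also an assumption.

```java
// Added example, not ShopVerse's own code. Spring Boot 3 / Spring Security 6 assumed.
package com.example.shopverse.notification; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize on controllers and services
public class ServiceSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Identity comes from headers set by the gateway, never from cookies or
            // sessions, so CSRF protection and server-side sessions are switched off.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // HeaderAuthenticationFilter (hypothetical) builds the SecurityContext.
            .addFilterBefore(new HeaderAuthenticationFilter(),
                             UsernamePasswordAuthenticationFilter.class)
            // Every notification endpoint needs an identity; no public routes here.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .exceptionHandling(ex -> ex
                // Missing role (no authentication was built): 403, not the default 401.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN))
                // Wrong role or failed ownership check: 403 with an empty body.
                .accessDeniedHandler(silent403()));
        return http.build();
    }

    /** Sets the status and nothing else, so no rule or resource detail leaks. */
    private static AccessDeniedHandler silent403() {
        return (request, response, exception) ->
            response.setStatus(HttpStatus.FORBIDDEN.value());
    }
}
```

Spring's default behaviour for an unauthenticated caller hitting a protected handler is to invoke the authentication entry point, which would normally answer 401; the `HttpStatusEntryPoint` override keeps the service's responses consistent with the table above.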
🛡️ Security Best Practices Followed
- Roles are immutable during request lifecycle
- No hard-coded role logic in gateway filters
- Centralized role definition
- Least privilege principle
- Clear separation between auth & business logic
❌ Why Not Permission-Based ACL?
ShopVerse intentionally avoids fine-grained ACLs because:
- Complexity increases rapidly
- Harder to reason about
- Not required for current system scale
RBAC is:
- Simpler
- Easier to maintain
- Sufficient for ShopVerse use cases
📈 Scalability Considerations
- RBAC checks are lightweight
- No DB calls during authorization
- Works seamlessly with horizontal scaling
- Easy to add new roles in future
🧠 Interview Explanation (One-Liner)
“We enforce RBAC at both the API Gateway and service level, using JWT role claims and trusted headers to ensure secure and consistent access control.”
📌 Summary
The RBAC model in ShopVerse ensures:
- Secure access to APIs
- Clear role responsibilities
- Protection against privilege escalation
- Consistent authorization across services
RBAC acts as the authorization backbone of the platform.