-
Notifications
You must be signed in to change notification settings - Fork 0
User Roles and Permissions
Kasun Ranasinghe edited this page Sep 8, 2025
·
1 revision
This comprehensive guide explains the Role-Based Access Control (RBAC) system implemented in the Flux Gate, including roles, permissions, and access patterns.
The Flux Gate implements a sophisticated RBAC system that controls access to different features and actions based on user roles. The system uses JWT tokens to manage authentication and authorization, with roles embedded in the token payload.
Full system access with all permissions
- β Complete user management (create, edit, delete users)
- β Team management (create, edit teams)
- β Environment management (all environments)
- β Feature toggle management (all features)
- β Pipeline management (all pipelines)
- β Context management (all contexts)
- β Client management (all clients)
- β Role assignment and management
- β System configuration
- β Request and approve stage changes
- Settings Menu: Full access to all settings
- Teams Menu: Full visibility and management
- Feature Management: All features across all teams
- Deployment Control: Can request and approve deployments
Team and user management capabilities
- β User management within team scope
- β Team management (create, edit teams)
- β View team members and roles
- β Assign users to teams
- β Manage team-specific resources
β οΈ Limited to team-scoped operations
- Settings β Teams: Visible and accessible
- Settings β Users: Visible and accessible
- Team Features: Can manage features within assigned teams
- User Assignment: Can assign users to their teams
Deployment approval and rejection capabilities
- β Approve deployment requests (DEPLOYMENT_REQUESTED β DEPLOYED)
- β Reject deployment requests (DEPLOYMENT_REQUESTED β DEPLOYMENT_REJECTED)
- β Approve rollback requests (ROLLBACK_REQUESTED β ROLLBACKED)
- β Reject rollback requests (ROLLBACK_REQUESTED β ROLLBACK_REJECTED)
- β View feature status and deployment history
- β Cannot initiate deployment requests
- Deployment Approval: Review and approve deployment requests
- Deployment Rejection: Reject inappropriate deployment requests
- Rollback Approval: Approve rollback requests when issues occur
- Rollback Rejection: Reject unnecessary rollback requests
Deployment and rollback request capabilities
- β Request deployment (NOT_DEPLOYED β DEPLOYMENT_REQUESTED)
- β Request rollback (DEPLOYED β ROLLBACK_REQUESTED)
- β View feature status and deployment pipeline
- β Cannot approve or reject requests
- Request Deployment: Initiate deployment requests for features
- Request Rollback: Request rollback when issues are detected
- Status Monitoring: Monitor deployment status and pipeline progress
In addition to role-based permissions, the system includes an is_admin boolean flag in JWT tokens:
-
JWT Field:
is_admin: boolean - Purpose: Grants admin-level access regardless of assigned roles
- Priority: Takes precedence over role-based permissions
- Fallback: Provides admin access even without explicit Admin role
{
"sub": "user123",
"username": "john.doe",
"roles": ["Requester"],
"is_admin": true,
"exp": 1672531200,
"iat": 1672444800
}In this example, even though the user only has "Requester" role, the is_admin: true flag grants full admin access.
The system implements a structured approval workflow for feature deployments:
- Initiate Request: User with Requester role submits deployment/rollback request
-
Status Change: Stage status changes to
DEPLOYMENT_REQUESTEDorROLLBACK_REQUESTED - Notification: Request appears in approver queues
- Review Request: Approver reviews the deployment request
- Decision: Approver chooses to approve or reject
-
Status Change: Stage status changes to final state (
DEPLOYED,ROLLBACKED, etc.) - Notification: Requester notified of decision
NOT_DEPLOYED ββ[Requester]βββ DEPLOYMENT_REQUESTED
β β
β [Approver]
β β
βββββββ DEPLOYMENT_REJECTED ββββ΄βββ DEPLOYED
β
[Requester]
β
ROLLBACK_REQUESTED
β
[Approver]
β
ROLLBACK_REJECTED ββββ ROLLBACKED
| Action | Admin | Team Admin | Approver | Requester |
|---|---|---|---|---|
| Create Features | β | β (Team) | β | β |
| Edit Features | β | β (Team) | β | β |
| View Features | β | β (Team) | β (Team) | β (Team) |
| Delete Features | β | β (Team) | β | β |
| Action | Admin | Team Admin | Approver | Requester |
|---|---|---|---|---|
| Request Deployment | β | β | β | β |
| Approve Deployment | β | β | β | β |
| Request Rollback | β | β | β | β |
| Approve Rollback | β | β | β | β |
| Function | Admin | Team Admin | Approver | Requester |
|---|---|---|---|---|
| User Management | β | β | β | β |
| Team Management | β | β | β | β |
| Environment Management | β | β | β | β |
| System Configuration | β | β | β | β |
The system provides utilities for checking user permissions:
import { useAuth } from '@/hooks/useAuth';
const MyComponent = () => {
const {
canRequestStageChange,
canApproveStageChange,
canAccessTeamsManagement,
isAdmin
} = useAuth();
return (
<div>
{canRequestStageChange && (
<button>Request Deployment</button>
)}
{canApproveStageChange && (
<button>Approve Request</button>
)}
{isAdmin && (
<button>Admin Panel</button>
)}
</div>
);
};import { hasRole, ROLES, getCurrentUser } from '@/utils/auth';
// Check specific role
if (hasRole(ROLES.REQUESTER)) {
console.log('User can request stage changes');
}
// Check admin status (role OR flag)
if (hasRole(ROLES.ADMIN) || isAdmin()) {
console.log('User has admin access');
}
// Get complete user info
const user = getCurrentUser();
console.log('User roles:', user?.roles);{
"sub": "user123",
"username": "john.doe",
"roles": ["Team Admin", "Requester"],
"is_admin": false,
"exp": 1672531200,
"iat": 1672444800
}{
"sub": "admin123",
"username": "admin.user",
"roles": ["Admin"],
"is_admin": true,
"exp": 1672531200,
"iat": 1672444800
}The system provides visual indicators for user roles:
- π΄ Admin (red indicator)
- π΅ Approver (blue indicator)
- π’ Requester (green indicator)
- π£ Team Admin (purple indicator)
When users lack permissions, the UI shows helpful messages:
- "Requester role required to make requests"
- "Approver role required to review requests"
- "Team Admin privileges needed to access this page"
- Server Validation: All role checks must be validated on the backend
- JWT Verification: Server must verify JWT tokens and roles
- API Protection: All API endpoints must implement proper authorization
- Token Security: Use secure token storage and transmission
- Principle of Least Privilege: Assign minimum necessary roles
- Role Auditing: Regularly review user role assignments
- Token Expiration: Implement reasonable token expiration times
- Secure Storage: Store JWT tokens securely (localStorage with proper domain restrictions)
Roles are assigned through the user management interface:
- Edit User: Access user editing mode
- Roles Tab: Navigate to roles section
- Select Roles: Choose appropriate roles
- Multiple Roles: Users can have multiple roles
- Save Changes: Apply role assignments
Common role combinations:
| Combination | Use Case |
|---|---|
| Requester + Approver | Developer who can request and approve own work |
| Team Admin + Approver | Team lead with approval authority |
| Admin | System administrator (has all permissions) |
- User Management - Creating and managing users
- Team Management - Team organization and management
- Stage Approval Workflow - Detailed workflow documentation
- Authentication & Login - Login and session management
Need help? Check the Troubleshooting guide or create an issue in the project repository.