
Access Control

Clients

The clients of your services are the users or applications that access the application.

Users

For human clients, a login screen is presented when they attempt to access the application.

Third-party Services

For clients that are themselves applications, a JWT ticket authentication mechanism is offered, consisting of two endpoints:

  • An endpoint to authenticate.

  • An endpoint to refresh the authentication token.

RBAC

Role-Based Access Control (RBAC) is an access control mechanism that grants access according to the roles assigned to each user.

ARCHWAY offers a simple mechanism to manage them.

This management is flat. Hierarchical role management systems exist, but they quickly become very difficult to manage, so ARCHWAY uses a non-hierarchical role model. A mechanism called Group, described below, still makes it possible to group roles.

Roles

A role's name should express both the action it authorizes and the business object it applies to. Roles should also be as atomic as possible.

For example, it is better to create:

  • MANAGER_USER
  • VIEWER_USER
  • MANAGER_GROUP
  • VIEWER_GROUP

Rather than this:

  • ADMIN
  • VIEWER

Groups

To simplify associating roles with users, an abstraction called a group lets you bundle roles together.

Several roles can be associated with a group and several groups can be associated with a user.

For instance, the administrator group of an application will typically hold many more roles than its operator group.

A group is therefore a set of roles.

Note: Groups are what get associated with users; roles are never assigned to users directly.

Note: Groups are associated with users within organizations.
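The flat model described in this section (atomic roles, groups bundling roles, groups assigned to users within an organization, no role hierarchy), written out as an added Python example that is not ARCHWAY's own code. The group names, user names and organizations used in the sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Flat (non-hierarchical) role names built as ACTION_OBJECT, as recommended above.
ROLES = frozenset({"MANAGER_USER", "VIEWER_USER", "MANAGER_GROUP", "VIEWER_GROUP"})


@dataclass
class Group:
    name: str
    roles: frozenset


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)       # group name -> Group
    memberships: dict = field(default_factory=dict)  # (org, user) -> {group names}

    def define_group(self, name, roles):
        unknown = set(roles) - ROLES
        if unknown:  # refuse roles that were never declared
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.groups[name] = Group(name, frozenset(roles))

    def assign(self, org, user, group):
        # Users receive groups, never roles directly, and only within an organization.
        if group not in self.groups:
            raise KeyError(f"undefined group: {group}")
        self.memberships.setdefault((org, user), set()).add(group)

    def effective_roles(self, org, user):
        # No hierarchy: a user's roles are simply the union of their groups' roles.
        roles = set()
        for g in self.memberships.get((org, user), ()):
            roles |= self.groups[g].roles
        return roles

    def can(self, org, user, role):
        # The authorization check an endpoint would run before acting on a resource.
        return role in self.effective_roles(org, user)


def build_demo():
    # Constructed sample data: two groups, two users, two organizations (hypothetical names).
    d = Directory()
    d.define_group("administrator", ROLES)                       # all four roles
    d.define_group("operator", {"VIEWER_USER", "VIEWER_GROUP"})  # read-only
    d.assign("acme", "alice", "administrator")
    d.assign("acme", "bob", "operator")
    d.assign("globex", "bob", "administrator")  # bob is an administrator only in globex
    return d
```

Because membership is keyed by organization, the same user can be an operator in one organization and an administrator in another without any role ever being attached to the user record itself.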

Two-factor Authentication

Two-factor authentication is a mechanism that increases the security of user accounts.

A QR code is generated by the server. The user scans it with an authenticator app such as Google Authenticator, Authy, or another.

After a successful login, the user is prompted to enter the code generated by the authenticator app. This code is only valid for a limited time.

The user can choose to mark the browser as trusted, so that the code is not requested again on their next connection.