Access Management

Introduction

Access management in SaaS applications refers to controlling who can access the application and what actions they can perform. This is achieved through roles and permissions, which grant different access levels to other users.

With ROQ's access management, you can:

• define roles and assign them to your users
• setup permissions and enforce them on your application.

What are roles and permissions?

Roles

Roles are assigned directly to users. You can easily read them in sentences like this:

• User Mary is an admin
• User Jane is a chef
• User John is a driver
• User Richard is a customer

A role is represented by its name. For example, you may define a role called owner and another role called member. You can also be more specific and use whatever term makes sense in your business, like a manager, chef, driver, or customer.

Permissions

Permissions define access to a specific type of object. For instance, you specify that the role manager has read access to the sales orders of a restaurant management application.

Each permission consists of:

• the restricted entity, like sales_order
• an operation, like read, create, update, or delete
• and a scope, like all, own, or tenant

How it works

Roles and permissions are defined in the ROQ Console (opens in a new tab). Generally, permissions grant access to objects, e.g., a customer is allowed to make an order. You can specify the operation (read, create, update, and delete) and set the scope. The scope determines if a user has access to either all records, only the own records, or to records related to the own account (~ tenant). These permissions are automatically enforced on all UI Components and APIs of ROQ and can also be applied on the project's user interface and queries.

Some steps of preparation are needed. First, you must declare your custom domain objects with relations in ROQ Console and define your permissions based on these objects.

Technically, the access management works based on a query plan which ROQ computes based on the current user's permissions and your database tables. The SDK is caching this information locally and only refreshes it periodically. This way, your application is independent of the availability of the ROQ Platform. Furthermore, there is no need to send all your data. ROQ only needs to know the schema of your database; the actual queries will be performed on your side.

You can use two functions of the SDK in your project: hasAccess and buildQueryPlan

Check if a user has access to an object.

The hasAccess method returns true if a user has access to something; otherwise false. You can use it for any object, whether it's an entity from your database, a URL, or a user interface component. See hasAccess SDK for more details.

Filter down data of a query

When you retrieve data from your database, you'll often need to filter it by the user's role. For example, let’s say you have a REST endpoint called /rented-cars which returns a list of rented cars. Depending on the user's role, the result will be different: an admin will see all the rented cars, while a customer will see only their rented cars. This can result in complicated WHERE conditions, especially if you have more than these two simple roles.

For this scenario, ROQ provides a query builder that automatically creates the required conditions. Using our ORM adapter, this can be easily integrated into your project. The generated queries can become quite complex if you have a deep schema. You can read more details about this method here: buildQueryPlan SDK

Project's permissions

To define permission for your own application, you need to select an object type (e.g., salesOrder). If you don't find the required object in the dropdown, then it wasn't declared in the preparation.

For each object, you can set the access level:

ROQ Platform permissions

Permissions that are applied on ROQ's side are defined similarly. Scopes: