
Research and Writeup RBAC Systems #82

Closed
3 tasks done
nelsonic opened this issue Jul 14, 2020 · 2 comments
Assignees
Labels
enhancement New feature or enhancement of existing functionality in-progress An issue or pull request that is being worked on by the assigned person priority-1 Highest priority issue. This is costing us money every minute that passes. starter A beginner-friendly issue that is a good starting point for a new person T4h Time Estimate 4 Hours technical A technical issue that requires understanding of the code, infrastructure or dependencies

Comments

@nelsonic (Member) commented Jul 14, 2020

As part of #31 / #27 and for dwyl/smart-home-auth-server#1 we need RBAC ASAP!
This issue is a sub-task of the Epic #31 specifically for researching and writing up so that our RBAC system is beginner-friendly (understandable by a complete beginner or non-technical person) and can be used by any project that needs it.

Todo

  • Read everything I can find (available for free online) on RBAC systems.

    Given that this is a reasonably "solved" problem - as in RBAC has been around for decades - what matters is the UX/UI of how it is presented to the people using the system.

  • Write up RBAC from first principles similar to dwyl/learn-json-web-tokens so that anyone can understand it.
  • Assign PR for review: PR: RBAC Role Based Access Control #27 #31 #82 #85

“I didn’t have time to write you a short letter, so I wrote you a long one.” ~ Mark Twain

Note: I expect this to take me around T4h to do all the reading, synthesis and writeup. 🔍 + 💭 + ✍️
Obviously it could take less time if I only had 20 mins before an essay deadline. ⏳ (but the end result would be meh!)
I want to write something that will take around 10 mins for others to read, and my guideline for how long it takes to write something that takes Y mins to read is that it will take X hours to write. Usually a tutorial that takes someone 1h to read/follow takes me a couple of days (so 20h) to write.
So the 20:1 ratio is my guideline. 10 mins to read = 200 mins to research and write.
My objective is to write something that a few thousand people will read.
If I respect the time of others (the way I hope they respect mine), then I will make the best effort to not confuse them. Wasting 1 minute for a thousand people is 16 hours. Many lifetimes are being wasted one click/swipe/scroll at a time by an Evil Corp whose business model is to "consume as much of your time and conscious attention as possible." ... I want to do the opposite! I want to help people to focus on what matters to them not distract them with instant gratification. 🤳
It's better that I spend a bit more of my time to save the time of others.
Obviously this is not factoring in all the time that I spent auditing RBAC systems for banks and other large organisations while at Expolitte. I have a decent amount of experience/knowledge already, but I'm applying Shoshin to this as I do with everything else. Anyway ... let's get to it!! 🏃

@nelsonic nelsonic added enhancement New feature or enhancement of existing functionality priority-1 Highest priority issue. This is costing us money every minute that passes. starter A beginner-friendly issue that is a good starting point for a new person T4h Time Estimate 4 Hours technical A technical issue that requires understanding of the code, infrastructure or dependencies labels Jul 14, 2020
@nelsonic nelsonic self-assigned this Jul 14, 2020
@nelsonic nelsonic added the in-progress An issue or pull request that is being worked on by the assigned person label Jul 14, 2020
@nelsonic (Member, Author):

I have re-read loads of docs for popular systems that feature RBAC, e.g:

And summarised the info in the role-based-access-control.md doc which is on my current branch.

I have defined 7 default roles based on a combination of the best of all those I read:

| id | name | desc | person_id |
|----|------|------|-----------|
| 1 | superadmin | Can CREATE new roles. Can CREATE, UPDATE and DELETE Any content. Can PURGE deleted items. Can "ban" any user including people with "Admin" Role. | 1 |
| 2 | admin | Can create new roles and assign existing roles. Can CREATE, UPDATE and DELETE any content. Can "ban" any user except people with "admin" Role. Can see deleted content and un-delete it. Cannot purge deleted. This guarantees audit-trail. | 1 |
| 3 | editor | Can CREATE and UPDATE Any content. Can "DELETE" content. Cannot see deleted content. | 1 |
| 4 | creator | Can CREATE content. Can UPDATE their own content. Can DELETE their own content. | 1 |
| 5 | commenter | Can COMMENT on content that has commenting enabled. | 1 |
| 6 | subscriber | Can SUBSCRIBE to receive updates (e.g: newsletter), but has either not verified their account or has made negative comments and is therefore not allowed to comment. | 1 |
| 7 | banned | Can login and see their past content. Cannot create any new content. Can see the reason for their banning (which the Admin has to write when performing the "ban user" action. usually linked to a specific action the person performed like a particularly unacceptable comment.) | 1 |

Note: the person_id for all the default roles is that of the superadmin created during setup.
Other custom roles will have the person_id of the admin that creates them.

The first 3 roles closely match WordPress:
https://wordpress.org/support/article/roles-and-capabilities
We have renamed "author" to "creator" to emphasize the creative part
and the fact that we will allow for various types of content not just "posts".
We have added a "commenter" role as an "upgrade" to subscriber,
to indicate that the person has the ability to comment on content.
Finally, we have added the concept of a "banned" role
that still allows the person to login and view their own content,
but they have no other privileges.

For the purposes of our @home security system (that prompted the prioritisation of rbac) dwyl/smart-home-auth-server#1 the relevant default roles will be superadmin and admin. The superadmin can add new doors (NFC/RFID readers) to the system and the admin can add new devices. If we end up needing more custom roles/permissions, we will have the UI to do that. The regular people using the security system will have the creator or subscriber role as part of their usage of the dwyl app which will grant them access to the building. However their role will not be relevant because the auth server will check if they have access to the specific door.
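The seven-role table and the door-access paragraph above describe two different kinds of check: a role-based one (what may a superadmin/admin/editor/creator/commenter/subscriber/banned person do to content and to other people) and a per-resource one (does this person have access to this specific door, regardless of role). The following block is an added example that is not part of this issue or of dwyl's code; it encodes the table as a deny-by-default `can()` check in Python and models the door check separately. The action strings, the `Person`/`Content` shapes, the sample door grants, the rule that each role also has every ability of the roles beneath it (banned excepted), and the rule that nobody can ban themselves or the superadmin are assumptions made for the example, not statements from the table.

```python
"""Toy deny-by-default RBAC check for the seven default roles tabulated above.

Added illustration, not dwyl's code. Role names and what each role may do
follow the table; the action strings, the Person/Content shapes, the door
grants and the "cumulative roles" rule are assumptions made here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(str, Enum):
    SUPERADMIN = "superadmin"
    ADMIN = "admin"
    EDITOR = "editor"
    CREATOR = "creator"
    COMMENTER = "commenter"
    SUBSCRIBER = "subscriber"
    BANNED = "banned"


@dataclass(frozen=True)
class Person:
    id: int
    role: Role


@dataclass(frozen=True)
class Content:
    id: int
    owner_id: int
    deleted: bool = False
    comments_enabled: bool = True


# "_any" = on anyone's content, "_own" = only on content the actor owns.
# Roles are cumulative from subscriber upwards (assumption); banned keeps
# only read_own, i.e. log in and look at their own past content.
_SUBSCRIBER = {"subscribe", "read_own"}
_COMMENTER = _SUBSCRIBER | {"comment"}
_CREATOR = _COMMENTER | {"create", "update_own", "delete_own"}
_EDITOR = _CREATOR | {"update_any", "delete_any"}
_ADMIN = _EDITOR | {"create_role", "assign_role", "read_deleted", "undelete",
                    "ban_user", "add_device"}
_SUPERADMIN = _ADMIN | {"purge", "ban_admin", "add_door"}

PERMISSIONS = {
    Role.SUPERADMIN: _SUPERADMIN,
    Role.ADMIN: _ADMIN,
    Role.EDITOR: _EDITOR,
    Role.CREATOR: _CREATOR,
    Role.COMMENTER: _COMMENTER,
    Role.SUBSCRIBER: _SUBSCRIBER,
    Role.BANNED: {"read_own"},
}


def can(actor: Person, action: str, target: Optional[Content] = None,
        subject: Optional[Person] = None) -> bool:
    """True if actor may perform action; anything not granted is refused."""
    perms = PERMISSIONS[actor.role]

    if action == "ban":
        # Nobody bans themselves or the superadmin (assumption); only the
        # superadmin may ban an admin, as the table says.
        if subject is None or subject.id == actor.id or subject.role == Role.SUPERADMIN:
            return False
        return ("ban_admin" if subject.role == Role.ADMIN else "ban_user") in perms

    if action in ("update", "delete"):
        if target is None or target.deleted:
            return False  # deleted items are handled by undelete/purge
        if f"{action}_any" in perms:
            return True
        return f"{action}_own" in perms and target.owner_id == actor.id

    if action in ("read_deleted", "undelete", "purge"):
        # Only meaningful on deleted items. Admin lacks "purge": that is
        # what keeps the audit trail intact.
        return target is not None and target.deleted and action in perms

    if action == "comment":
        return (target is not None and not target.deleted
                and target.comments_enabled and "comment" in perms)

    if action == "read_own":
        return (target is not None and not target.deleted
                and target.owner_id == actor.id and "read_own" in perms)

    # create, create_role, assign_role, subscribe, add_device, add_door
    return action in perms


# Door access in the @home system is a per-door grant, not a role check.
# Constructed sample grants for the example: (door_id, person_id).
DOOR_GRANTS = {("front_door", 4), ("front_door", 5), ("server_room", 1)}


def can_open_door(person: Person, door_id: str, grants=DOOR_GRANTS) -> bool:
    """Role is ignored on purpose: the auth server only asks whether this
    person has been granted this specific door."""
    return (door_id, person.id) in grants
```

The two checks are deliberately separate: `can()` answers "what may this role do in the app", while `can_open_door()` answers "is this person on this door's list". Keeping the door decision out of the role table is what lets a creator or subscriber open the building without giving them any content privileges, and it means an admin cannot open a door just by being an admin.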

@nelsonic (Member, Author):

#85 merged. Closing. ✅
