I am working on building a multi-tenant application using Firebase. While creating the application, I built an RBAC model that allows users to belong to several organizations and to be assigned several roles within each organization. Each role grants the resources to which the user must have access.
Given the Firebase structure shown below, how can I write the correct Firebase security rule to determine whether a user has access to a resource in a given organization?
organizations
  org1UUID
    about
    staff
      uid1
    roles
      ViewerRoleUUID
        about
          type: "view"
        resources
          DashboardUUID: "true"
          SomeSettingsUUID: "true"
          MoreResourcesUUID: "true"
      SysAdminUUID
        about..
          type: "full"
        resources:
          AdminAreaUUID: "true"
          DashboardUUID: "true"
          SomeSettingsUUID: "true"
        type: "admin"
  org2UUID
    ...<repeat of above>
users
  uid1
    authinfo
    organizations
      org1UUID
        roles
          ViewRoleUUID: "true"
          SysAdminUUID: "true"
      org2UUID
        roles
          AnotherRoleUUID: "true"
Since Firebase does not support many of the rule lookups I would need, I don't see a way to make this possible, even if I change the data model. I don't even see a way to access all the children of a node. I was thinking about copying the resources into the user data as well, but I could not find a way to access the children of any node without knowing the name or identifier of the node. All the implementations that I have seen only allow a user to be associated with one role, and ultimately do something like
```json
"organizations": {
  "$organization": {
    ".read": "root.child('users/' + auth.uid + '/organizations/' + $organization).child('role').val() === 'viewer'",
    ".write": "root.child('users/' + auth.uid + '/organizations/' + $organization).child('role').val() === 'admin'"
  }
}
```
The above example will only work if the user has been assigned one role. However, if the user needs to be associated with two or more roles, depending on the resources the user needs to access, this will not work.
Initially, I thought about simply copying the role information, including its type and list of resources, to each user. The problem is that even if the data structure is moved or copied to the user, a lookup to see whether the user has access to the resource would still have to search all of the user's roles for a given company to determine whether the user has access,
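One way around the "cannot iterate over a user's roles" limitation is to denormalise one level further than the question proposes: instead of copying roles onto the user, have trusted server code (for example a Cloud Function; this is an assumption, the question does not mention one) precompute the union of every role's resources per user and organization, and store it under a `userAccess/$uid/$org/$resource` path (a hypothetical path chosen for this example). A Realtime Database rule can then authorise a read with a single `root.child(...)` lookup and never needs to know which roles the user holds. The JavaScript below is an added example, not code from the question or from Firebase; the protected-data path `organizations/$org/data/$resource`, the `userAccess` tree and the sample database are all constructed assumptions. The rule strings are shown as data and are not evaluated here; `childVal`/`canRead` stand in for the rule engine's `root.child(path).val()`.

```javascript
// Added example (not from the question): flatten role grants into a
// per-user, per-organization, per-resource map so the rule needs one lookup.
//
// Source layout, taken from the question (values simplified to booleans):
//   organizations/$org/roles/$role/resources/$resource: true
//   users/$uid/organizations/$org/roles/$role: true
// Derived layout (assumption for this example; written only by trusted
// server code such as a Cloud Function, never by clients):
//   userAccess/$uid/$org/$resource: true

// Constructed sample database mirroring the question's tree.
const sampleDb = {
  organizations: {
    org1UUID: {
      roles: {
        ViewerRoleUUID: {
          about: { type: 'view' },
          resources: { DashboardUUID: true, SomeSettingsUUID: true, MoreResourcesUUID: true },
        },
        SysAdminUUID: {
          about: { type: 'full' },
          resources: { AdminAreaUUID: true, DashboardUUID: true, SomeSettingsUUID: true },
        },
      },
    },
    org2UUID: {
      roles: { AnotherRoleUUID: { about: { type: 'view' }, resources: { DashboardUUID: true } } },
    },
  },
  users: {
    uid1: {
      organizations: {
        org1UUID: { roles: { ViewerRoleUUID: true, SysAdminUUID: true } },
        org2UUID: { roles: { AnotherRoleUUID: true } },
      },
    },
    // uid2 belongs to org2 only, so org1 resources must stay hidden from it.
    uid2: { organizations: { org2UUID: { roles: { AnotherRoleUUID: true } } } },
  },
};

// Union of every held role's resources per (user, org). A role referenced by
// a user but absent from the organization contributes nothing (fail closed).
function buildUserAccess(db) {
  const access = {};
  for (const [uid, user] of Object.entries(db.users || {})) {
    for (const [org, membership] of Object.entries(user.organizations || {})) {
      const orgRoles = ((db.organizations || {})[org] || {}).roles || {};
      for (const role of Object.keys(membership.roles || {})) {
        const grants = (orgRoles[role] || {}).resources || {};
        for (const [resource, allowed] of Object.entries(grants)) {
          if (allowed !== true) continue;
          access[uid] = access[uid] || {};
          access[uid][org] = access[uid][org] || {};
          access[uid][org][resource] = true;
        }
      }
    }
  }
  return access;
}

// Stand-in for root.child(path).val(): walk a slash-separated path.
function childVal(root, path) {
  return path.split('/').reduce(
    (node, key) => (node && typeof node === 'object' ? node[key] : undefined),
    root,
  );
}

// Mirrors the ".read" rule below: one lookup, no iteration over roles.
function canRead(db, uid, org, resource) {
  return childVal(db, `userAccess/${uid}/${org}/${resource}`) === true;
}

// Rules guarding organizations/$org/data/$resource (hypothetical path).
// userAccess is readable only by its owner and never writable by a client,
// otherwise a user could grant themselves access.
const rules = {
  rules: {
    organizations: {
      $org: {
        data: {
          $resource: {
            '.read': "root.child('userAccess/' + auth.uid + '/' + $org + '/' + $resource).val() === true",
          },
        },
      },
    },
    userAccess: {
      $uid: { '.read': 'auth != null && auth.uid === $uid', '.write': 'false' },
    },
  },
};

// Attach the derived tree the way the server would store it.
function withUserAccess(db) {
  return { ...db, userAccess: buildUserAccess(db) };
}
```

The trade-off is fan-out on writes: whenever a role's resource list or a user's role membership changes, the server must rebuild `userAccess` for every affected member of that organization, and the `.write: false` on `userAccess` is what keeps that precomputed map trustworthy.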