@idpass/data-collect-core / RbacService
Class: RbacService
Defined in: services/RbacService.ts:66
Service for Role-Based Access Control (RBAC) enforcement.
Provides methods to check permissions based on the role hierarchy, area assignments, and action mappings. This service is stateless and operates on data provided as arguments, making it suitable for both client-side and server-side usage.
Constructors
Constructor
new RbacService(): RbacService
Returns
RbacService
Methods
hasPermission()
hasPermission(userRole, requiredRole): boolean
Defined in: services/RbacService.ts:74
Check if a user's role meets the minimum required role level.
Parameters
userRole
The role assigned to the user.
requiredRole
The minimum role required for the operation.
Returns
boolean
true if the user's role level is >= the required role level.
canPerformAction()
canPerformAction(userRole, action): boolean
Defined in: services/RbacService.ts:92
Check if a user can perform a specific action based on their role.
Parameters
userRole
The role assigned to the user.
action
The action the user wants to perform.
Returns
boolean
true if the user's role permits the action.
getUserEffectiveRole()
getUserEffectiveRole(userId, tenantId, assignments): SystemRole | null
Defined in: services/RbacService.ts:108
Get the highest role a user holds in a specific tenant.
Parameters
userId
string
The user identifier.
tenantId
string
The tenant (program) identifier.
assignments
All role assignments to search.
Returns
SystemRole | null
The highest SystemRole for the user in the tenant, or null if none.
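The following is an added, self-contained illustration of the semantics documented for hasPermission(), canPerformAction() and getUserEffectiveRole(): a ranked role hierarchy, an action-to-minimum-role table (the lookup getMinimumRoleForAction() describes, returning null for unknown actions), and a "highest role in this tenant" search over assignments. It is example code written for this page, not the library's own implementation; the role names, their ranking, the action names and the RoleAssignment shape are assumptions. The one design point worth noting is that an unmapped action is denied for every role, so a typo in an action name fails closed rather than open.

```typescript
// Added example, not the library's code. Role names, ranking, action names and
// the RoleAssignment shape below are assumptions for illustration.
type SystemRole = "VIEWER" | "ENUMERATOR" | "SUPERVISOR" | "ADMIN";

// Higher number = more privilege (assumed ordering).
const ROLE_RANK: Record<SystemRole, number> = {
  VIEWER: 1,
  ENUMERATOR: 2,
  SUPERVISOR: 3,
  ADMIN: 4,
};

// Assumed minimum-role table per action. Unknown actions are absent on purpose
// so that the lookup resolves to null and the permission check fails closed.
const ACTION_MIN_ROLE: Record<string, SystemRole> = {
  "entity:read": "VIEWER",
  "entity:create": "ENUMERATOR",
  "entity:approve": "SUPERVISOR",
  "tenant:configure": "ADMIN",
};

// Assumed shape of one role assignment: a user holds a role within a tenant.
interface RoleAssignment {
  userId: string;
  tenantId: string;
  role: SystemRole;
}

// true if the user's role level is >= the required role level.
function hasPermission(userRole: SystemRole, requiredRole: SystemRole): boolean {
  return ROLE_RANK[userRole] >= ROLE_RANK[requiredRole];
}

// Minimum role for an action, or null if the action is unknown. The own-property
// check stops prototype members such as "toString" from counting as actions.
function getMinimumRoleForAction(action: string): SystemRole | null {
  return Object.prototype.hasOwnProperty.call(ACTION_MIN_ROLE, action)
    ? ACTION_MIN_ROLE[action]
    : null;
}

// Deny unknown actions for every role; otherwise compare against the minimum.
function canPerformAction(userRole: SystemRole, action: string): boolean {
  const minimum = getMinimumRoleForAction(action);
  return minimum !== null && hasPermission(userRole, minimum);
}

// Highest role the user holds in the given tenant, or null if none.
function getUserEffectiveRole(
  userId: string,
  tenantId: string,
  assignments: RoleAssignment[],
): SystemRole | null {
  let best: SystemRole | null = null;
  for (const a of assignments) {
    if (a.userId !== userId || a.tenantId !== tenantId) continue;
    if (best === null || ROLE_RANK[a.role] > ROLE_RANK[best]) best = a.role;
  }
  return best;
}

// Constructed sample assignments: u1 holds two roles in t1 and one in t2.
const SAMPLE_ASSIGNMENTS: RoleAssignment[] = [
  { userId: "u1", tenantId: "t1", role: "ENUMERATOR" },
  { userId: "u1", tenantId: "t1", role: "SUPERVISOR" },
  { userId: "u1", tenantId: "t2", role: "VIEWER" },
  { userId: "u2", tenantId: "t1", role: "ADMIN" },
];

// Typical use: resolve the effective role first, then ask about an action.
const u1Role = getUserEffectiveRole("u1", "t1", SAMPLE_ASSIGNMENTS);
console.log(u1Role, u1Role !== null && canPerformAction(u1Role, "entity:approve"));
```

Because getUserEffectiveRole() returns null when the user has no assignment in the tenant, callers should treat null as "no access" rather than substituting a default role.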
canAccessArea()
canAccessArea(userId, tenantId, areaCode, assignments, areas): boolean
Defined in: services/RbacService.ts:149
Check if a user can access a specific area within a tenant.
Access is granted if the user has a global role, or if any of their assigned area codes match the target area or one of its ancestors in the area hierarchy.
Parameters
userId
string
The user identifier.
tenantId
string
The tenant (program) identifier.
areaCode
string
The area code to check access for.
assignments
All role assignments to search.
areas
Area[]
The area hierarchy for resolving parent relationships.
Returns
boolean
true if the user can access the area.
canAccessEntity()
canAccessEntity(userId, tenantId, entityGuid, assignments, entityAreaCode, areas): boolean
Defined in: services/RbacService.ts:208
Check if a user can access a specific entity based on area assignments.
If the entity has no area assignment, access is granted to any user with at least one role in the tenant. If the entity has an area code, the user must have access to that area.
Parameters
userId
string
The user identifier.
tenantId
string
The tenant (program) identifier.
entityGuid
string
The entity identifier.
assignments
All role assignments to search.
entityAreaCode
string | undefined
The area code assigned to the entity, if any.
areas
Area[]
The area hierarchy for resolving parent relationships.
Returns
boolean
true if the user can access the entity.
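The following is an added, self-contained illustration of the area rules documented for canAccessArea() and canAccessEntity(): a global (tenant-wide) assignment grants every area, an area-scoped assignment grants the assigned area and everything beneath it, and an entity with no area code is readable by anyone holding at least one role in the tenant. It is example code written for this page, not the library's own implementation; the Area and RoleAssignment shapes (a parentCode link and an optional areaCode on the assignment), the sample hierarchy and the user ids are assumptions. It goes one step beyond the text by guarding the ancestor walk against a malformed hierarchy that contains a cycle, so a bad parent link cannot hang the check.

```typescript
// Added example, not the library's code. The Area and RoleAssignment shapes,
// the sample hierarchy and the user ids are assumptions for illustration.
type SystemRole = "VIEWER" | "ENUMERATOR" | "SUPERVISOR" | "ADMIN";

interface Area {
  code: string;
  parentCode?: string; // undefined for a root area
}

interface RoleAssignment {
  userId: string;
  tenantId: string;
  role: SystemRole;
  areaCode?: string; // undefined = global (tenant-wide) role
}

// Returns the target area code plus every ancestor up to the root. The visited
// set guarantees termination even if parent links form a cycle.
function areaAndAncestors(areaCode: string, areas: Area[]): Set<string> {
  const byCode = new Map<string, Area>();
  for (const a of areas) byCode.set(a.code, a);
  const chain = new Set<string>();
  let current: string | undefined = areaCode;
  while (current !== undefined && !chain.has(current)) {
    chain.add(current);
    current = byCode.get(current)?.parentCode;
  }
  return chain;
}

// Global role in the tenant, or an assigned area equal to the target or one
// of its ancestors.
function canAccessArea(
  userId: string,
  tenantId: string,
  areaCode: string,
  assignments: RoleAssignment[],
  areas: Area[],
): boolean {
  const mine = assignments.filter(a => a.userId === userId && a.tenantId === tenantId);
  if (mine.some(a => a.areaCode === undefined)) return true;
  const reachable = areaAndAncestors(areaCode, areas);
  return mine.some(a => a.areaCode !== undefined && reachable.has(a.areaCode));
}

// No area on the entity: any role in the tenant suffices. Otherwise defer to
// the area check. entityGuid is kept to mirror the documented signature.
function canAccessEntity(
  userId: string,
  tenantId: string,
  _entityGuid: string,
  assignments: RoleAssignment[],
  entityAreaCode: string | undefined,
  areas: Area[],
): boolean {
  if (entityAreaCode === undefined) {
    return assignments.some(a => a.userId === userId && a.tenantId === tenantId);
  }
  return canAccessArea(userId, tenantId, entityAreaCode, assignments, areas);
}

// Constructed sample hierarchy: country -> region -> district.
const SAMPLE_AREAS: Area[] = [
  { code: "KE" },
  { code: "KE-NBO", parentCode: "KE" },
  { code: "KE-NBO-W", parentCode: "KE-NBO" },
  { code: "KE-MSA", parentCode: "KE" },
];

// Constructed sample assignments: u1 scoped to a region, u2 global, u3 scoped
// to one district.
const SAMPLE_AREA_ASSIGNMENTS: RoleAssignment[] = [
  { userId: "u1", tenantId: "t1", role: "SUPERVISOR", areaCode: "KE-NBO" },
  { userId: "u2", tenantId: "t1", role: "ADMIN" },
  { userId: "u3", tenantId: "t1", role: "VIEWER", areaCode: "KE-NBO-W" },
];

// Constructed malformed hierarchy with a parent cycle, to show the guard.
const CYCLIC_AREAS: Area[] = [
  { code: "A", parentCode: "B" },
  { code: "B", parentCode: "A" },
];

console.log(canAccessArea("u1", "t1", "KE-NBO-W", SAMPLE_AREA_ASSIGNMENTS, SAMPLE_AREAS));
```

Note the direction of the rule: an assignment to KE-NBO reaches KE-NBO-W (a descendant), but not KE (its parent), so area scope only ever narrows what a role can see.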
getMinimumRoleForAction()
getMinimumRoleForAction(action): SystemRole | null
Defined in: services/RbacService.ts:244
Get the minimum role required to perform a specific action.
Parameters
action
The action to look up.
Returns
SystemRole | null
The minimum SystemRole required, or null if the action is unknown.