Project 11: RBAC - Role-Based Access Control

Update Realm

Update to the latest minor version of Realm.

At the time I write this, it's 0.89.0-rc.1.

 "dependencies": {
    "@redocly/realm": "0.89.0-rc.1"
  }

RBAC: The next level of access control

The boss was impressed with how quickly we locked down the entire website! However, the flood of emails from confused "Viewers" that saw a cryptic error message highlighted a flaw in our approach: we need an alternative access control system that provides a smoother experience for everyone.

The new directive is clear: we only need to protect our most sensitive API documentation. For everything else, we should be open and accessible. This calls for a more surgical tool: Role-Based Access Control (RBAC).

Your task

1. RBAC implementation:

   • Open up: Remove the login requirement from the website, making the general API documentation public again.
   • Add the Admin API: Introduce a new "Admin API" section to your documentation. You'll need to create the OpenAPI specification for this API. Use any specification you can find.
   • Lock it down: Configure RBAC rules to protect the "Admin API," ensuring only users with the "Owner" or "Member" role in your organization can access it.

2. Verify protection:

   • Confirm that anonymous users can see the general API documentation but not the "Admin API."

Bonus challenge (optional)

Create a "Beta Testers" team in your Redocly organization. Grant this team access to the "Admin API." Invite some "Viewers" to this team. At this point, Owners, Members, and the specific Viewers in the "Beta Testers" team should have access to the "Admin API" content pages.

(Yes, the viewer experience isn't perfect yet, but Redocly is working on it, so let's be prepared!)

Debrief

Debrief on your experience.

• What made you smile?
• What did you find confusing?