RENEWA Knowledge Base

RBAC Authorization

2 min read

RBAC Authorization

Role-Based Access Control system governing who can access and modify resources across Projects, Buildings, and Scenarios.

Architecture

LayerLocation
Ownership guardsbackend/src/lib/ownership-guards.ts
RBAC middlewarebackend/src/middleware/rbac.ts
Department accessbackend/src/lib/department-access.ts
Permissions hookfrontend/src/hooks/usePermissions.ts
Auth store (RBAC helpers)frontend/src/store/auth.ts
Role constantsshared/constants.ts

Database Tables

TablePurpose
projectRolesUser-to-project role assignments
buildingRolesUser-to-building role assignments

User Types

TypeAccess Level
AdminFull system access, all configuration
EmployeeInternal team, department-scoped access
CraftsmanPartner access to assigned projects
PartnerExternal partner with limited project visibility

Access Verification Functions

Current (RBAC-aware) — defined in backend/src/lib/ownership-guards.ts:

FunctionChecks
verifyProjectAccess()User has role on the project
verifyBuildingAccess()User has role on the building (or its project)
verifyScenarioAccess()User has role on the scenario’s parent project
require* aliasesSame checks, throw on failure

Deprecated (bypass RBAC) — do NOT use:

  • verifyProjectOwnership() — checks ownership only, ignores roles
  • verifyBuildingOwnership() — same problem
  • verifyScenarioOwnership() — same problem

Frontend Permissions

frontend/src/hooks/usePermissions.ts provides reactive permission checks for conditional UI rendering (show/hide buttons, routes, menu items).

The Zustand auth store at frontend/src/store/auth.ts exposes helper methods:

  • isTeamAdmin() — full admin privileges
  • isTeamLead() — team lead within department
  • canCreateUsers() — user creation permission
  • canDeactivateUsers() — user deactivation permission

Department-Based Access

backend/src/lib/department-access.ts adds a department dimension to access control. Users in specific Departments can access resources assigned to their department, even without explicit project/building roles.

Middleware Integration

backend/src/middleware/rbac.ts integrates with the Middleware Stack to enforce authorization on every request. Applied after Authentication middleware but before route handlers.

Graph View

Backlinks