Advanced RBAC Patterns

AuthSec SDK provides flexible Role-Based Access Control (RBAC) patterns to handle various authorization scenarios.

Basic RBAC Patterns

OR Logic - Any Permission Grants Access

@protected_by_AuthSec(
    "view_reports",
    roles=["admin", "manager", "analyst"],
    require_all=False  # Default: OR logic
)
async def view_reports(arguments: dict) -> list:
    return [{"type": "text", "text": "Business reports"}]

Accessible to: Users with admin OR manager OR analyst role

AND Logic - All Permissions Required

@protected_by_AuthSec(
    "deploy_production",
    roles=["admin", "deployer"],  # User needs admin OR deployer
    scopes=["write"],             # AND user needs write scope
    resources=["production"],     # AND user needs production resource
    require_all=True              # All conditions must pass
)
async def deploy_production(arguments: dict) -> list:
    return [{"type": "text", "text": "Deployment initiated"}]

Accessible to: Users with (admin OR deployer) AND write AND production resource

Advanced Patterns

Group-Based Access

@protected_by_AuthSec(
    "engineering_tools",
    groups=["engineering", "devops"]
)
async def engineering_tools(arguments: dict) -> list:
    return [{"type": "text", "text": "Engineering dashboard"}]

Accessible to: Users in engineering OR devops group

Complex Multi-Requirement Tool

@protected_by_AuthSec(
    "sensitive_operations",
    roles=["admin", "superuser"],
    groups=["security-team"],
    scopes=["write", "admin"],
    resources=["production", "sensitive-data"],
    require_all=True
)
async def sensitive_operations(arguments: dict) -> list:
    # Only accessible if ALL conditions are met:
    # - Has admin OR superuser role
    # - In security-team group
    # - Has write OR admin scope
    # - Has access to production AND sensitive-data resources
    return [{"type": "text", "text": "Sensitive operation completed"}]

Example Validation

# Tool 1: No RBAC - accessible to all authenticated users
@protected_by_AuthSec("calculator")
async def calculator(arguments: dict) -> list:
    ...

# Tool 2: Requires admin role
@protected_by_AuthSec("admin_dashboard", roles=["admin"])
async def admin_dashboard(arguments: dict) -> list:
    ...

# Tool 3: Requires read scope AND analytics resource
@protected_by_AuthSec(
    "view_analytics",
    scopes=["read"],
    resources=["analytics"],
    require_all=True
)
async def view_analytics(arguments: dict) -> list:
    ...

For a user with roles=["admin"], scopes=["read", "write"], resources=["analytics"]:

  • calculator - Accessible (all authenticated users)
  • admin_dashboard - Accessible (has admin role)
  • view_analytics - Accessible (has read scope + analytics resource)
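To make the combination rules above concrete, here is a small model of the evaluation semantics this page describes, written for this page as an added example; it is not the AuthSec SDK's implementation and does not import it. It assumes a user's entitlements are carried as plain sets; that roles, groups and scopes each match any-of; that resources match all-of (as the sensitive_operations comment states); that require_all=True means every dimension the tool lists must pass while require_all=False grants access when any one dimension passes; and that a tool with no requirements is open to every authenticated user. The Requirements and User types, is_authorized, TOOLS, accessible_tools and PAGE_USER are hypothetical names introduced here.

```python
"""Model of the RBAC combination rules described on this page (illustrative,
not the AuthSec SDK's own code). Assumptions: roles/groups/scopes are any-of,
resources are all-of, require_all selects all()/any() across dimensions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Requirements:
    """Requirements attached to one tool; mirrors the decorator keywords."""
    roles: Optional[list[str]] = None
    groups: Optional[list[str]] = None
    scopes: Optional[list[str]] = None
    resources: Optional[list[str]] = None
    require_all: bool = False  # page default: OR logic


@dataclass
class User:
    """Entitlements of an authenticated caller (constructed for the example)."""
    roles: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)
    scopes: set[str] = field(default_factory=set)
    resources: set[str] = field(default_factory=set)


def is_authorized(user: User, req: Requirements) -> bool:
    """Evaluate one tool's requirements against a user's entitlements."""
    checks: list[bool] = []
    if req.roles is not None:
        checks.append(bool(user.roles & set(req.roles)))      # any-of
    if req.groups is not None:
        checks.append(bool(user.groups & set(req.groups)))    # any-of
    if req.scopes is not None:
        checks.append(bool(user.scopes & set(req.scopes)))    # any-of
    if req.resources is not None:
        # All-of, following the sensitive_operations comment (assumption)
        checks.append(set(req.resources) <= user.resources)
    if not checks:
        return True  # no RBAC constraints: any authenticated user
    return all(checks) if req.require_all else any(checks)


# The tools defined on this page, expressed as Requirements (insertion order
# is preserved, so accessible_tools() returns a deterministic list).
TOOLS: dict[str, Requirements] = {
    "calculator": Requirements(),
    "admin_dashboard": Requirements(roles=["admin"]),
    "view_analytics": Requirements(
        scopes=["read"], resources=["analytics"], require_all=True),
    "deploy_production": Requirements(
        roles=["admin", "deployer"], scopes=["write"],
        resources=["production"], require_all=True),
    "sensitive_operations": Requirements(
        roles=["admin", "superuser"], groups=["security-team"],
        scopes=["write", "admin"],
        resources=["production", "sensitive-data"], require_all=True),
}


def accessible_tools(user: User) -> list[str]:
    """Names of every tool in TOOLS the user may call."""
    return [name for name, req in TOOLS.items() if is_authorized(user, req)]


# The user from the Example Validation section (constructed sample data).
PAGE_USER = User(roles={"admin"}, scopes={"read", "write"},
                 resources={"analytics"})

if __name__ == "__main__":
    for name in TOOLS:
        verdict = "allow" if is_authorized(PAGE_USER, TOOLS[name]) else "deny"
        print(f"{name:22s} {verdict}")
```

Running it reproduces the page's verdicts for the three validation tools and additionally denies deploy_production (the production resource is missing) and sensitive_operations (no security-team membership). Under the any-of default, adding a second dimension such as scopes= to a tool that already lists roles= widens access rather than narrowing it, because either dimension alone then suffices; set require_all=True whenever the intent is that both must hold.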