This is a submission for the Permit.io Authorization Challenge: Permissions Redefined

What I Built

Hi there! 👋
Presenting to you "Radhika's DocManager": A secure Document Management System (or DMS) with fine-grained authorization powered by Permit.io.


This is the first version of Radhika's DocManager, which lets you create, read, write, and delete documents based on your role and on document ownership.

Features

  • Role-Based Access Control (RBAC): Different roles (Admin, Editor, Viewer) have different permissions
  • Attribute-Based Access Control (ABAC): Document owners have special privileges
  • Fine-Grained Authorization: Using Permit.io to implement complex authorization rules
  • Next.js App Router: Modern React application with server components and server actions
  • Responsive UI: Using Tailwind CSS and shadcn/ui components

Authorization Model

The application implements the following authorization model:

  • Admin: Can create, view, edit, and delete any document, and access the admin panel
  • Editor: Can create, view, and edit documents, and can delete only their own documents
  • Viewer: Can only view documents

Additionally, document owners have full control over their own documents regardless of their role.


Demo


Project Repo

https://github.com/RS-labhub/Document_Management_System

My Journey

Creating a DMS was a very hectic job, especially while writing the access control. Thanks to Permit, which makes it easier and is a huge time saver.

The main focus of this application is the use of Permit. It also shows how a simple application becomes much more powerful once access controls are added.

Anyway, the project is open-source. If you want to contribute, you're warmly welcome.


Using Permit.io for Authorization


I used Permit to achieve two things:

  • Role-Based Access Control or RBAC
  • Attribute-Based Access Control or ABAC

In the RBAC policy, three roles are created: Admin, Editor, and Viewer. The permissions of each role are the ones listed in the Authorization Model section above.

In the ABAC policy, access is determined by document attributes and user context.
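To make the combined RBAC + ABAC rules from the Authorization Model section and the two Permit policies above concrete, here is an added example (my code, not the project's): a local reference model of those rules in TypeScript, useful for stating the decisions the Permit.io policy is expected to return. In the app itself the decision comes from Permit (the SDK's `permit.check(user, action, resource)` call, which is asynchronous); the role and action names below are assumptions chosen for illustration.

```typescript
// Added example (not the project's code): local reference model of the post's
// RBAC + ownership rules, for checking expected decisions against the Permit policy.
type Role = "admin" | "editor" | "viewer";
type Action = "create" | "read" | "update" | "delete" | "access_admin_panel";

export interface User { key: string; role: Role; }
export interface Doc { id: string; ownerKey: string; }

// Per-role grants from the Authorization Model section (ownership not applied yet).
const ROLE_GRANTS: Record<Role, ReadonlySet<Action>> = {
  admin: new Set<Action>(["create", "read", "update", "delete", "access_admin_panel"]),
  editor: new Set<Action>(["create", "read", "update"]),
  viewer: new Set<Action>(["read"]),
};

// The ABAC part: an owner has full control of their own document whatever their role.
// "create" and the admin panel have no owning document, so they never use this path.
const OWNER_GRANTS: ReadonlySet<Action> = new Set<Action>(["read", "update", "delete"]);

export function isAllowed(user: User, action: Action, doc?: Doc): boolean {
  if (ROLE_GRANTS[user.role].has(action)) return true;
  if (doc !== undefined && doc.ownerKey === user.key) return OWNER_GRANTS.has(action);
  return false; // default deny: anything not granted above is refused
}

export interface Decision { role: Role; action: Action; owner: boolean; allowed: boolean; }

// Full decision table (role x action x owner?) that can be diffed against the live policy.
export function decisionTable(): Decision[] {
  const rows: Decision[] = [];
  const actions: Action[] = ["create", "read", "update", "delete", "access_admin_panel"];
  for (const role of Object.keys(ROLE_GRANTS) as Role[]) {
    for (const action of actions) {
      for (const owner of [false, true]) {
        // Constructed sample user and document; ownership is toggled via ownerKey.
        const user: User = { key: "u1", role };
        const doc: Doc = { id: "d1", ownerKey: owner ? "u1" : "someone-else" };
        rows.push({ role, action, owner, allowed: isAllowed(user, action, doc) });
      }
    }
  }
  return rows;
}
```

Running `decisionTable()` gives 30 rows, of which 21 are allowed; an Editor deleting a document they do not own and a Viewer editing someone else's document are both denied, while an owner of any role may read, update and delete their own document.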

If you want to see the full Permit implementation, please read the project README file!


Conclusion

A huge thanks to @jennie_py for their contribution to this project!

This project demonstrates how to implement fine-grained authorization in a Next.js application using Permit.io. By externalizing authorization, we can create more secure, maintainable, and flexible applications.

Thank you for reading this so far! Your support means the world to us. ❣️