App Logo
Plugins

Access Control Plugin

Overview

The Access Control plugin provides a comprehensive Role-Based Access Control (RBAC) system for managing authorization in your application. It enables you to define roles, assign permissions to those roles, and grant roles to users, creating a flexible and scalable authorization model.

What It Does

  • Role Management — Create, update, and delete roles that group related permissions
  • Permission Management — Define fine-grained permissions with unique keys
  • Role-Permission Mapping — Associate permissions with roles and manage bulk updates
  • User Authorization — Assign roles to users and query their effective permissions
  • Audit Tracking — Track who granted permissions and assigned roles

The plugin uses a hierarchical model: Users → Roles → Permissions, allowing you to manage authorization at any level and simplifying policy changes across multiple users.

Configuration

Standalone Mode

[plugins.access_control]
enabled = true

Library Mode

accesscontrolplugin "github.com/Authula/authula/plugins/access-control"
accesscontrolplugintypes "github.com/Authula/authula/plugins/access-control/types"

accesscontrolplugin.New(accesscontrolplugintypes.AccessControlPluginConfig{
  Enabled: true,
})

API Reference

Roles Management

HTTP MethodRoute PathDescription
POST/access-control/rolesCreate a new role
GET/access-control/rolesList all available roles
GET/access-control/roles/{role_id}Get a role by ID
PATCH/access-control/roles/{role_id}Update a role
DELETE/access-control/roles/{role_id}Delete a role

Permissions Management

HTTP MethodRoute PathDescription
POST/access-control/permissionsCreate a new permission
GET/access-control/permissionsList all permissions
PATCH/access-control/permissions/{permission_id}Update a permission
DELETE/access-control/permissions/{permission_id}Delete a permission

Role-Permission Mapping

HTTP MethodRoute PathDescription
POST/access-control/roles/{role_id}/permissionsAdd a single permission to a role
GET/access-control/roles/{role_id}/permissionsGet all permissions assigned to a role
PUT/access-control/roles/{role_id}/permissionsReplace all permissions of a role (bulk update)
DELETE/access-control/roles/{role_id}/permissions/{permission_id}Remove a permission from a role

User Access & Permissions

HTTP MethodRoute PathDescription
GET/access-control/users/{user_id}/rolesGet all roles assigned to a user
POST/access-control/users/{user_id}/rolesAssign a role to a user
PUT/access-control/users/{user_id}/rolesReplace all roles of a user (bulk update)
DELETE/access-control/users/{user_id}/roles/{role_id}Remove a role from a user
GET/access-control/users/{user_id}/permissionsGet all effective permissions for a user (merged from all assigned roles)

Database Schema

This plugin creates the following database tables:

Table: access_control_roles

FieldTypeKeyDescription
idstringPKUnique identifier for the role
namestring-Name of the role
descriptionstring?-Role description
is_systemboolean-Whether role is system-managed
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: access_control_permissions

FieldTypeKeyDescription
idstringPKUnique identifier for permission
keystring-Permission key identifier
descriptionstring?-Permission description
is_systemboolean-Whether permission is system-managed
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: access_control_role_permissions

FieldTypeKeyDescription
role_idstringPKRole identifier
permission_idstringPKPermission identifier
granted_by_user_idstring?FKUser who granted the permission
granted_attimestamp-Time when permission was granted

Table: access_control_user_roles

FieldTypeKeyDescription
user_idstringPKUser identifier
role_idstringPKRole identifier
assigned_by_user_idstring?FKUser who assigned the role
assigned_attimestamp-Time when role was assigned
expires_attimestamp?-Time when role assignment expires

Migrations are automatically handled when the plugin is initialized.

Event Driven Architecture

Previous Page

Admin Plugin

Next Page

On this page

OverviewWhat It DoesConfigurationStandalone ModeLibrary ModeAPI ReferenceRoles ManagementPermissions ManagementRole-Permission MappingUser Access & PermissionsDatabase Schema