Skip to main content

Overview

Risk Legion implements Role-Based Access Control (RBAC) at multiple layers: API middleware, database Row-Level Security (RLS), and frontend route protection. This multi-layer approach ensures comprehensive security.

Role Hierarchy

User Roles

Super Admin

Client Admin

Assessor

Reviewer

Permission Matrix

BRA Operations

Governance Operations

Admin Operations

RBAC Implementation Layers

Layer 1: API Middleware

Layer 2: Database RLS

Layer 3: Frontend Route Protection

Entity Assignment

Assigning Entities to Users

Checking User Access

Role Resolution

Getting User Role

Applying Role to Queries

Audit Logging

All permission checks are logged:

Best Practices

  • Grant minimum necessary permissions
  • Use specific entity assignments
  • Regularly review access
  • Remove access promptly when roles change
  • Implement RBAC at all layers
  • Don’t trust frontend-only validation
  • Use database RLS as final guard
  • Log all access attempts
  • Document role responsibilities
  • Train users on their permissions
  • Audit role assignments regularly
  • Use clear role naming
  • Test each role’s access paths
  • Verify denial cases
  • Test entity-level isolation
  • Regular security reviews