Overview
Risk Legion implements Role-Based Access Control (RBAC) at multiple layers: API middleware, database Row-Level Security (RLS), and frontend route protection. This multi-layer approach ensures comprehensive security.Role Hierarchy
User Roles
Super Admin
Client Admin
Assessor
Reviewer
Permission Matrix
BRA Operations
Governance Operations
Admin Operations
RBAC Implementation Layers
Layer 1: API Middleware
Layer 2: Database RLS
Layer 3: Frontend Route Protection
Entity Assignment
Assigning Entities to Users
Checking User Access
Role Resolution
Getting User Role
Applying Role to Queries
Audit Logging
All permission checks are logged:Best Practices
Principle of Least Privilege
Principle of Least Privilege
- Grant minimum necessary permissions
- Use specific entity assignments
- Regularly review access
- Remove access promptly when roles change
Defense in Depth
Defense in Depth
- Implement RBAC at all layers
- Don’t trust frontend-only validation
- Use database RLS as final guard
- Log all access attempts
Role Management
Role Management
- Document role responsibilities
- Train users on their permissions
- Audit role assignments regularly
- Use clear role naming
Testing
Testing
- Test each role’s access paths
- Verify denial cases
- Test entity-level isolation
- Regular security reviews
Related Documentation
- Authentication - How users authenticate
- Database Schema - Tables and RLS policies
- User Roles - Detailed role documentation