How to implement RBAC with Meilisearch

This guide is intended for both advanced and medium-level developers and will provide a clear roadmap to managing data access efficiently in your application.

Understanding Role-Based Access Control

Role-Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your enterprise. In the context of an application, it refers to controlling which users can access what information, ensuring data privacy and security.

Meilisearch provides an elegant solution to RBAC: tenant tokens. Tenant tokens allow you to easily limit a user's access to the specific data they are permitted to view.

Implementing RBAC in a Notion-like Application with Meilisearch

Let's illustrate this concept using an example inspired by Notion, the all-in-one workspace where you can write, plan, collaborate, and get organized.

In our simplified version of Notion, users belong to a workspace, and each workspace contains pages. Some users may have access to certain pages, while others may not.

A page could be represented as follows:

{
    "id": "477f110a-848a-4c23-969d-e7ff7a648c65",
    "workspace_id": "c3d3e966-60e2-4390-9d49-0a9d60f8f02d",
    "path": "/knowledge base/hello world",
    "title": "Hello World",
    "content": "#This is the first page",
    "can_view": [
        "ec6dfb90-2e89-4912-8e01-a25bb2a5a524",
        "b315c817-b3c4-4604-bd1f-122e5e452c91",
        "45c233cd-8160-4a38-8347-b13bc4709345",
        "ab58453d-6d56-496d-a5fa-ddb7c76b5a29",
        "d6de8463-5514-4bfe-90ba-471fbe9a23c6",
    ],
    "created_at": 1686512258,
    "updated_at": 1686512329,
}

The can_view attribute is a list of all user_id that have access to this page.

📖
Learn how to update your settings in the documentation.

Next, you'll need to create a pages index and add the following settings:

{
    "displayedAttributes": [
        "id",
        "path",
        "title",
        "updated_at"
    ],
    "searchableAttributes": [
        "title",
        "content"
    ],
    "filterableAttributes": [
        "workspace_id",
        "can_view"
    ],
    "sortableAttributes": [
        "created_at",
        "updated_at"
    ]
}

Here's a brief explanation of these attributes:

  • displayedAttributes: The attributes shown in the search results of your application. In this case, we display the page id, path, title, and updated_at
  • searchableAttributes: The attributes that can be searched. For a Notion-like app, title and content of a page would be most relevant
  • filterableAttributes: These are the attributes you can filter by. We've included workspace_id and can_view to control access to pages based on the workspace and user permissions
  • sortableAttributes: These are the attributes by which you can sort your search results. We've included created_at  and updated_at to support sorting pages by creation and modification dates

Creating tenant tokens

With your Meilisearch configuration in place, the next step is to create a new tenant token for each user. If you don't have particular security concerns, you can omit the expiration date to simplify your onboarding process.

The crucial part of the tenant tokens is the searchRules. In our example, you'll add the following rule:

{
    "pages": {
        "filter": "workspace_id = c3d3e966-60e2-4390-9d49-0a9d60f8f02d && can_view = 45c233cd-8160-4a38-8347-b13bc4709345"
    }
}

With the generated token, your search will restrict access based on workspace_id and can_view (user’s ID), so users will only see pages they have access to.

Store this token in your primary data store (Postgres, MySQL, etc.). This mechanism is similar to those used in tools like Stripe.

Load this key into local storage each time a user logs into your app, and use it for searches, thereby ensuring that each user only has access to the data they should.

💡
Seeking a detailed, step-by-step tutorial? Explore our in-depth article on multi-tenancy.

Wrapping up

Implementing RBAC with Meilisearch allows you to create applications with fine-grained access controls, ensuring that users only have access to the data they are permitted to see. By following this guide, you can improve the data security and privacy of your application while still providing a seamless search experience to your users. If you have any question, you can join us on Discord.

Happy coding!

For more things Meilisearch, subscribe to our newsletter. You can learn more about our product by checking out our roadmap and participating in our product discussions.