How to implement RBAC with Meilisearch
This guide is intended for both advanced and medium-level developers and will provide a clear roadmap to managing data access efficiently in your application.
Understanding Role-Based Access Control
Role-Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your enterprise. In the context of an application, it refers to controlling which users can access what information, ensuring data privacy and security.
Meilisearch provides an elegant solution to RBAC: tenant tokens. Tenant tokens allow you to easily limit a user's access to the specific data they are permitted to view.
Implementing RBAC in a Notion-like Application with Meilisearch
Let's illustrate this concept using an example inspired by Notion, the all-in-one workspace where you can write, plan, collaborate, and get organized.
In our simplified version of Notion, users belong to a workspace, and each workspace contains pages. Some users may have access to certain pages, while others may not.
A page could be represented as follows:
{
  "id": "477f110a-848a-4c23-969d-e7ff7a648c65",
  "workspace_id": "c3d3e966-60e2-4390-9d49-0a9d60f8f02d",
  "path": "/knowledge base/hello world",
  "title": "Hello World",
  "content": "#This is the first page",
  "can_view": [
    "ec6dfb90-2e89-4912-8e01-a25bb2a5a524",
    "b315c817-b3c4-4604-bd1f-122e5e452c91",
    "45c233cd-8160-4a38-8347-b13bc4709345",
    "ab58453d-6d56-496d-a5fa-ddb7c76b5a29",
    "d6de8463-5514-4bfe-90ba-471fbe9a23c6"
  ],
  "created_at": 1686512258,
  "updated_at": 1686512329
}
The can_view attribute lists the user_id of every user who has access to this page.
Next, you'll need to create a pages index and add the following settings:
{
  "displayedAttributes": [
    "id",
    "path",
    "title",
    "updated_at"
  ],
  "searchableAttributes": [
    "title",
    "content"
  ],
  "filterableAttributes": [
    "workspace_id",
    "can_view"
  ],
  "sortableAttributes": [
    "created_at",
    "updated_at"
  ]
}
Here's a brief explanation of these attributes:
displayedAttributes: The attributes shown in the search results of your application. In this case, we display the page id, path, title, and updated_at.
searchableAttributes: The attributes that can be searched. For a Notion-like app, the title and content of a page would be most relevant.
filterableAttributes: These are the attributes you can filter by. We've included workspace_id and can_view to control access to pages based on the workspace and user permissions.
sortableAttributes: These are the attributes by which you can sort your search results. We've included created_at and updated_at to support sorting pages by creation and modification dates.
Creating tenant tokens
With your Meilisearch configuration in place, the next step is to create a new tenant token for each user. If you don't have particular security concerns, you can omit the expiration date to simplify your onboarding process.
The crucial part of a tenant token is its searchRules. In our example, you'll add the following rule:
{
  "pages": {
    "filter": "workspace_id = c3d3e966-60e2-4390-9d49-0a9d60f8f02d AND can_view = 45c233cd-8160-4a38-8347-b13bc4709345"
  }
}
With the generated token, your search will restrict access based on workspace_id and can_view (the user's ID), so users will only see pages they have access to.
Store this token in your primary data store (Postgres, MySQL, etc.). This mechanism is similar to those used in tools like Stripe.
Load this key into local storage each time a user logs into your app, and use it for searches, thereby ensuring that each user only has access to the data they should.
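The following is an added example, not code from the original guide or from a Meilisearch SDK. A tenant token is an HS256 JWT signed with a Meilisearch API key, and the code below builds one server-side for the pages rule above using only the Python standard library, with an expiry and with both IDs validated as UUIDs before they enter the filter. The function names are hypothetical; the API key and its uid are supplied by the caller.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(api_key: str, signing_input: str) -> str:
    mac = hmac.new(api_key.encode(), signing_input.encode(), hashlib.sha256)
    return _b64url(mac.digest())

def page_filter(workspace_id: str, user_id: str) -> str:
    # uuid.UUID() raises ValueError for anything that is not a UUID and
    # str() re-emits the canonical form, so an id taken from a request
    # cannot add extra clauses to the filter expression.
    return f"workspace_id = {uuid.UUID(workspace_id)} AND can_view = {uuid.UUID(user_id)}"

def make_tenant_token(api_key, api_key_uid, workspace_id, user_id, ttl=900, now=None):
    """Return an HS256 JWT limiting searches on `pages` to one user's view."""
    issued = int(time.time()) if now is None else now
    payload = {
        "searchRules": {"pages": {"filter": page_filter(workspace_id, user_id)}},
        "apiKeyUid": api_key_uid,   # uid of the API key used for signing
        "exp": issued + ttl,        # expiry as a Unix timestamp
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    return f"{signing_input}.{_sign(api_key, signing_input)}"

def decode_payload(token: str, api_key: str) -> dict:
    """Check the signature, then return the claims (for inspection and tests)."""
    signing_input, _, signature = token.rpartition(".")
    if not hmac.compare_digest(signature, _sign(api_key, signing_input)):
        raise ValueError("signature mismatch")
    body = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

A token issued without exp stays valid until the API key that signed it is deleted or expires, so a short ttl bounds how long a user removed from a workspace can keep searching it.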
Wrapping up
Implementing RBAC with Meilisearch allows you to create applications with fine-grained access controls, ensuring that users only have access to the data they are permitted to see. By following this guide, you can improve the data security and privacy of your application while still providing a seamless search experience to your users. If you have any questions, you can join us on Discord.
Happy coding!