Role-Based Access Control (RBAC)

Managing permissions and access levels in LibreApps Desktop.

Overview

LibreApps Desktop uses Role-Based Access Control (RBAC) to ensure that users can only perform actions and access data that they are authorized for. Roles are defined in Keycloak and enforced in both the frontend and backend.

Core Roles

  • Admin: Can manage users, organizations, and system-wide settings.
  • User: Can access and modify data within their own organization.
  • Viewer: Can view data but cannot make any changes.

Enforcement in the Backend

Backend services use Spring Security's @PreAuthorize annotation to restrict access to specific API endpoints based on the user's roles.

import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
public class AdminController {

    // hasRole('admin') matches the granted authority "ROLE_admin" (Spring adds the
    // ROLE_ prefix), so the Keycloak role mapping must produce that authority.
    @GetMapping("/users")
    @PreAuthorize("hasRole('admin')")
    public List<User> getAllUsers() {
        // ...
    }
}

Enforcement in the Frontend

The LibreApps Desktop frontend uses the user's roles to conditionally render UI elements and protect routes.

import { useAuth } from '@/hooks/use-auth';

export function AdminPanel() {
  const { hasRole } = useAuth();

  // UI-only gate: hides the panel from non-admins. The /api/admin endpoints
  // still enforce the role server-side.
  if (!hasRole('admin')) {
    return <div>Access Denied</div>;
  }

  return <div>Welcome to the Admin Panel</div>;
}

Best Practices

  • Do this: Always enforce permissions on the backend; frontend checks are for user experience only.
  • Do this: Use the principle of least privilege: give users only the permissions they need to do their job.
  • Don't do this: Hardcode role names in your application logic; use constants or a configuration file.