PitchAsh

02/20/2023, 11:36 AM
On the roles and permissions recipe, is there support for associating roles with another object? For example, on our system users belong to a number of teams and have a role within each team, so the same roles and permissions need to be duplicated for each team. Is there a way to support that within the recipe or would I have to build it entirely separately?

rp

02/20/2023, 12:20 PM
Hey @PitchAsh, you can associate roles with any random ID - it doesn't have to be the user ID.
If you want to add roles based on the user's "team" into their logged-in session, you may want to override the getRoles function in the userroles recipe to fetch the teamId for the input user ID before querying the original implementation to get the roles associated with that teamId.

PitchAsh

02/20/2023, 12:30 PM
So if we have roles, "admin, member, guest" and 1000 teams, we would need 3000 different roles?

rp

02/20/2023, 12:34 PM
Not really. You can associate those roles with the teamIds directly, so the number of roles is still 3, but instead of doing userId -> role you do teamId -> role.

PitchAsh

02/20/2023, 12:35 PM
how do i make user A an admin on one team and a member of another?

rp

02/20/2023, 12:36 PM
So instead of mapping users to roles directly, you can map a string like "<userid>-<teamid>" -> role.

PitchAsh

02/20/2023, 12:39 PM
Roles get assigned to a user though, right?

rp

02/20/2023, 12:39 PM
Not necessarily. You can assign them to any unique ID.

PitchAsh

02/20/2023, 12:40 PM
So wouldn't we need "-"... so the 3000 roles I mentioned, and I then assign "teamA-admin" and "teamB-member" roles to user A?

rp

02/20/2023, 12:41 PM
The number of roles is still just 3. But the number of role mappings is 3000.

PitchAsh

02/20/2023, 12:42 PM
Ok.. so how do I add this user's roles to the session if it's "-"? I would have to iterate over and make multiple calls for every team?
So I would need to record the team memberships locally..

rp

02/20/2023, 12:43 PM
So you want to override the getRoles function in the user roles recipe. This function takes in a userID. Now you can pass in the current teamId to it as well (using userContext), and then call the original impl with the "<userid>-<teamid>" string.
And if a user switches teams in your UI, then call the session.fetchAndSetClaim function once more with the teamId (in the userContext) set to the new teamId.

PitchAsh

02/20/2023, 12:45 PM
Ok, that works in the case where we have a selected team..
But I still need to maintain the team membership relationships.. I can't query all "-".

rp

02/20/2023, 12:46 PM
Oh yeah. If you want to get a union of all of them, then you would need to query all (based on the current approach).
Or, you could also maintain a separate mapping of just userId -> roles, and if you need all, just query using userId, and if you need per team per user, query based on "-".

PitchAsh

02/20/2023, 12:48 PM
Probably easier to just do all the RBAC locally in this case.
If I have to track the team membership data locally.. that would have the role id on it anyway.

rp

02/20/2023, 12:49 PM
Hmmm. Fair enough. How could we have made this simpler for you? What’s the missing “data structure” in our case?

PitchAsh

02/20/2023, 12:51 PM
If we had a second dimension on the role it would work, so userId + "teamId" -> role.
So 3 roles.. but I can assign the same role to the same user multiple times with another property, and enforce it being unique on multiple keys.. so I can only add 1 role for each user for each value of the second dimension.
So "-"... so userId is one current dimension, teamId would be the second one.. does that make sense?

rp

02/20/2023, 1:57 PM
I see. Makes sense! Thanks

PitchAsh

02/20/2023, 2:49 PM
Is this something that might get added?

rp

02/20/2023, 2:51 PM
Not sure yet. We have a LOT of other features already on our roadmap, so not anytime soon anyway.
But if you can open a GitHub issue about this in our core repo, describing the feature, that would be good.

PitchAsh

02/20/2023, 2:53 PM
Ok thanks.. Maybe I'll work with 3 roles and the permissions in SuperTokens and maintain the userId + team -> role mapping on my side.
What's the best function / API to override to implement our logic when building the session claims?

rp

02/20/2023, 3:06 PM
So if you want to reuse our pre built session claims (UserRolesClaim and PermissionsClaim), then you should override the recipe function from the user roles recipe - since our claims use those functions as the source of their info. If you want to build your own session claim and validator, check this doc out: https://supertokens.com/docs/session/common-customizations/sessions/claims/claim-validators

PitchAsh

02/20/2023, 3:23 PM
I'm struggling to understand why we would use the more complex claim validator methods rather than the simpler mergeIntoAccessTokenPayload method..

rp

02/20/2023, 3:23 PM
Well, you could just use mergeIntoAccessTokenPayload as well.
The reasons for a complex claim validator are:
- Auto refresh as and when required, based on the validator's use (on the frontend or backend)
- So that we (in our SDKs) can add custom claims and validators to the session verification process based on your config.

PitchAsh

02/20/2023, 3:25 PM
Doesn't mergeIntoAccessTokenPayload refresh to the frontend immediately?

rp

02/20/2023, 3:26 PM
Yeah, it does (if called on the session object). But if you update the roles offline, then it won't update the session unless you call mergeIntoAccessTokenPayload on that session as well.
And mergeIntoAccessTokenPayload on a session can happen offline (using the session handle), but then it will reflect on the session only after a session refresh.
So if you want to build logic like "I need to update the roles offline, and I want SuperTokens to keep refreshing the claims every 5 mins (for example)", then using the complex validators makes sense.

PitchAsh

02/20/2023, 3:27 PM
Ok.. so the claim validator means that if a super user changes another user's roles / permissions.. then it will refresh for that user without us having to check and potentially call mergeIntoAccessTokenPayload on every API endpoint..

rp

02/20/2023, 3:27 PM
Correct. Depending on how the claim validators are used in the APIs (they have a maxAgeInSeconds config).

PitchAsh

02/20/2023, 3:29 PM
Ok, so a claim validator seems like the way forward.. what I need to do, I think, is expand the roles claim into a 2-dimensional array..

rp

02/20/2023, 3:29 PM
Right.
There could be other ways to solve this problem compared to what I mentioned previously.. maybe better ways as well.

PitchAsh

02/20/2023, 3:37 PM
If a permission is added to a role, does this reflect onto any logged-in users? At some point the claim will refresh and the new permission will be there?

rp

02/20/2023, 4:03 PM
> at some point the claim will refresh and the new permission will be there?

Correct. You can force refreshing of permissions / claims on certain "sensitive" APIs by setting a very low maxAgeInSeconds when using the claim validator functions.