+1(613)852-9202 [email protected]
Select Page

Multi-Role JSON Management System

by | Dec 28, 2025 | Project | 0 comments

This project is a high-performance, secure file management showcase. It demonstrates the industry-standard Decoupled Authorization architecture, separating Identity Authentication (Auth0) from Granular Access Control (Cerbos).

link: https://github.com/ChrisXHLeung/jsonManagerment_Cerbos

Solution in detail: https://www.chriscn.cn/decoupled-abac-architecture/

πŸ—οΈ System Architecture

The system operates as a Policy Enforcement Point (PEP), delegating all logic to a centralized Policy Decision Point (PDP).

  1. Identity Layer (OIDC): Auth0 handles user sessions and issues JWTs containing role claims.
  2. Authorization Layer (ABAC): Cerbos evaluates requests against YAML-defined policies using real-time attributes (time, filename).
  3. Application Layer (PEP): A Node.js service that manages JSON I/O and enforces the decisions received from Cerbos via gRPC.

πŸ‘₯ Access Control Logic (ABAC)

Unlike traditional static RBAC, this system uses Attribute-Based Access Control (ABAC) to enforce dynamic rules.

πŸ” Global Security Guardrails

  • Sensitivity Filter: Any file matching (?i)sensitive in its name is strictly isolated. No role (including Admin) can delete or modify these files via the standard API path.
  • Release Filter: The User role is restricted to a “Discovery Mode,” only seeing files tagged with release.

πŸ“Š Permission Matrix

Action User (Observer) Member (Contributor) Admin (Superuser)
List & Read βœ… release files only βœ… All non-sensitive βœ… Full Access
Create ❌ Denied βœ… Work Hours OnlyΒΉ βœ… Full Access
Update ❌ Denied ❌ Denied ⚠️ Non-sensitive only
Delete ❌ Denied ❌ Denied ⚠️ Non-sensitive only

ΒΉ Time Attribute: Member create actions are restricted to Mon–Fri, 09:00–17:00 UTC.

πŸ“‚ Repository Structure

.
β”œβ”€β”€ PDP/                   # Policy Decision Point (PDP)
β”‚   β”œβ”€β”€ conf.yaml          # Cerbos server configuration
β”‚   └── policies/          # ABAC/RBAC logic defined in YAML
└── PEP/                   # Policy Enforcement Point (PEP)
    β”œβ”€β”€ storage/           # Flat-file JSON database
    β”œβ”€β”€ views/             # UI Templates (EJS)
    └── index.js           # Express logic & Cerbos gRPC Client

πŸ› οΈ Tech Stack Highlights

  • Communication: gRPC for ultra-low latency between API and Authorization engine.
  • Identity: OpenID Connect (OIDC) flow with PKCE.
  • Policy Engine: Cerbos – stateless, scalable, and audit-ready.
  • Express Middleware: Custom middleware to bridge JWT claims to Cerbos principal context.

Submit a Comment

Your email address will not be published. Required fields are marked *