Security and permissions in ShipMySaaS

ShipMySaaS, powered by Wabe, provides a robust and granular security system to manage permissions effectively. This ensures your application remains secure while allowing for flexible class-level and object-level access control.

Defining roles

In your application, you can define a list of roles to manage user permissions. For example:

  • Admin: Has elevated access to manage the application.
  • Client: Regular users with restricted access.

These roles form the foundation of the permission system.

server.ts
const wabeApp = new Wabe<BackTypes>({
  authentication: {
    //...
    roles: ['Admin', 'Client'],
  }
})

Two levels of permission management

Wabe supports two levels of permission management:

1. Class-level permissions

Permissions can be defined for entire classes in your schema. For example:

  • Update permission: Only Admins can update a particular class.
  • Delete restriction: No one, except the root client, can delete objects in a specific class.

This allows you to control access to broad categories of data.

2. Object-level permissions

Permissions can also be defined for individual objects within a class. For instance:

  • An object can only be accessed by specific users (e.g., User A or User B) or roles (e.g., Admin).
  • This is particularly useful for sensitive data like user profiles. For example:
    • A user can access their own User object but cannot access another user's data.
    • Admins, however, may have access to all user data.

Object-level permissions provide fine-grained control, ensuring data is accessible only to authorized users.

Example

Here is an example of a User class:

src/schemas/classes/user.ts
export const User: ClassInterface<BackTypes> = {
  name: 'User',
  // ...
  permissions: {
    // Reading a user requires an authenticated Admin or Client
    read: {
      authorizedRoles: ['Admin', 'Client'],
      requireAuthentication: true,
    },
    // Updating a user requires an authenticated Admin or Client
    update: {
      authorizedRoles: ['Admin', 'Client'],
      requireAuthentication: true,
    },
    // Deleting a user requires an authenticated Admin or Client
    delete: {
      authorizedRoles: ['Admin', 'Client'],
      requireAuthentication: true,
    },
    // Create is not specified; by default everyone can create a User (the create field is natively added in Wabe)
    acl: {
      // A User can be read / updated only by the user themselves or by an Admin
      authorizedUsers: {
        read: ['self'],
        write: ['self'],
      },
      authorizedRoles: {
        read: ['Admin'],
        write: ['Admin'],
      },
    },
  },
}

If you need to, you can define more specific ACL rules for each object using Wabe hooks, but there is an interface that covers the most common use cases.
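To see how the two levels combine for the User class above, the following added example (a simplified stand-alone model, not Wabe's implementation or API) evaluates the same `read`, `update` and `acl` values for a few constructed callers. It assumes a request must pass both the class-level rule and the object-level ACL, which is what lets a Client read their own User object but not another user's; the names `classAllows`, `aclAllows` and `canAccess` are hypothetical, and delete and the root client are left out.

```typescript
// Added illustration: a simplified model of the two levels, not Wabe's code.
type Op = 'read' | 'update'
type Caller = { id: string; role: string } | null // null = unauthenticated
type ClassRule = { authorizedRoles: string[]; requireAuthentication: boolean }
type AclRule = { read: string[]; write: string[] }

// Same read/update/acl values as the User class above.
const userPermissions: Record<Op, ClassRule> & {
  acl: { authorizedUsers: AclRule; authorizedRoles: AclRule }
} = {
  read: { authorizedRoles: ['Admin', 'Client'], requireAuthentication: true },
  update: { authorizedRoles: ['Admin', 'Client'], requireAuthentication: true },
  acl: {
    authorizedUsers: { read: ['self'], write: ['self'] },
    authorizedRoles: { read: ['Admin'], write: ['Admin'] },
  },
}

// Level 1 (class): may this caller run the operation on User at all?
function classAllows(op: Op, caller: Caller): boolean {
  const rule = userPermissions[op]
  if (rule.requireAuthentication && !caller) return false
  return rule.authorizedRoles.includes(caller?.role ?? '')
}

// Level 2 (object): may this caller touch the object owned by ownerId?
function aclAllows(op: Op, caller: Caller, ownerId: string): boolean {
  if (!caller) return false // fail closed for anonymous callers
  const mode = op === 'read' ? 'read' : 'write' // update maps to ACL "write"
  const { authorizedUsers, authorizedRoles } = userPermissions.acl
  const isSelf = authorizedUsers[mode].includes('self') && caller.id === ownerId
  return isSelf || authorizedRoles[mode].includes(caller.role)
}

// Assumption: a request succeeds only if both levels allow it.
function canAccess(op: Op, caller: Caller, ownerId: string): boolean {
  return classAllows(op, caller) && aclAllows(op, caller, ownerId)
}

// Constructed callers and object owners, printed as a decision matrix.
const sampleCallers: Caller[] = [{ id: 'u1', role: 'Client' }, { id: 'u9', role: 'Admin' }, null]
for (const caller of sampleCallers) {
  for (const ownerId of ['u1', 'u2']) {
    console.log(caller?.role ?? 'anonymous', caller?.id ?? '-', 'reads', ownerId, '->', canAccess('read', caller, ownerId))
  }
}
```

A matrix like this is worth turning into an authorization test against the real API, so that widening `authorizedRoles` at class level later cannot silently expose other users' objects.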

For further details, consult the Wabe Documentation.