App of the Week Winner - 6/2/2021 (RBAC Permission Layer w/ GraphQL and Retool)

This week's app of the week award winner is...


Tristan Cartledge (@Tristan_Curve) for his role based access control permission layer that he built to manage roles across his GraphQL API and Retool.

Tristan - thanks so much for sharing with the community and keep an eye out for a Retool swag bundle coming your way! 🙂

Here is his post about the app:

So the story goes:

  1. We use Apollo GraphQL as our API layer and use federated microservices for powering this.
  2. Each microservice registers with a gateway, and part of that registration is registering the domains that service exposes. These domains control access to the API by requiring a certain domain to be registered to the authenticated user. We can use this to control access per query/mutation or even to specific fields in entities.
  3. We use to build our GraphQL API and it comes with some great middleware support for building the above RBAC controls on the API.
  4. The domains that the services register are then stored and later retrieved by the Retool Permissions Management tool you can see in the screenshots I provided.
  5. This tool allows these domains to be registered to groups which represent different teams within our organisation.
  6. Then using the Retool Agent Management tool in the screenshots we can assign groups to particular agents using the tooling which gives them an effective list of domains they are allowed access to.
  7. When these groups are registered with an agent we also update the Identity Provider (IDP) that we use for SSO with Retool, and therefore these groups become available within the JWT access token provided by the IDP to Retool, which we use for further authentication with our API.
  8. As these groups are added to the JWT, Retool JIT provisions the users into the appropriate groups within its own permission model and we can assign apps to particular groups.
  9. Then we built a module that will query the API for the agent's domains, and return the list of available domains as an output from the module.
  10. We can then place this module in any app that needs to disable buttons or hide components based on permissions, and they can just check the available domains for the one they are interested in within their "Disable when" or "Hide when" properties.
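To make the flow in steps 2 through 10 concrete, here is a small added example in plain Node.js (this is not Tristan's code and does not depend on Apollo or Retool). The service names, domain names, groups, agents and the decoded token claims are all constructed for illustration; the JWT is assumed to have already been verified by the gateway, so only its decoded claims are modelled. `requireDomain` plays the role of the API middleware, `effectiveDomains` plays the role of resolving the token's group claim into allowed domains, and `agentDomainsModule` / `disableWhen` stand in for the Retool module and a component's "Disable when" expression.

```javascript
// Added example, not code from the original post. All names below are constructed.

// Step 2: domains each federated service registers with the gateway.
const serviceRegistrations = {
  'orders-service':    ['orders:read', 'orders:write', 'orders:refund'],
  'customers-service': ['customers:read', 'customers:pii'],
};

// Gateway-side registry: domain -> owning service. Rejects duplicate
// registrations so two services cannot both claim the same domain.
function buildDomainRegistry(registrations) {
  const registry = new Map();
  for (const [service, domains] of Object.entries(registrations)) {
    for (const d of domains) {
      if (registry.has(d)) throw new Error(`domain ${d} already registered by ${registry.get(d)}`);
      registry.set(d, service);
    }
  }
  return registry;
}
const domainRegistry = buildDomainRegistry(serviceRegistrations);

// Steps 4-5: Permissions Management assigns registered domains to groups (teams).
const groupDomains = {
  support:     ['orders:read', 'customers:read'],
  finance:     ['orders:read', 'orders:refund'],
  engineering: ['orders:read', 'orders:write', 'customers:read', 'customers:pii'],
};

// Step 6: Agent Management assigns groups to agents. These group names are what
// the IDP later puts into the JWT "groups" claim (constructed sample data).
const agentGroups = {
  'alice@example.com': ['support', 'finance'],
  'bob@example.com':   ['support'],
};

// Resolve a token's groups into the agent's effective domains. Unknown groups
// and domains no service registered are dropped, so a stale claim cannot grant
// access to something that no longer exists.
function effectiveDomains(groups, registry = domainRegistry) {
  const out = new Set();
  for (const g of groups) {
    for (const d of groupDomains[g] || []) {
      if (registry.has(d)) out.add(d);
    }
  }
  return [...out].sort();
}

// Steps 2-3: resolver middleware. Wraps a resolver so it only runs when the
// caller's claims map to the required domain; usable on root fields and on
// individual entity fields alike.
function requireDomain(domain, resolver) {
  if (!domainRegistry.has(domain)) throw new Error(`unregistered domain: ${domain}`);
  return (parent, args, context, info) => {
    const claims = (context && context.claims) || {};
    if (!effectiveDomains(claims.groups || []).includes(domain)) {
      throw new Error(`forbidden: ${domain} required`);
    }
    return resolver(parent, args, context, info);
  };
}

// Constructed resolvers standing in for the real schema.
const orders = [{ id: 'o-1', total: 42, customerEmail: 'c@example.com' }];
const resolvers = {
  Query:    { orders: requireDomain('orders:read', () => orders) },
  Mutation: { refundOrder: requireDomain('orders:refund', (_p, { id }) => ({ id, refunded: true })) },
  // Field-level control: the PII field needs customers:pii even if the caller can list orders.
  Order:    { customerEmail: requireDomain('customers:pii', (order) => order.customerEmail) },
};

// Invoke a resolver the way the gateway would, with decoded claims in context.
function call(resolver, claims, parent = null, args = {}) {
  return resolver(parent, args, { claims });
}

// Steps 9-10: the Retool module output and a "Disable when" style check.
function agentDomainsModule(claims) {
  return { availableDomains: effectiveDomains(claims.groups || []) };
}
function disableWhen(availableDomains, domain) {
  return !availableDomains.includes(domain);
}
```

Note that the check is enforced twice on purpose: `disableWhen` only improves the UI, while `requireDomain` on the API is what actually stops a call from an agent whose groups do not cover the domain.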