This week's App of the Week award winner is..
(Drummmmrooolllll.....)
Tristan Cartledge (@Tristan_Curve) for his role-based access control permission layer that he built to manage roles across his GraphQL API and Retool.
Tristan - thanks so much for sharing with the community and keep an eye out for a Retool swag bundle coming your way!
Here is his post about the app:
So the story goes:
- We use Apollo GraphQL as our API layer and use federated microservices for powering this.
- Each microservice registers with a gateway and part of that registration is registering the domains that service exposes. These domains control access to the API through requiring a certain domain to be registered to the authenticated user. We can use this to control access per query/mutation or even to specific fields in entities.
- We use https://typegraphql.com/ to build our GraphQL API and it comes with some great middleware support for building the above RBAC controls on the API.
- The domains that the services register are then stored and later retrieved by the Retool Permissions Management tool you can see in the screenshots I provided.
- This tool allows these domains to be registered to groups which represent different teams within our organisation.
- Then using the Retool Agent Management tool in the screenshots we can assign groups to particular agents using the tooling, which gives them an effective list of domains they are allowed access to.
- When these groups are registered with an agent we also update our Identity Provider (IDP) that we use for SSO with Retool, and therefore these groups become available within the JWT access token provided by the IDP to Retool, which we use for further authentication with our API.
- As these groups are added to the JWT, Retool JIT provisions the users into the appropriate groups within its own permission model and we can assign apps to particular groups.
- Then we built a module that will query the API for the agent's domains, and return the list of available domains as an output from the module.
- We can then place this module in any app that needs to disable buttons or hide components based on permissions and they can just check the available domains for the one they are interested in within their Disable when or Hide when properties.
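The domain-based RBAC flow described in the post, sketched as an added TypeScript example. This is not Tristan's code, nor Retool's or TypeGraphQL's; it uses no external packages so it runs stand-alone, and the domain names, groups, resolver names, context shape and helper functions are all assumed for illustration. It shows the four pieces the post chains together: the group-to-domain table maintained by the permissions tool, the effective domains derived from the groups in the IDP's JWT, a deny-by-default guard around a query/mutation plus a field-level redaction, and the boolean a Retool module would expose for Disable when / Hide when.

```typescript
// Added example (not the original post's code). All names are assumed.
type Domain = string;

// Constructed: domains the federated services registered with the gateway.
export const registeredDomains = new Set<Domain>([
  "orders:read", "orders:refund", "customers:read", "customers:pii",
]);

// Constructed: the Permissions Management tool's group -> domains mapping.
export const groupDomains: Record<string, Domain[]> = {
  support: ["orders:read", "customers:read"],
  finance: ["orders:read", "orders:refund"],
  compliance: ["customers:read", "customers:pii"],
};

// Effective domains for an agent, derived from the groups carried in the JWT.
// Groups the tool does not know and domains no service registered are dropped,
// so a stale or mistyped claim can never grant access.
export function effectiveDomains(jwtGroups: string[]): Set<Domain> {
  const out = new Set<Domain>();
  for (const g of jwtGroups) {
    for (const d of groupDomains[g] ?? []) {
      if (registeredDomains.has(d)) out.add(d);
    }
  }
  return out;
}

// Stand-in for the resolver context middleware would receive (assumed shape):
// the verified JWT's subject and group claims.
export interface Context { user: { sub: string; groups: string[] } }

export class ForbiddenError extends Error {}

// Guard a query/mutation resolver behind one domain. Refuses at wiring time
// if the domain was never registered, and denies by default at call time.
export function requireDomain<A extends unknown[], R>(
  domain: Domain,
  resolver: (ctx: Context, ...args: A) => R,
): (ctx: Context, ...args: A) => R {
  if (!registeredDomains.has(domain)) {
    throw new Error(`unregistered domain ${domain}`);
  }
  return (ctx: Context, ...args: A): R => {
    if (!effectiveDomains(ctx.user.groups).has(domain)) {
      throw new ForbiddenError(`missing domain ${domain}`);
    }
    return resolver(ctx, ...args);
  };
}

// Field-level control: drop entity fields whose domain the caller lacks.
export function redactFields<T extends Record<string, unknown>>(
  ctx: Context,
  entity: T,
  fieldDomains: Partial<Record<keyof T, Domain>>,
): Partial<T> {
  const allowed = effectiveDomains(ctx.user.groups);
  const out: Partial<T> = {};
  for (const key of Object.keys(entity) as (keyof T)[]) {
    const needed = fieldDomains[key];
    if (needed === undefined || allowed.has(needed)) out[key] = entity[key];
  }
  return out;
}

// Constructed sample data and two guarded resolvers.
type Customer = { id: string; name: string; email: string };
const customers: Record<string, Customer> = {
  c1: { id: "c1", name: "Ada", email: "ada@example.com" },
};

export const getCustomer = requireDomain(
  "customers:read",
  (ctx: Context, id: string) => {
    const c = customers[id];
    if (!c) throw new Error(`no customer ${id}`);
    // The email field additionally needs the PII domain.
    return redactFields(ctx, c, { email: "customers:pii" });
  },
);

export const refundOrder = requireDomain(
  "orders:refund",
  (_ctx: Context, orderId: string) => `refunded ${orderId}`,
);

// What the Retool module would output for a component's Disable when /
// Hide when property, given the groups in the signed-in agent's token.
export function canAccess(jwtGroups: string[], domain: Domain): boolean {
  return effectiveDomains(jwtGroups).has(domain);
}
```

In a real TypeGraphQL service the `requireDomain` and `redactFields` logic is what an `authChecker` behind `@Authorized(...)` or a custom resolver middleware would do; the point of keeping the check in the API is that Disable when / Hide when only shape the UI, so the JWT-backed domain check on the resolver is the enforcement boundary.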