
Role-based access control pattern in Firebase - Step-by-Step Execution

Process Flow - Role-based access control pattern
User tries to access resource → Check user's role → Role allowed? → Grant access → Access result
User requests access, system checks their role, then grants or denies access based on allowed roles.
Execution Sample
Firebase
match /documents/{docId} {
  allow read: if request.auth.token.role == 'admin';
  allow write: if request.auth.token.role == 'editor';
}
This Firebase security rule grants read access only when the role claim in the user's auth token is 'admin', and write access only when that claim is 'editor'.
Process Table
Step | User Role | Requested Action | Condition Checked | Access Result
1 | admin | read | role == 'admin' | Access granted
2 | admin | write | role == 'editor' | Access denied
3 | editor | read | role == 'admin' | Access denied
4 | editor | write | role == 'editor' | Access granted
5 | viewer | read | role == 'admin' | Access denied
6 | viewer | write | role == 'editor' | Access denied
💡 Access is granted only when the user's role matches the required role for the action.
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | After Step 5 | After Step 6
request.auth.token.role | undefined | admin | admin | editor | editor | viewer | viewer
requested_action | undefined | read | write | read | write | read | write
access_granted | false | true | false | false | true | false | false
Key Moments - 3 Insights
Why does an 'admin' user get denied write access in step 2?
Because the write permission requires the role to be 'editor', and the user's role is 'admin' (see execution_table step 2).
Can a 'viewer' user read documents according to these rules?
No, because read access is only allowed for the 'admin' role, so a 'viewer' is denied (see execution_table steps 5 and 6).
What happens if the user's role is missing or undefined?
Access is denied, because the role comparison fails when the claim is missing or undefined, so no access is possible without a valid role.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the access result for an 'editor' trying to read?
A. Access pending
B. Access granted
C. Access denied
D. Role not found
💡 Hint
Check execution_table row 3 under 'Access Result' column.
At which step does the condition 'role == "editor"' evaluate to true?
A. Step 1
B. Step 4
C. Step 2
D. Step 5
💡 Hint
Look at execution_table rows where 'Condition Checked' is 'role == "editor"' and see when access is granted.
If we gave the 'viewer' role read access, how would step 5 change?
A. Access granted for read
B. Access denied for read
C. Access granted for write
D. No change
💡 Hint
Consider how adding 'viewer' role to read permission affects access in execution_table step 5.
Concept Snapshot
Role-based access control (RBAC) uses user roles to allow or deny access.
In Firebase, rules check request.auth.token.role.
Access is granted only if the user's role matches the required role.
Separate rules can control read and write permissions.
If role is missing or mismatched, access is denied.
Full Transcript
This visual execution shows how role-based access control works in Firebase security rules. When a user requests access to a document, the system checks their role from the authentication token. If the role matches the required role for the requested action (read or write), access is granted. Otherwise, access is denied. For example, only users with the 'admin' role can read, and only users with the 'editor' role can write. Users with other roles like 'viewer' are denied both read and write access. This pattern ensures that users only perform actions allowed by their roles, improving security and control.
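As an added example that is not part of the original lesson, the same two rules written the way they would be deployed in a complete Firestore rules file. The hasRole helper is assumed here (it is not from the lesson); it makes the missing-role and unauthenticated cases explicit instead of relying on the comparison erroring into a denial.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed helper, not part of the original lesson. It returns true only
    // when the request is authenticated, the token carries a 'role' claim,
    // and that claim is one of the allowed roles. An unauthenticated request
    // has request.auth == null, so the null check comes first; the 'in'
    // check keeps a token without a role claim from reaching the comparison.
    function hasRole(allowed) {
      return request.auth != null
          && 'role' in request.auth.token
          && request.auth.token.role in allowed;
    }

    match /documents/{docId} {
      // Same decisions as the lesson's process table:
      // 'admin' may read, 'editor' may write, everyone else is denied.
      allow read:  if hasRole(['admin']);
      allow write: if hasRole(['editor']);
    }
  }
}
```

Widening a permission to another role is a change to the list passed to hasRole, which keeps the rule readable as the set of roles grows.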